From adc70d09e79fb088f71f09719b69cc7ef83039f4 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 16 May 2024 20:26:58 +0200
Subject: [PATCH 01/12] chg: [sigma] updated to the latest version
---
 clusters/sigma-rules.json | 3889 ++++++++++++++++++++-----------------
 1 file changed, 2116 insertions(+), 1773 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index a9b6f11..786e098 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -23,10 +23,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
 ],
 "tags": [
@@ -93,8 +93,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/last-byte/PersistenceSniper",
 "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/last-byte/PersistenceSniper",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
 ],
 "tags": [
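Review bot: The refs arrays in this hunk, and in nearly every other hunk of the patch, are only reordered rather than changed, which suggests the generator serializes refs in an unstable order; sorting the refs array before writing the JSON would keep a regeneration limited to real rule changes. That matters for a detection catalogue: the diffstat reports 2116 insertions and 1773 deletions, and the one substantive change on this page, the removal of a whole cluster entry further down, is buried under no-op reorder lines and easy to miss in review. Array order in refs carries no meaning for consumers, so a stable sort cannot change behaviour. The enclosing cluster object starts and ends outside the hunk.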
@@ -127,8 +127,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" ], "tags": [ @@ -149,10 +149,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://www.sans.org/cyber-security-summit/archives", + "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling", "https://twitter.com/jamieantisocial/status/1304520651248668673", - "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", - "https://www.sans.org/cyber-security-summit/archives", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], "tags": [ 
@@ -188,9 +188,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -223,8 +223,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", + "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml" ], "tags": [ @@ -258,10 +258,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], "tags": [ 
@@ -295,8 +295,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/Hexacorn/status/991447379864932352", - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ @@ -395,8 +395,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", "https://persistence-info.github.io/Data/aedebug.html", + "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" ], "tags": [ 
@@ -419,12 +419,12 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", "https://www.attackiq.com/2023/09/20/emulating-rhysida/", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", + "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml" ], "tags": [ 
@@ -467,8 +467,8 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", - "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", + "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" @@ -540,8 +540,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" ], "tags": [ 
@@ -564,8 +564,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml" ], "tags": [ @@ -682,8 +682,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", + "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml" ], "tags": [ @@ -716,9 +716,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ 
@@ -751,8 +751,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", + "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" ], @@ -786,8 +786,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], @@ -1065,9 +1065,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ 
@@ -1100,8 +1100,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" ], "tags": [ @@ -1168,8 +1168,8 @@ "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", - "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", + "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml" ], @@ -1270,8 +1270,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", "https://persistence-info.github.io/Data/naturallanguage6.html", + "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml" ], "tags": [ 
@@ -1294,8 +1294,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://labs.f-secure.com/blog/scheduled-task-tampering/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://labs.f-secure.com/blog/scheduled-task-tampering/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" ], "tags": [ @@ -1438,8 +1438,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" ], "tags": [ @@ -1472,9 +1472,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" ], "tags": [ 
@@ -1558,9 +1558,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", + "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml" ], "tags": [ @@ -1669,8 +1669,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" ], @@ -1705,8 +1705,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" ], "tags": [ 
@@ -1789,8 +1789,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" ], "tags": [ @@ -1823,9 +1823,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", + "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" ], "tags": [ @@ -1871,10 +1871,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://persistence-info.github.io/Data/ifilters.html", - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://twitter.com/0gtweet/status/1468548924600459267", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", + "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], "tags": [ 
@@ -1897,10 +1897,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/M_haggis/status/1699056847154725107", - "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", + "https://twitter.com/M_haggis/status/1699056847154725107", + "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ @@ -1989,10 +1989,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", - "https://twitter.com/nas_bench/status/1626648985824788480", "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", + "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", + "https://twitter.com/nas_bench/status/1626648985824788480", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" ], "tags": [ 
@@ -2013,40 +2013,6 @@
 "uuid": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b",
 "value": "Potential Persistence Via Event Viewer Events.asp"
 },
- {
- "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_disable_uac_registry.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.defense_evasion",
- "attack.t1548.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919",
- "value": "Disable UAC Using Registry"
- },
 {
 "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute",
 "meta": {
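Review bot: The "Disable UAC Using Registry" cluster (uuid 48437c39-9e5f-47fb-af95-3d663c3f2919, the EnableLUA tampering detection tagged attack.t1548.002) is deleted outright rather than marked as revoked, so any event, sighting or galaxy relation that references that UUID now dangles and the T1548.002 coverage disappears from the catalogue without a forwarding note. Presumably the upstream Sigma rule was deprecated or merged into another rule; if so, the commit message or the cluster should record the replacement, and keeping the entry with a revoked marker would preserve the UUID for existing references. Nothing on this page shows where the detection moved, so this is worth confirming before the galaxy is published. The enclosing values array starts and ends outside the hunk.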
@@ -2182,8 +2148,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml"
 ],
 "tags": [
@@ -2218,16 +2184,16 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://bunnyinside.com/?term=f71e8cb9c76a", "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + 
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], @@ -2326,8 +2292,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" ], "tags": [ @@ -2360,8 +2326,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/htmlhelpauthor.html", "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", + "https://persistence-info.github.io/Data/htmlhelpauthor.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml" ], "tags": [ @@ -2552,8 +2518,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1476286368385019906", "https://persistence-info.github.io/Data/lsaaextension.html", + "https://twitter.com/0gtweet/status/1476286368385019906", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml" ], "tags": [ 
@@ -2576,16 +2542,16 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", "https://blog.sekoia.io/darkgate-internals/", - "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + 
"https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" ], "tags": [ @@ -2720,9 +2686,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ @@ -2755,8 +2721,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/", "https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci", + "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml" ], "tags": [ 
@@ -2789,13 +2755,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", - "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ 
@@ -2828,9 +2794,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", - "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", + "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" ], "tags": [ @@ -2865,9 +2831,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], "tags": [ 
@@ -2924,8 +2890,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], "tags": [ @@ -2983,8 +2949,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", + "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml" ], "tags": [ @@ -3009,9 +2975,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ 
@@ -3044,9 +3010,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf", - "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml" ], "tags": [ @@ -3080,8 +3046,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" ], "tags": [ @@ -3116,9 +3082,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ 
@@ -3209,9 +3175,9 @@ "logsource.product": "windows", "refs": [ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", - "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", "https://github.com/elastic/detection-rules/issues/1371", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", + "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ @@ -3318,8 +3284,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/hhctrl.html", "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", + "https://persistence-info.github.io/Data/hhctrl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" ], "tags": [ @@ -3376,9 +3342,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], "tags": [ 
@@ -3552,8 +3518,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", + "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" ], "tags": [ 
@@ -3586,13 +3552,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", - "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ 
@@ -3660,8 +3626,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" ], "tags": [ @@ -3694,8 +3660,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", "https://persistence-info.github.io/Data/mpnotify.html", + "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml" ], "tags": [ @@ -3886,10 +3852,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps", - "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware", + "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1", + "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml" ], "tags": [ 
@@ -3946,9 +3912,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ @@ -4050,8 +4016,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", "https://persistence-info.github.io/Data/autodialdll.html", + "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" ], "tags": [ @@ -4342,8 +4308,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass", "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/", + "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml" ], "tags": [ 
@@ -4551,8 +4517,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/rootm0s/WinPwnage", "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", + "https://github.com/rootm0s/WinPwnage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" ], "tags": [ @@ -4585,8 +4551,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" ], "tags": [ 
@@ -4629,6 +4595,41 @@
 "uuid": "8218c875-90b9-42e2-b60d-0b0069816d10",
 "value": "PowerShell Script Execution Policy Enabled"
 },
+ {
+ "description": "Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the \"UACDisableNotify\" value.\nUAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.\nWhen \"UACDisableNotify\" is set to 1, UAC prompts are suppressed.\n",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2024/05/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_uac_disable_notification.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md",
+ "https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.t1548.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "c5f6a85d-b647-40f7-bbad-c10b66bab038",
+ "value": "UAC Notification Disabled"
+ },
 {
 "description": "Detect set DisallowRun to 1 to prevent user running specific computer program",
 "meta": {
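Review bot: The closing sentence of the new description, `When \"UACDisableNotify\" is set to 1, UAC prompts are suppressed.`, claims more than the value does: as far as I can tell UACDisableNotify sits under the Security Center key and only silences the Security Center warning that UAC has been disabled, while the consent prompts themselves are governed by EnableLUA and the ConsentPromptBehavior* values that the sibling "UAC Disabled" entry covers. I would confirm against the referenced atomic test and reword to `When \"UACDisableNotify\" is set to 1, Windows no longer warns the user that UAC is disabled, which helps an attacker hide that UAC has been turned off.` The detection logic (key path, value) is not part of this galaxy entry, so the wording is the only thing checkable here; `"falsepositive": ["Unknown"]` on a medium-level rule would also benefit from naming the obvious benign writer of that value, if the rule authors know one.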
@@ -4675,9 +4676,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", + "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", + "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" ], "tags": [ @@ -4733,8 +4734,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", + "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ 
@@ -4857,8 +4858,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", + "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" ], "tags": [ @@ -4924,8 +4925,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/WhichbufferArda/status/1543900539280293889", "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", + "https://twitter.com/WhichbufferArda/status/1543900539280293889", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml" ], "tags": [ @@ -4958,8 +4959,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", + "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml" ], "tags": [ 
@@ -5061,8 +5062,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/VakninHai/status/1517027824984547329", - "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://twitter.com/pabraeken/status/998627081360695297", + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], "tags": [ @@ -5136,8 +5137,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1560536653709598721", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://twitter.com/malmoeb/status/1560536653709598721", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml" ], "tags": [ @@ -5160,11 +5161,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage", - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], "tags": [ 
@@ -5330,8 +5331,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml" ], "tags": [ @@ -5398,9 +5399,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], "tags": [ 
@@ -5420,6 +5421,40 @@
 "uuid": "480421f9-417f-4d3b-9552-fd2728443ec8",
 "value": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification"
 },
+ {
+ "description": "Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the \"PromptOnSecureDesktop\" value.\nThe \"PromptOnSecureDesktop\" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.\nWhen \"PromptOnSecureDesktop\" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2024/05/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_uac_disable_secure_desktop_prompt.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.t1548.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "0d7ceeef-3539-4392-8953-3dc664912714",
+ "value": "UAC Secure Desktop Prompt Disabled"
+ },
 {
 "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
 "meta": {
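Review bot: `"falsepositive": ["Unknown"]` undersells what the description itself establishes: PromptOnSecureDesktop is a documented, configurable UAC setting (if I recall correctly it is exposed as the security policy "User Account Control: Switch to the secure desktop when prompting for elevation"), so Group Policy or endpoint-management pushes that turn it off are a predictable benign writer and should be listed, e.g. `"Administrators or management tooling changing the setting via policy"`, so analysts know to check for a policy source before escalating. The only non-Sigma reference is the atomic test; Microsoft's own documentation of the setting would be the better primary citation for a rule whose whole value rests on the semantics of that value. The description is otherwise clear and correctly ties 0 to the weakened state.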
@@ -5434,10 +5469,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://persistence-info.github.io/Data/userinitmprlogonscript.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], "tags": [ @@ -5471,9 +5506,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" ], "tags": [ 
@@ -5547,10 +5582,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", - "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", + "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml" ], "tags": [ 
@@ -5784,6 +5819,40 @@
 "uuid": "7021255e-5db3-4946-a8b9-0ba7a4644a69",
 "value": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG"
 },
+ {
+ "description": "Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value \"EnableLUA\" to 0.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_uac_disable.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_disable.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.t1548.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919",
+ "value": "UAC Disabled"
+ },
 {
 "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes",
 "meta": {
@@ -5797,8 +5866,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
 "https://persistence-info.github.io/Data/wer_debugger.html",
+ "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
 ],
 "tags": [
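Review bot: The first hunk adds an entry with `"creation_date": "2022/01/05"` and uuid `48437c39-9e5f-47fb-af95-3d663c3f2919` as a wholly new block, which together with the new `filename`/`value` pair (`registry_set_uac_disable.yml` / `UAC Disabled`) looks like an upstream rule rename rather than a new rule; unless the earlier entry carrying that same uuid under its old name is removed elsewhere in this patch, the cluster ends up with two entries sharing one uuid, which MISP galaxy tooling treats as a conflict. Before merging I would run a duplicate check on the rebuilt file, e.g. `jq -r '.values[].uuid' clusters/sigma-rules.json | sort | uniq -d`, and make the generator replace by uuid instead of appending. The one-line description could also say what the consequence is, as the sibling UAC entries do: `With \"EnableLUA\" set to 0, Admin Approval Mode and elevation prompts are turned off for all accounts; if I recall correctly the change only takes effect after a reboot.`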
@@ -6062,9 +6131,9 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "http://woshub.com/how-to-clear-rdp-connections-history/", - "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", + "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", + "http://woshub.com/how-to-clear-rdp-connections-history/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" ], "tags": [ @@ -6105,11 +6174,11 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://docs.microsoft.com/en-us/windows/win32/shell/launch", - "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", "https://github.com/OTRF/detection-hackathon-apt29/issues/7", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", - "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], "tags": [ 
@@ -6142,8 +6211,8 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://seclists.org/fulldisclosure/2020/Mar/45", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://seclists.org/fulldisclosure/2020/Mar/45", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" ], "tags": [ @@ -6253,8 +6322,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], @@ -6290,8 +6359,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" ], "tags": [ 
@@ -6324,8 +6393,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", + "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", "https://twitter.com/inversecos/status/1494174785621819397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml" ], @@ -6359,11 +6428,11 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", - "https://nvd.nist.gov/vuln/detail/cve-2021-34527", - "https://nvd.nist.gov/vuln/detail/cve-2021-1675", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", + "https://nvd.nist.gov/vuln/detail/cve-2021-34527", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://nvd.nist.gov/vuln/detail/cve-2021-1675", + "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], "tags": [ @@ -6468,9 +6537,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", - "https://github.com/hfiref0x/UACME", "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ 
@@ -7019,8 +7088,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157",
 "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml"
 ],
 "tags": [
@@ -7053,8 +7122,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
 "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
+ "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml"
 ],
 "tags": [
@@ -7359,8 +7428,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
 "https://twitter.com/SBousseaden/status/1183745981189427200",
+ "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml"
 ],
 "tags": [
@@ -7571,10 +7640,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
- "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
 "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
 "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
+ "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
 ],
 "tags": [
@@ -7698,8 +7767,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
 "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml"
 ],
 "tags": [
@@ -7892,8 +7961,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/winsiderss/systeminformer",
 "https://systeminformer.sourceforge.io/",
+ "https://github.com/winsiderss/systeminformer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml"
 ],
 "tags": [
@@ -8125,8 +8194,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://reqrypt.org/windivert-doc.html",
 "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
+ "https://reqrypt.org/windivert-doc.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml"
 ],
 "tags": [
@@ -8168,8 +8237,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -8270,9 +8339,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
- "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
 "https://twitter.com/neonprimetime/status/1436376497980428318",
+ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml"
 ],
 "tags": [
@@ -8373,9 +8442,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
 "https://cydefops.com/devtunnels-unleashed",
 "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
- "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml"
 ],
 "tags": [
@@ -8573,9 +8642,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://cydefops.com/vscode-data-exfiltration",
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
 "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://cydefops.com/vscode-data-exfiltration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml"
 ],
 "tags": [
@@ -8608,8 +8677,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://malware.guide/browser-hijacker/remove-onelaunch-virus/",
 "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/",
+ "https://malware.guide/browser-hijacker/remove-onelaunch-virus/",
 "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml"
 ],
@@ -8686,10 +8755,10 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
 "https://redcanary.com/blog/misbehaving-rats/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
 "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"
 ],
@@ -8723,18 +8792,18 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
 "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
- "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml"
 ],
 "tags": [
@@ -8769,8 +8838,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml"
 ],
 "tags": [
@@ -8848,9 +8917,9 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
- "https://o365blog.com/post/adfs/",
 "https://github.com/Azure/SimuLand",
+ "https://o365blog.com/post/adfs/",
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml"
 ],
 "tags": [
@@ -8883,8 +8952,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml"
 ],
 "tags": [
@@ -8952,8 +9021,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://github.com/malcomvetter/CSExec",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml"
 ],
 "tags": [
@@ -8995,8 +9064,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://blog.hackvens.fr/articles/CoercedPotato.html",
 "https://github.com/hackvens/CoercedPotato",
+ "https://blog.hackvens.fr/articles/CoercedPotato.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml"
 ],
 "tags": [
@@ -9030,8 +9099,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/zcgonvh/EfsPotato",
 "https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
+ "https://github.com/zcgonvh/EfsPotato",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml"
 ],
 "tags": [
@@ -9130,11 +9199,11 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
+ "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
+ "https://github.com/SigmaHQ/sigma/issues/253",
+ "https://twitter.com/d4rksystem/status/1357010969264873472",
 "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
 "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
- "https://twitter.com/d4rksystem/status/1357010969264873472",
- "https://github.com/SigmaHQ/sigma/issues/253",
- "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml"
 ],
 "tags": [
@@ -9168,8 +9237,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml"
 ],
 "tags": [
@@ -9270,8 +9339,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml"
 ],
 "tags": [
@@ -9328,8 +9397,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml"
 ],
 "tags": [
@@ -9362,8 +9431,8 @@
 "logsource.category": "sysmon_status",
 "logsource.product": "windows",
 "refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
 ],
 "tags": [
@@ -9442,8 +9511,8 @@
 "logsource.category": "sysmon_error",
 "logsource.product": "windows",
 "refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml"
 ],
 "tags": [
@@ -9558,9 +9627,9 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/denandz/KeeFarce",
- "https://github.com/GhostPack/KeeThief",
 "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
+ "https://github.com/GhostPack/KeeThief",
+ "https://github.com/denandz/KeeFarce",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml"
 ],
 "tags": [
@@ -9635,8 +9704,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/mdsecactivebreach/CACTUSTORCH",
 "https://twitter.com/SBousseaden/status/1090588499517079552",
+ "https://github.com/mdsecactivebreach/CACTUSTORCH",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml"
 ],
 "tags": [
@@ -10015,7 +10084,7 @@
 "value": "New Outlook Macro Created"
 },
 {
- "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.",
+ "description": "Detect creation of suspicious executable file names.\nSome strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.\n",
 "meta": {
 "author": "frack113",
 "creation_date": "2022/09/05",
@@ -10244,8 +10313,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
 ],
 "tags": [
@@ -10470,8 +10539,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml"
 ],
 "tags": [
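Review bot: The new `description` value for the suspicious-executable-name rule ends in a literal `\n`, which looks like the trailing newline of an upstream YAML block scalar carried through verbatim rather than a deliberate part of the text; every consumer that renders this cluster will now show a stray blank line after the description. The same trailing `\n` is already present on both sides of the TeamViewer/OneDrive DLL-sideloading description hunk further down, so this appears to be a systematic import artifact rather than a one-off. Stripping trailing whitespace when the description is copied into the cluster — e.g. `description.rstrip()` in the generator, which is not visible here — would keep the intentional internal line break while dropping the dangling one.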
@@ -10529,8 +10598,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
 "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
 ],
 "tags": [
@@ -10563,8 +10632,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
 "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
+ "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
 "https://en.wikipedia.org/wiki/IExpress",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml"
 ],
@@ -10747,11 +10816,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -10784,9 +10853,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
 "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
+ "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml"
 ],
 "tags": [
@@ -11058,8 +11127,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies",
 "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders",
+ "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml"
 ],
 "tags": [
@@ -11093,9 +11162,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks",
- "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
- "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
 "https://github.com/Yaxser/Backstab",
+ "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml"
 ],
 "tags": [
@@ -11229,8 +11298,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml"
 ],
 "tags": [
@@ -11298,8 +11367,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
 "Internal Research",
+ "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
 "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml"
 ],
@@ -11357,10 +11426,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
 "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
+ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
 ],
 "tags": [
@@ -11482,8 +11551,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
 "https://persistence-info.github.io/Data/wpbbin.html",
+ "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml"
 ],
 "tags": [
@@ -11517,8 +11586,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml"
 ],
 "tags": [
@@ -11677,7 +11746,7 @@
 "value": "TeamViewer Remote Session"
 },
 {
- "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n",
+ "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (\"iphlpapi.dll\") is sideloaded\n",
 "meta": {
 "author": "frack113",
 "creation_date": "2022/08/12",
@@ -11832,8 +11901,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=2398",
 "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
+ "https://adsecurity.org/?p=2398",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml"
 ],
 "tags": [
@@ -11983,8 +12052,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
 "https://github.com/Porchetta-Industries/CrackMapExec",
+ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml"
 ],
 "tags": [
@@ -12130,10 +12199,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
- "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
 "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
+ "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
 "http://addbalance.com/word/startup.htm",
+ "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml"
 ],
 "tags": [
@@ -12224,26 +12293,26 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/PowerShellMafia/PowerSploit",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/CsEnox/EventViewer-UACBypass",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/samratashok/nishang",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
 "https://github.com/besimorhino/powercat",
- "https://github.com/adrecon/AzureADRecon",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/NetSPI/PowerUpSQL",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/CsEnox/EventViewer-UACBypass",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
 ],
 "tags": [
@@ -12342,8 +12411,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://aboutdfir.com/the-key-to-identify-psexec/",
 "https://twitter.com/davisrichardg/status/1616518800584704028",
+ "https://aboutdfir.com/the-key-to-identify-psexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml"
 ],
 "tags": [
@@ -12396,12 +12465,12 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
- "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
- "https://github.com/helpsystems/nanodump",
- "https://www.google.com/search?q=procdump+lsass",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
 "https://github.com/CCob/MirrorDump",
+ "https://www.google.com/search?q=procdump+lsass",
+ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
+ "https://github.com/helpsystems/nanodump",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml"
 ],
 "tags": [
@@ -12736,8 +12805,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml"
 ],
 "tags": [
@@ -12795,8 +12864,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", - "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], "tags": [ @@ -12887,8 +12956,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://persistence-info.github.io/Data/powershellprofile.html", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml" ], "tags": [ @@ -12922,8 +12991,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" 
@@ -13058,8 +13127,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/14", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" ], "tags": [ @@ -13257,8 +13326,8 @@ "logsource.product": "windows", "refs": [ "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", - "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", + "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" ], @@ -13425,9 +13494,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml" ], "tags": [ 
@@ -13517,11 +13586,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://twitter.com/luc4m/status/1073181154126254080", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -13554,10 +13623,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/ntds-dit/", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" ], "tags": [ 
@@ -13700,9 +13769,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/cube0x0/status/1418920190759378944", + "https://github.com/FireFart/hivenightmare/", "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/GossiTheDog/HiveNightmare", - "https://github.com/FireFart/hivenightmare/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" ], "tags": [ @@ -13737,8 +13806,8 @@ "logsource.product": "windows", "refs": [ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" ], "tags": [ @@ -13847,8 +13916,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" ], "tags": [ 
@@ -13881,8 +13950,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", + "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" ], "tags": [ @@ -13915,9 +13984,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", "https://twitter.com/Sam0x90/status/1552011547974696960", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], "tags": [ @@ -13974,8 +14043,8 @@ "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ 
@@ -14041,8 +14110,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml" ], "tags": [ @@ -14076,8 +14145,8 @@ "logsource.product": "windows", "refs": [ "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", - "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://github.com/fox-it/LDAPFragger", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml" ], "tags": [ @@ -14170,11 +14239,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/pfiatde/status/1681977680688738305", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", - "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", + "https://twitter.com/pfiatde/status/1681977680688738305", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", + "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ 
@@ -14207,8 +14276,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/465533/0/html", "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", + "https://www.joesandbox.com/analysis/465533/0/html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml" ], "tags": [ @@ -14291,11 +14360,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://twitter.com/luc4m/status/1073181154126254080", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ 
@@ -14388,12 +14457,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", - "https://labs.withsecure.com/publications/detecting-onenote-abuse", - "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://twitter.com/MaD_c4t/status/1623414582382567424", + "https://labs.withsecure.com/publications/detecting-onenote-abuse", + "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], "tags": [ @@ -14451,8 +14520,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml" ], "tags": [ 
@@ -14775,12 +14844,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/Wh04m1001/SysmonEoP", "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -14924,8 +14993,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], "tags": [ 
@@ -14958,11 +15027,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/search?q=CVE-2021-36934", - "https://github.com/cube0x0/CVE-2021-36934", "https://www.google.com/search?q=%22reg.exe+save%22+sam", - "https://github.com/FireFart/hivenightmare", + "https://github.com/search?q=CVE-2021-36934", "https://github.com/HuskyHacks/ShadowSteal", + "https://github.com/FireFart/hivenightmare", + "https://github.com/cube0x0/CVE-2021-36934", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ @@ -14995,8 +15064,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", + "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ @@ -15029,8 +15098,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_access.yml" ], "tags": [ 
@@ -15166,8 +15235,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", + "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" ], "tags": [ 
@@ -15187,6 +15256,43 @@
 "uuid": "46612ae6-86be-4802-bc07-39b59feb1309",
 "value": "Access To Windows DPAPI Master Keys By Uncommon Application"
 },
+ {
+ "description": "Detects file access requests to Windows Outlook Mail by uncommon processes.\nCould indicate potential attempt of credential stealing.\nRequires heavy baselining before usage\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2024/05/10",
+ "falsepositive": [
+ "Antivirus, Anti-Spyware, Anti-Malware Software",
+ "Backup software",
+ "Legitimate software installed on partitions other than \"C:\\\"",
+ "Searching software such as \"everything.exe\""
+ ],
+ "filename": "file_access_win_outlook_mail_credential_access.yml",
+ "level": "low",
+ "logsource.category": "file_access",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows",
+ "https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_outlook_mail_credential_access.yml"
+ ],
+ "tags": [
+ "attack.t1070.008",
+ "attack.defense_evasion"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "438c967d-3996-4870-bfc2-3954752a1927",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "fc3e237f-2fef-406c-b90d-b3ae7e02fa8f",
+ "value": "Access To Windows Outlook Mail Files By Uncommon Application"
+ },
 {
 "description": "Detects file access requests to the Windows Credential History File by an uncommon application.\nThis can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n",
 "meta": {
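Review bot: The new "Access To Windows Outlook Mail Files By Uncommon Application" entry describes itself as a credential-theft indicator (`Could indicate potential attempt of credential stealing`, filename `file_access_win_outlook_mail_credential_access.yml`), yet its only ATT&CK tags are `attack.t1070.008` and `attack.defense_evasion`, and the one atomic test it cites is "copy and modify mailbox data", which is indicator removal/tampering rather than credential access. An analyst pivoting this galaxy by `attack.credential_access` or `attack.collection` will never surface the rule, while one filtering on defense evasion gets a rule whose text talks about stealing credentials. Either the description should be reworded to match the tag, e.g. `Could indicate tampering with or collection of local mailbox data.`, or a collection/credential-access tag should be added; since this cluster is generated from SigmaHQ, the fix belongs in the upstream YAML rather than a hand edit here. The `related` dest-uuid presumably resolves to the same T1070.008 technique in the MITRE galaxy, which is worth confirming once the tagging is settled.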
@@ -15605,8 +15711,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://linuxhint.com/view-tomcat-logs-windows/", "Internal Research", + "https://linuxhint.com/view-tomcat-logs-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml" ], "tags": [ @@ -15639,8 +15745,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/9", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/9", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ @@ -15706,8 +15812,8 @@ "logsource.category": "file_executable_detected", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml" ], 
@@ -15866,9 +15972,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ @@ -15901,8 +16007,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/hfiref0x/UACME", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], @@ -16154,8 +16260,8 @@ "logsource.product": "windows", "refs": [ "https://redcanary.com/threat-detection-report/threats/qbot/", - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ 
@@ -16188,10 +16294,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/splinter_code/status/1483815103279603714", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": [ @@ -16308,9 +16414,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", "https://twitter.com/_JohnHammond/status/1531672601067675648", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], "tags": [ @@ -16376,8 +16482,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://github.com/GhostPack/Rubeus", + "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" ], 
@@ -16428,12 +16534,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", - "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", - "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", - "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", + "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", + "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", + "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", + "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml" ], "tags": [ 
@@ -16466,13 +16572,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], "tags": [ @@ -16584,9 +16690,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://ss64.com/bash/rar.html", "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://ss64.com/bash/rar.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" ], "tags": [ 
@@ -16676,8 +16782,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019", "https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", + "https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml" ], "tags": [ @@ -16878,10 +16984,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", - "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", "https://en.wikipedia.org/wiki/IExpress", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml" ], "tags": [ 
@@ -16947,10 +17053,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" ], "tags": [ @@ -17065,9 +17171,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], "tags": [ 
@@ -17171,9 +17277,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://code.visualstudio.com/docs/remote/tunnels", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://code.visualstudio.com/docs/remote/tunnels", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml" ], "tags": [ @@ -17206,8 +17312,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.pingcastle.com/documentation/scanner/", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://www.pingcastle.com/documentation/scanner/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml" ], "tags": [ @@ -17283,8 +17389,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/BloodHound", "https://github.com/BloodHoundAD/SharpHound", + "https://github.com/BloodHoundAD/BloodHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml" ], "tags": [ @@ -17409,8 +17515,8 @@ "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://lolbas-project.github.io/lolbas/Binaries/Psr/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml" ], "tags": [ 
@@ -17632,11 +17738,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://github.com/zcgonvh/NTDSDumpEx", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://pentestlab.blog/tag/ntds-dit/", "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" @@ -17918,8 +18024,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules", "Internal Research", + "https://tools.thehacker.recipes/mimikatz/modules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" ], "tags": [ 
@@ -17970,8 +18076,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml" ], "tags": [ @@ -18107,8 +18213,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], 
@@ -18218,10 +18324,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", + "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], "tags": [ 
@@ -18331,10 +18437,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", - "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", + "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", + "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], "tags": [ @@ -18401,9 +18507,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", + "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ 
@@ -18834,8 +18940,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", + "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml" ], "tags": [ @@ -18910,9 +19016,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], "tags": [ @@ -18971,9 +19077,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/Hexacorn/status/885570278637678592", - "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", "https://twitter.com/Hexacorn/status/885553465417756673", "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", "https://twitter.com/vysecurity/status/885545634958385153", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], 
@@ -19074,8 +19180,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/wusa.exe/", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://www.echotrail.io/insights/search/wusa.exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" ], "tags": [ @@ -19098,8 +19204,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" ], "tags": [ 
@@ -19235,39 +19341,6 @@ "uuid": "5bb68627-3198-40ca-b458-49f973db8752", "value": "Rundll32 Execution Without Parameters" }, - { - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ] - }, - "related": [ - { - "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", - "value": "SystemStateBackup Deleted Using Wbadmin.EXE" - }, { "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", "meta": { @@ -19281,8 +19354,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" ], "tags": [ 
@@ -19306,8 +19379,8 @@ "logsource.product": "windows", "refs": [ "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", - "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://blog.viettelcybersecurity.com/saml-show-stopper/", + "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml" ], "tags": [ @@ -19399,8 +19472,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", + "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml" ], "tags": [ @@ -19574,8 +19647,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml" ], "tags": [ 
@@ -19683,8 +19756,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://pentestlab.blog/tag/svchost/", + "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml" ], "tags": [ @@ -19716,9 +19789,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://emkc.org/s/RJjuLa", - "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://redcanary.com/blog/chromeloader/", + "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://emkc.org/s/RJjuLa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml" ], "tags": [ @@ -19751,8 +19824,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml" ], "tags": [ @@ -19852,8 +19925,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Bash/", - "https://linux.die.net/man/1/bash", "Internal Research", + "https://linux.die.net/man/1/bash", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" ], "tags": [ 
@@ -19955,8 +20028,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/swagkarna/Defeat-Defender-V1.2.0", - "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", + "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml" ], "tags": [ @@ -20056,9 +20129,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222088214581825540", - "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml" ], "tags": [ @@ -20114,10 +20187,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml" ], "tags": [ 
@@ -20276,11 +20349,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", - "https://twitter.com/aceresponder/status/1636116096506818562", - "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", - "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", + "https://twitter.com/aceresponder/status/1636116096506818562", + "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", + "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", + "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ @@ -20314,9 +20387,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", - "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], "tags": [ 
@@ -20382,8 +20455,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.youtube.com/watch?v=Ie831jF0bb0", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml" ], "tags": [ @@ -20425,9 +20498,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://www.yeahhub.com/list-installed-programs-version-path-windows/", "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product", + "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" ], "tags": [ @@ -20460,10 +20533,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://twitter.com/egre55/status/1087685529016193025", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://twitter.com/egre55/status/1087685529016193025", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" ], 
@@ -20497,8 +20570,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "Internal Research", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml" ], "tags": [ 
@@ -20518,6 +20591,42 @@ "uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", "value": "Suspicious Modification Of Scheduled Tasks" }, + { + "description": "Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems), frack113", + "creation_date": "2024/05/10", + "falsepositive": [ + "Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis." + ], + "filename": "proc_creation_win_wbadmin_dump_sensitive_files.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", + "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8b93a509-1cb8-42e1-97aa-ee24224cdc15", + "value": "Sensitive File Dump Via Wbadmin.EXE" + }, { "description": "Detects execution of \"odbcconf\" where the path of the DLL being registered is located in a potentially suspicious location.", "meta": { 
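Review bot: The new "Sensitive File Dump Via Wbadmin.EXE" entry tags only `"attack.t1003.003"` (OS Credential Dumping: NTDS) although its description also covers dumping the "SECURITY" hive, which ATT&CK maps to T1003.004 (LSA Secrets) rather than NTDS, so consumers pivoting from this galaxy to ATT&CK would miss the hive case. Consider adding `"attack.t1003.004"` to the `tags` array together with a matching `related` object, keeping the existing `edf91964-…` link for T1003.003. Since this cluster appears to be regenerated from the upstream SigmaHQ rule (the last ref points at `proc_creation_win_wbadmin_dump_sensitive_files.yml`), the tag change belongs in the upstream YAML rather than a hand edit of this JSON. The detection logic itself is not visible on this page, so I have not checked whether the rule actually matches hive targets as the description claims.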
@@ -20532,8 +20641,8 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", - "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" ], "tags": [ @@ -20601,8 +20710,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", - "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", + "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ @@ -20637,9 +20746,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml" ], "tags": [ 
@@ -20782,8 +20891,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml" ], "tags": [ @@ -20817,10 +20926,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", - "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" ], "tags": [ 
@@ -20844,8 +20953,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" ], "tags": [ @@ -21094,8 +21203,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://twitter.com/mrd0x/status/1475085452784844803?s=12", + "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" ], "tags": [ @@ -21136,10 +21245,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml" ], "tags": [ 
@@ -21159,41 +21268,6 @@ "uuid": "5f03babb-12db-4eec-8c82-7b4cb5580868", "value": "Response File Execution Via Odbcconf.EXE" }, - { - "description": "Detects the execution of \"attrib\" with the \"+s\" flag to mark files as system files", - "meta": { - "author": "frack113", - "creation_date": "2022/02/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_attrib_system.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ] - }, - "related": [ - { - "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", - "value": "Set Files as System Files Using Attrib.EXE" - }, { "description": "Detects usage of wmic to start or stop a service", "meta": { 
@@ -21332,10 +21406,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", - "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html", + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", + "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml" ], "tags": [ @@ -21584,8 +21658,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" ], "tags": [ 
@@ -21618,10 +21692,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://isc.sans.edu/diary/22264", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], "tags": [ @@ -21664,9 +21738,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.intrinsec.com/apt27-analysis/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ @@ -22154,8 +22228,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml" ], "tags": [ 
@@ -22255,8 +22329,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://twitter.com/pabraeken/status/993298228840992768", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml" ], "tags": [ @@ -22298,10 +22372,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://redcanary.com/blog/msix-installers/", - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml" ], "tags": [ 
@@ -22335,9 +22409,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml" ], "tags": [ @@ -22518,10 +22592,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", + "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" ], "tags": [ 
@@ -22761,9 +22835,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", + "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml" ], "tags": [ @@ -22830,12 +22904,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Teams/", - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", - "https://positive.security/blog/ms-officecmd-rce", "https://taggart-tech.com/quasar-electron/", + "https://positive.security/blog/ms-officecmd-rce", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://github.com/mttaggart/quasar", "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", + "https://lolbas-project.github.io/lolbas/Binaries/Teams/", "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" ], 
@@ -22984,10 +23058,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml" ], @@ -23021,9 +23095,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://www.echotrail.io/insights/search/wermgr.exe", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml" ], "tags": [ 
@@ -23066,9 +23140,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
 ],
 "tags": [
@@ -23142,7 +23216,7 @@
 ]
 },
 "uuid": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184",
- "value": "Suspicious Execution Of PDQDeployRunner"
+ "value": "Potentially Suspicious Execution Of PDQDeployRunner"
 },
 {
 "description": "Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes",
@@ -23192,8 +23266,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml"
 ],
 "tags": [
@@ -23260,8 +23334,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" ], "tags": [ @@ -23369,9 +23443,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" ], "tags": [ @@ -23437,8 +23511,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/", "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", + "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml" ], "tags": [ 
@@ -23473,10 +23547,10 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://twitter.com/cglyer/status/1355171195654709249", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], "tags": [ @@ -23651,8 +23725,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml" ], @@ -23687,9 +23761,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", - "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", + "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml" ], "tags": [ 
@@ -23756,8 +23830,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fortiguard.com/threat-signal-report/4718?s=09", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", + "https://www.fortiguard.com/threat-signal-report/4718?s=09", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml" ], @@ -23791,8 +23865,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" ], "tags": [ @@ -23833,8 +23907,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", + "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" ], "tags": [ 
@@ -23900,8 +23974,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" ], "tags": [ @@ -23968,8 +24042,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core", "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", + "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml" ], "tags": [ 
@@ -24002,13 +24076,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", + "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://github.com/vletoux/pingcastle", "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", - "https://github.com/vletoux/pingcastle", - "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", - "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml" ], "tags": [ @@ -24041,9 +24115,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://emkc.org/s/RJjuLa", - "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://redcanary.com/blog/chromeloader/", + "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://emkc.org/s/RJjuLa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml" ], "tags": [ 
@@ -24076,11 +24150,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], "tags": [ @@ -24122,8 +24196,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml" ], "tags": [ 
@@ -24156,12 +24230,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/CCob/MirrorDump", "https://github.com/Hackndo/lsassy", "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/helpsystems/nanodump", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://github.com/CCob/MirrorDump", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml" ], "tags": [ @@ -24194,8 +24268,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Print/", "https://twitter.com/Oddvarmoe/status/985518877076541440", + "https://lolbas-project.github.io/lolbas/Binaries/Print/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml" ], "tags": [ @@ -24278,8 +24352,8 @@ "logsource.product": "windows", "refs": [ "https://www.php.net/manual/en/features.commandline.php", - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ 
@@ -24299,30 +24373,6 @@
 "uuid": "d81871ef-5738-47ab-9797-7a9c90cd4bfb",
 "value": "Php Inline Command Execution"
 },
- {
- "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/01/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_lolbin_format.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/wdormann/status/1478011052130459653?s=20",
- "https://twitter.com/0gtweet/status/1477925112561209344",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_format.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ]
- },
- "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60",
- "value": "Format.com FileSystem LOLBIN"
- },
 {
 "description": "Detects potentially suspicious file downloads directly from IP addresses using Wget.exe",
 "meta": {
@@ -24361,8 +24411,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
+ "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
 ],
 "tags": [
@@ -24463,8 +24513,8 @@ "logsource.product": "windows", "refs": [ "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml" ], "tags": [ @@ -24541,8 +24591,8 @@ "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml" ], "tags": [ @@ -24609,9 +24659,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/Max_Mal_/status/1633863678909874176", + "Internal Research", "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", "https://twitter.com/_JohnHammond/status/1588155401752788994", - "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml" ], "tags": [ 
@@ -24677,8 +24727,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml" ], "tags": [ @@ -24802,8 +24852,8 @@ "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", - "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], "tags": [ @@ -24836,9 +24886,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", + "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" ], "tags": [ 
@@ -24905,10 +24955,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", - "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", + "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", "https://github.com/defaultnamehere/cookie_crimes/", + "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" ], "tags": [ @@ -25007,8 +25057,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1457676633809330184", "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", + "https://twitter.com/0gtweet/status/1457676633809330184", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml" ], "tags": [ @@ -25237,9 +25287,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", + "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml" ], "tags": [ 
@@ -25273,8 +25323,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-december-2021", "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", + "https://redcanary.com/blog/intelligence-insights-december-2021", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml" ], "tags": [ @@ -25299,8 +25349,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1616702107242971144", "https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r", + "https://twitter.com/malmoeb/status/1616702107242971144", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" ], "tags": [ @@ -25323,8 +25373,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml" ], "tags": [ @@ -25459,8 +25509,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/", "https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ", + "https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml" ], "tags": [ 
@@ -25493,8 +25543,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ShadowChasing1/status/1552595370961944576", "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", + "https://twitter.com/ShadowChasing1/status/1552595370961944576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml" ], "tags": [ @@ -25627,10 +25677,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/SBousseaden/status/1211636381086339073", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://twitter.com/SBousseaden/status/1211636381086339073", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ @@ -25681,8 +25731,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", + "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" ], "tags": [ 
@@ -25715,12 +25765,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", - "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://redcanary.com/blog/raspberry-robin/", - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" ], "tags": [ 
@@ -25798,6 +25848,42 @@
 "uuid": "550bbb84-ce5d-4e61-84ad-e590f0024dcd",
 "value": "File Encryption Using Gpg4win"
 },
+ {
+ "description": "Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), frack113",
+ "creation_date": "2024/05/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_wbadmin_restore_sensitive_files.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "84972c80-251c-4c3a-9079-4f00aad93938",
+ "value": "Sensitive File Recovery From Backup Via Wbadmin.EXE"
+ },
 {
 "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.",
 "meta": {
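Review bot: The new Wbadmin entry tags only `attack.t1003.003` (NTDS) and has a single `related` link, while its own description names the `SECURITY` hive as a second target; anyone pivoting on tags or the `related` graph will miss the hive case, so either the description should be narrowed to NTDS.DIT or the registry-hive sub-technique (and a matching `related` entry) should be added, ideally by fixing the upstream Sigma rule this galaxy is generated from. Separately, `falsepositive` is `"Unknown"` on a `"level": "high"` rule whose refs are the `wbadmin start backup` / `wbadmin start recovery` documentation pages, so routine system-state backups and disaster-recovery restores run by administrators would presumably match; a concrete entry such as `"Legitimate system state backup or restore by administrators"` would tell analysts to tune before deploying. The leading `"` of `\"NTDS.DIT\"` and the trailing `\n` in the description are fine for strict JSON, only noting that the escaping survived the re-flow.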
@@ -26138,8 +26224,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/hexacorn/status/1448037865435320323", "https://twitter.com/Gal_B1t/status/1062971006078345217", + "https://twitter.com/hexacorn/status/1448037865435320323", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml" ], "tags": [ @@ -26172,8 +26258,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", + "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml" ], "tags": [ @@ -26282,8 +26368,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml" ], "tags": [ 
@@ -26316,8 +26402,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
 "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
+ "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml"
 ],
 "tags": [
@@ -26366,8 +26452,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"
 ],
 "tags": [
@@ -26401,11 +26487,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
 "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
 "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841",
- "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
 "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
+ "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"
 ],
 "tags": [
@@ -26498,9 +26584,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
 "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://github.com/antonioCoco/RogueWinRM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
 ],
@@ -26534,8 +26620,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml"
 ],
 "tags": [
@@ -26569,7 +26655,7 @@
 "author": "frack113",
 "creation_date": "2022/07/18",
 "falsepositive": [
- "Legitimate use"
+ "Unknown"
 ],
 "filename": "proc_creation_win_icacls_deny.yml",
 "level": "medium",
@@ -26806,8 +26892,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1463526834918854661",
 "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5",
+ "https://twitter.com/mrd0x/status/1463526834918854661",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml"
 ],
 "tags": [
@@ -26915,12 +27001,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
 "https://thedfirreport.com/2020/05/08/adfind-recon/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://www.joeware.net/freetools/tools/adfind/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"
 ],
 "tags": [
@@ -27118,11 +27204,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cloudflare/cloudflared/releases",
- "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
 "https://github.com/cloudflare/cloudflared",
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
 "https://www.intrinsec.com/akira_ransomware/",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://github.com/cloudflare/cloudflared/releases",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml"
 ],
 "tags": [
@@ -27155,8 +27241,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1534915321856917506",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
+ "https://twitter.com/nas_bench/status/1534915321856917506",
 "https://twitter.com/nas_bench/status/1534916659676422152",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml"
 ],
@@ -27394,9 +27480,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
- "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
+ "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
+ "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
 ],
 "tags": [
@@ -27430,8 +27516,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
 ],
 "tags": [
@@ -27579,8 +27665,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
- "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml"
 ],
 "tags": [
@@ -27714,8 +27800,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_felamos/status/1179811992841797632",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
+ "https://twitter.com/_felamos/status/1179811992841797632",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml"
 ],
 "tags": [
@@ -27781,8 +27867,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/",
 "https://anydesk.com/en/changelog/windows",
+ "https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml"
 ],
 "tags": [
@@ -27806,9 +27892,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
 "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing",
 "https://reaqta.com/2017/11/short-journey-darkvnc/",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml"
 ],
 "tags": [
@@ -27900,12 +27986,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
 "https://www.attackiq.com/2023/09/20/emulating-rhysida/",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
 "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
 "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
+ "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml"
 ],
 "tags": [
@@ -27948,8 +28034,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
- "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
+ "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
 ],
@@ -28084,8 +28170,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
- "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml"
 ],
 "tags": [
@@ -28219,11 +28305,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
- "https://man.openbsd.org/ssh_config#ProxyCommand",
 "https://gtfobins.github.io/gtfobins/ssh/",
 "https://man.openbsd.org/ssh_config#LocalCommand",
 "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
+ "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
+ "https://man.openbsd.org/ssh_config#ProxyCommand",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml"
 ],
 "tags": [
@@ -28290,13 +28376,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
 "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
 "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml"
 ],
 "tags": [
@@ -28329,8 +28415,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/",
 "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
+ "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml"
 ],
 "tags": [
@@ -28396,8 +28482,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Hackplayers/evil-winrm",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm",
+ "https://github.com/Hackplayers/evil-winrm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml"
 ],
 "tags": [
@@ -28530,8 +28616,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1460815932402679809",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/",
+ "https://twitter.com/mrd0x/status/1460815932402679809",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml"
 ],
 "tags": [
@@ -28600,8 +28686,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
- "https://ss64.com/nt/dsacls.html",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
+ "https://ss64.com/nt/dsacls.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
 ],
 "tags": [
@@ -28634,8 +28720,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
 "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/",
+ "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml"
 ],
 "tags": [
@@ -28703,10 +28789,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
 "https://twitter.com/EricaZelic/status/1614075109827874817",
- "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
 "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml"
 ],
 "tags": [
@@ -28755,9 +28841,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
 "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
- "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml"
 ],
 "tags": [
@@ -28859,13 +28945,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://twitter.com/gN3mes1s/status/941315826107510784",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
 "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
 "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
 "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
 ],
@@ -29086,8 +29172,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml"
 ],
 "tags": [
@@ -29120,10 +29206,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
 "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
 ],
 "tags": [
@@ -29221,9 +29307,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.nirsoft.net/utils/nircmd2.html#using",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://www.nirsoft.net/utils/nircmd.html",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml"
 ],
 "tags": [
@@ -29280,8 +29366,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
 "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
 "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml"
 ],
@@ -29315,9 +29401,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
 ],
 "tags": [
@@ -29375,9 +29461,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"
 ],
 "tags": [
@@ -29419,8 +29505,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/child-processes/",
 "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf",
+ "https://redcanary.com/blog/child-processes/",
 "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml"
 ],
@@ -29490,8 +29576,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/pabraeken/status/999090532839313408",
- "https://twitter.com/pabraeken/status/995837734379032576",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
+ "https://twitter.com/pabraeken/status/995837734379032576",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml"
 ],
 "tags": [
@@ -29524,9 +29610,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
- "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist",
 "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist",
+ "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml"
 ],
 "tags": [
@@ -29600,8 +29686,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
 "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml"
 ],
@@ -29703,17 +29789,17 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
 "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
 "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+ "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml"
 ],
 "tags": [
@@ -29763,8 +29849,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps",
 "https://github.com/cloudflare/cloudflared",
+ "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml"
 ],
 "tags": [
@@ -29947,8 +30033,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa",
+ "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml"
 ],
 "tags": [
@@ -30040,8 +30126,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml",
+ "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
 "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"
 ],
@@ -30120,8 +30207,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://redcanary.com/blog/right-to-left-override/",
- "https://unicode-explorer.com/c/202E",
 "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method",
+ "https://unicode-explorer.com/c/202E",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml"
 ],
 "tags": [
@@ -30154,8 +30241,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/rikvduijn/status/853251879320662017",
 "https://twitter.com/felixw3000/status/853354851128025088",
+ "https://twitter.com/rikvduijn/status/853251879320662017",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml"
 ],
 "tags": [
@@ -30356,9 +30443,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/tccontre18/status/1480950986650832903",
 "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
 "https://twitter.com/mrd0x/status/1461041276514623491",
+ "https://twitter.com/tccontre18/status/1480950986650832903",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml"
 ],
 "tags": [
@@ -30391,13 +30478,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.softperfect.com/products/networkscanner/",
 "https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/",
- "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
 "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf",
 "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://www.softperfect.com/products/networkscanner/",
+ "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
 "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml"
 ],
 "tags": [
@@ -30540,8 +30627,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
 ],
 "tags": [
@@ -30694,8 +30781,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml"
 ],
 "tags": [
@@ -30761,8 +30848,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Oddvarmoe/status/993383596244258816",
 "https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md",
+ "https://twitter.com/Oddvarmoe/status/993383596244258816",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml"
 ],
 "tags": [
@@ -30804,8 +30891,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://www.d7xtech.com/free-software/runx/",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml"
 ],
 "tags": [
@@ -30937,10 +31024,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://twitter.com/ForensicITGuy/status/1334734244120309760",
- "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
 ],
 "tags": [
@@ -30990,9 +31077,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
- "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey",
 "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
+ "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey",
+ "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
 ],
 "tags": [
@@ -31025,9 +31112,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
- "https://twitter.com/bohops/status/994405551751815170",
 "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
+ "https://twitter.com/bohops/status/994405551751815170",
+ "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml"
 ],
 "tags": [
@@ -31060,8 +31147,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml"
 ],
 "tags": [
@@ -31094,10 +31181,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
- "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
 "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
 "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
+ "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
+ "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
 ],
 "tags": [
@@ -31162,8 +31249,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml"
 ],
 "tags": [
@@ -31197,8 +31284,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=2288",
 "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
+ "https://adsecurity.org/?p=2288",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml"
 ],
 "tags": [
@@ -31389,9 +31476,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
 "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
- "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml"
 ],
 "tags": [
@@ -31509,9 +31596,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
 "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
 "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
- "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
 ],
 "tags": [
@@ -31544,8 +31631,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml"
@@ -31571,8 +31658,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html",
 "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
+ "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml"
 ],
 "tags": [
@@ -31605,8 +31692,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Desk/",
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl",
+ "https://lolbas-project.github.io/lolbas/Libraries/Desk/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml"
 ],
 "tags": [
@@ -31672,10 +31759,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml"
 ],
 "tags": [
@@ -31718,8 +31805,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cglyer/status/1182391019633029120",
 "https://twitter.com/cglyer/status/1182389676876980224",
+ "https://twitter.com/cglyer/status/1182391019633029120",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml"
 ],
 "tags": [
@@ -31775,12 +31862,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
 "https://isc.sans.edu/diary/22264",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"
 ],
 "tags": [
@@ -31823,8 +31910,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortiguard.com/threat-signal-report/4718?s=09",
 "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
+ "https://www.fortiguard.com/threat-signal-report/4718?s=09",
 "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml"
 ],
@@ -31858,9 +31945,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/DissectMalware/status/998797808907046913",
 "https://lolbas-project.github.io/lolbas/Binaries/Jsc/",
 "https://www.phpied.com/make-your-javascript-a-windows-exe/",
- "https://twitter.com/DissectMalware/status/998797808907046913",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml"
 ],
 "tags": [
@@ -31969,8 +32056,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18",
 "https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml"
 ],
 "tags": [
@@ -32079,8 +32166,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/grayhatkiller/SharpExShell",
 "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication",
+ "https://github.com/grayhatkiller/SharpExShell",
 "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml"
 ],
@@ -32114,9 +32201,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
 "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
- "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml"
 ],
 "tags": [
@@ -32149,8 +32236,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
 "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
+ "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
 "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml"
 ],
@@ -32352,8 +32439,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/nas_bench/status/1535322450858233858",
- "https://twitter.com/CyberRaiju/status/1273597319322058752",
 "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
+ "https://twitter.com/CyberRaiju/status/1273597319322058752",
 "https://twitter.com/bohops/status/1276357235954909188?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml"
 ],
@@ -32387,8 +32474,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
 "https://unit42.paloaltonetworks.com/chromeloader-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml"
 ],
@@ -32432,9 +32519,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
- "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
- "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml"
 ],
 "tags": [
@@ -32526,8 +32613,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
- "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml"
 ],
 "tags": [
@@ -32561,13 +32648,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://twitter.com/gN3mes1s/status/941315826107510784",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
 "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
 "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
 "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
 ],
@@ -32634,8 +32721,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
- "https://github.com/hfiref0x/UACME",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://github.com/hfiref0x/UACME",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
 ],
 "tags": [
@@ -32807,9 +32894,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf",
- "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png",
+ "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
+ "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml"
 ],
 "tags": [
@@ -32844,9 +32931,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml"
 ],
 "tags": [
@@ -32914,8 +33001,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
- "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
 "https://twitter.com/pabraeken/status/990717080805789697",
+ "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"
 ],
 "tags": [
@@ -32949,8 +33036,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/sensepost/ruler",
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml"
 ],
 "tags": [
@@ -32991,8 +33078,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/regsvr32.exe",
 "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo",
+ "https://www.echotrail.io/insights/search/regsvr32.exe",
 "https://redcanary.com/blog/intelligence-insights-april-2022/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml"
 ],
@@ -33149,10 +33236,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
 "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
- "https://twitter.com/lefterispan/status/1286259016436514816",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
 "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+ "https://twitter.com/lefterispan/status/1286259016436514816",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml"
 ],
 "tags": [
@@ -33185,8 +33272,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/3proxy/3proxy",
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml"
 ],
 "tags": [
@@ -33253,10 +33340,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f",
- "https://twitter.com/mrd0x/status/1511489821247684615",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
 "https://twitter.com/mrd0x/status/1511415432888131586",
+ "https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml"
 ],
 "tags": [
@@ -33332,9 +33419,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml"
 ],
 "tags": [
@@ -33369,8 +33456,8 @@
 "refs": [
 "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
 "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
- "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
 ],
 "tags": [
@@ -33411,8 +33498,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-",
 "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
+ "https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml"
 ],
 "tags": [
@@ -33454,9 +33541,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml"
 ],
 "tags": [
@@ -33512,8 +33599,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
+ "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
 "https://www.exploit-db.com/exploits/37525",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
 ],
@@ -33648,8 +33735,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml"
 ],
 "tags": [
@@ -33748,8 +33835,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive",
 "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool",
+ "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml"
 ],
 "tags": [
@@ -33782,8 +33869,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"
 ],
 "tags": [
@@ -33850,10 +33937,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
 "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml"
 ],
 "tags": [
@@ -33886,8 +33973,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml"
 ],
 "tags": [
@@ -33920,8 +34007,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/mklink.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
+ "https://ss64.com/nt/mklink.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml"
 ],
 "tags": [
@@ -34001,9 +34088,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml"
 ],
 "tags": [
@@ -34133,6 +34220,44 @@
 "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b",
 "value": "RunDLL32 Spawning Explorer"
 },
+ {
+ "description": "Detects the deletion of all backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.\n",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2021/12/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_wbadmin_delete_all_backups.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
+ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "639c9081-f482-47d3-a0bd-ddee3d4ecd76",
+ "value": "All Backups Deleted Via Wbadmin.EXE"
+ },
 {
 "description": "Detects the use of Advanced Port Scanner.",
 "meta": {
@@ -34222,10 +34347,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/wunderwuzzi23/firefox-cookiemonster",
 "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
 "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
 "https://github.com/defaultnamehere/cookie_crimes/",
+ "https://github.com/wunderwuzzi23/firefox-cookiemonster",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml"
 ],
 "tags": [
@@ -34292,8 +34417,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w",
 "https://www.autoitscript.com/site/",
+ "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml"
 ],
 "tags": [
@@ -34666,9 +34791,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/gN3mes1s/status/1222088214581825540",
- "https://twitter.com/gN3mes1s/status/1222095371175911424",
 "https://twitter.com/gN3mes1s/status/1222095963789111296",
+ "https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://twitter.com/gN3mes1s/status/1222088214581825540",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml"
 ],
 "tags": [
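Review bot: In the new "All Backups Deleted Via Wbadmin.EXE" entry, the first `refs` URL points at the atomic-red-team T1490 anchor `atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell`, which describes shadow-copy deletion through WMI/PowerShell rather than the wbadmin backup deletion the description and the `learn.microsoft.com` wbadmin reference cover. Since this cluster is regenerated from the upstream Sigma rule `proc_creation_win_wbadmin_delete_all_backups.yml`, the mismatch is presumably inherited from that rule and is best corrected there and re-synced, rather than hand-edited in the generated JSON. Until then, analysts pivoting from this entry should rely on the wbadmin and ransomware-report references, not the first link.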
@@ -34726,9 +34851,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.alyac.co.kr/1901",
+ "https://twitter.com/cyberwar_15/status/1187287262054076416",
 "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
 "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
- "https://twitter.com/cyberwar_15/status/1187287262054076416",
 "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
 ],
@@ -34780,8 +34905,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
 "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
@@ -34883,8 +35008,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
+ "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
 "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"
 ],
@@ -34975,8 +35100,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
 "https://twitter.com/n1nj4sec/status/1421190238081277959",
+ "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
 "https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"
 ],
@@ -35044,8 +35169,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml"
 ],
 "tags": [
@@ -35101,8 +35226,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml"
 ],
 "tags": [
@@ -35227,8 +35352,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
 "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
+ "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"
 ],
 "tags": [
@@ -35261,9 +35386,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
- "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
 "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
+ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml"
 ],
 "tags": [
@@ -35296,12 +35421,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/eral4m/status/1479106975967240209",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
 "https://twitter.com/nas_bench/status/1433344116071583746",
 "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
 "https://twitter.com/eral4m/status/1479080793003671557",
 "https://twitter.com/Hexacorn/status/885258886428725250",
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://twitter.com/eral4m/status/1479106975967240209",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"
 ],
 "tags": [
@@ -35422,39 +35547,6 @@
 "uuid": "1070db9a-3e5d-412e-8e7b-7183b616e1b3",
 "value": "Persistence Via Sticky Key Backdoor"
 },
- {
- "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/02/23",
- "falsepositive": [
- "Software installers that run from temporary folders and also install scheduled tasks"
- ],
- "filename": "proc_creation_win_schtasks_parent.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_parent.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1053.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9494479d-d994-40bf-a8b1-eea890237021",
- "value": "Suspicious Add Scheduled Task Parent"
- },
 {
 "description": "Detects dump of credentials in VeeamBackup dbo",
 "meta": {
@@ -35560,8 +35652,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
 "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
+ "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
 "https://twitter.com/0gtweet/status/1583356502340870144",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
@@ -35606,10 +35698,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
+ "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
 ],
@@ -35818,9 +35910,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml"
 ],
 "tags": [
@@ -36019,8 +36111,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/",
 "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
+ "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml"
 ],
 "tags": [
@@ -36192,8 +36284,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
 "https://github.com/shantanu561993/SharpChisel",
+ "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml"
 ],
 "tags": [
@@ -36359,11 +36451,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://twitter.com/0gtweet/status/1628720819537936386",
 "https://twitter.com/Alh4zr3d/status/1580925761996828672",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
 ],
 "tags": [
@@ -36398,9 +36490,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
- "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
+ "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
 ],
 "tags": [
@@ -36556,10 +36648,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
- "https://www.intrinsec.com/akira_ransomware/",
 "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "https://github.com/cloudflare/cloudflared",
+ "https://www.intrinsec.com/akira_ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml"
 ],
 "tags": [
@@ -36674,8 +36766,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hatching.io/blog/powershell-analysis/",
 "https://lab52.io/blog/winter-vivern-all-summer/",
+ "https://hatching.io/blog/powershell-analysis/",
 "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
 ],
@@ -36810,9 +36902,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
 "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
 ],
 "tags": [
@@ -36854,8 +36946,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
+ "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml"
 ],
 "tags": [
@@ -36998,9 +37090,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
 "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
 "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
+ "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml"
 ],
 "tags": [
@@ -37134,8 +37226,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Kevin-Robertson/Inveigh",
 "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://github.com/Kevin-Robertson/Inveigh",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml"
 ],
 "tags": [
@@ -37168,8 +37260,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
 "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
+ "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
 ],
 "tags": [
@@ -37270,8 +37362,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml"
 ],
 "tags": [
@@ -37304,8 +37396,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
 "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml"
 ],
 "tags": [
@@ -37325,6 +37417,49 @@
 "uuid": "3bad990e-4848-4a78-9530-b427d854aac0",
 "value": "Domain Trust Discovery Via Dsquery"
 },
+ {
+ "description": "Detects potentially suspicious child processes of KeyScrambler.exe",
+ "meta": {
+ "author": "Swachchhanda Shrawan Poudel",
+ "creation_date": "2024/05/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_keyscrambler_susp_child_process.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/DTCERT/status/1712785421845790799",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1203",
+ "attack.t1574.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "ca5583e9-8f80-46ac-ab91-7f314d13b984",
+ "value": "Potentially Suspicious Child Process of KeyScrambler.exe"
+ },
 {
 "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.",
 "meta": {
@@ -37381,8 +37516,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://twitter.com/mattifestation/status/1196390321783025666",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
 ],
@@ -37502,8 +37637,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/subTee/status/1216465628946563073",
 "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
+ "https://twitter.com/subTee/status/1216465628946563073",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml"
 ],
 "tags": [
@@ -37705,10 +37840,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://nodejs.org/api/cli.html",
 "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
+ "https://nodejs.org/api/cli.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
 ],
 "tags": [
@@ -37802,9 +37937,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://code.visualstudio.com/docs/remote/tunnels",
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
 "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://code.visualstudio.com/docs/remote/tunnels",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml"
 ],
 "tags": [
@@ -37894,24 +38029,24 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/HarmJ0y/DAMP",
 "https://github.com/besimorhino/powercat",
- "https://adsecurity.org/?p=2921",
- "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/Kevin-Robertson/Powermad",
 "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/adrecon/ADRecon",
 "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
 "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
 "https://github.com/samratashok/nishang",
- "https://github.com/HarmJ0y/DAMP",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/adrecon/ADRecon",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
 ],
 "tags": [
@@ -38001,8 +38136,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
 "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
+ "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml"
 ],
 "tags": [
@@ -38060,8 +38195,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1535431474429808642",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
+ "https://twitter.com/nas_bench/status/1535431474429808642",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml"
 ],
 "tags": [
@@ -38104,8 +38239,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
- "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html",
 "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
+ "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml"
 ],
 "tags": [
@@ -38172,8 +38307,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml"
 ],
 "tags": [
@@ -38206,8 +38341,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
 "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866",
+ "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml"
 ],
 "tags": [
@@ -38348,9 +38483,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml"
 ],
 "tags": [
@@ -38492,11 +38627,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cloudflare/cloudflared/releases",
- "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
 "https://github.com/cloudflare/cloudflared",
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
 "https://www.intrinsec.com/akira_ransomware/",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://github.com/cloudflare/cloudflared/releases",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml"
 ],
 "tags": [
@@ -38679,9 +38814,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
- "https://twitter.com/pabraeken/status/990758590020452353",
 "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
+ "https://twitter.com/pabraeken/status/990758590020452353",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
 ],
 "tags": [
@@ -38714,8 +38849,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml"
 ],
 "tags": [
@@ -38771,10 +38906,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
 "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
- "https://twitter.com/lefterispan/status/1286259016436514816",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
 "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+ "https://twitter.com/lefterispan/status/1286259016436514816",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml"
 ],
 "tags": [
@@ -38874,8 +39009,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1463526834918854661",
 "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5",
+ "https://twitter.com/mrd0x/status/1463526834918854661",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml"
 ],
 "tags": [
@@ -38909,10 +39044,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
 "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
 "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
 "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
+ "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml"
 ],
 "tags": [
@@ -38946,8 +39081,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
- "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml"
 ],
 "tags": [
@@ -39038,12 +39173,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2017/04/13/hot-potato/",
- "https://github.com/ohpe/juicy-potato",
- "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
- "https://www.localpotato.com/",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
 "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
+ "https://pentestlab.blog/2017/04/13/hot-potato/",
+ "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
+ "https://github.com/ohpe/juicy-potato",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://www.localpotato.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"
 ],
 "tags": [
@@ -39144,12 +39279,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -39190,9 +39325,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
 "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"
 ],
 "tags": [
@@ -39291,8 +39426,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.pdq.com/pdq-deploy/",
 "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
+ "https://www.pdq.com/pdq-deploy/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml"
 ],
 "tags": [
@@ -39326,8 +39461,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md",
 "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/",
+ "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml"
 ],
 "tags": [
@@ -39360,8 +39495,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
 "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
 "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml"
 ],
@@ -39404,8 +39539,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
+ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://github.com/samratashok/ADModule",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml"
 ],
@@ -39500,13 +39635,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ngrok.com/docs",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
- "https://twitter.com/xorJosh/status/1598646907802451969",
- "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
- "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
 "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
+ "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://twitter.com/xorJosh/status/1598646907802451969",
+ "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
+ "https://ngrok.com/docs",
+ "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml"
 ],
 "tags": [
@@ -39572,9 +39707,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://twitter.com/_st0pp3r_/status/1583914515996897281",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
 ],
 "tags": [
@@ -39642,8 +39777,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
 "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
+ "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml"
 ],
 "tags": [
@@ -39676,8 +39811,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml"
 ],
 "tags": [
@@ -39824,8 +39959,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military",
+ "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f",
 "https://learn.microsoft.com/en-us/windows/win32/shell/csidl",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml"
 ],
@@ -39992,8 +40127,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml"
 ],
 "tags": [
@@ -40061,8 +40196,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml"
 ],
@@ -40096,12 +40231,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://twitter.com/egre55/status/1087685529016193025",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"
 ],
 "tags": [
@@ -40134,10 +40269,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
 "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
- "https://twitter.com/hFireF0X/status/897640081053364225",
 "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://github.com/hfiref0x/UACME",
+ "https://twitter.com/hFireF0X/status/897640081053364225",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml"
 ],
 "tags": [
@@ -40260,15 +40395,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
- "https://github.com/Neo23x0/Raccine#the-process",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
 "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"
 ],
 "tags": [
@@ -40343,9 +40478,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://code.visualstudio.com/docs/remote/tunnels",
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
 "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://code.visualstudio.com/docs/remote/tunnels",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml"
 ],
 "tags": [
@@ -40530,8 +40665,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
 "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
 "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
 ],
@@ -40566,9 +40701,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
- "https://adsecurity.org/?p=2604",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
 "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
+ "https://adsecurity.org/?p=2604",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"
 ],
 "tags": [
@@ -40601,9 +40736,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml"
 ],
 "tags": [
@@ -40800,8 +40935,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
+ "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml"
 ],
 "tags": [
@@ -40834,12 +40969,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/835149808817991680",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
+ "https://twitter.com/JohnLaTwC/status/835149808817991680",
 "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml"
 ],
 "tags": [
@@ -40872,10 +41007,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
 "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml"
 ],
 "tags": [
@@ -40909,8 +41044,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://www.poweradmin.com/paexec/",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml"
 ],
 "tags": [
@@ -40943,8 +41078,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
 "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml"
 ],
 "tags": [
@@ -40967,10 +41102,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/M_haggis/status/1699056847154725107",
- "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
 "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
 "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
+ "https://twitter.com/M_haggis/status/1699056847154725107",
+ "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml"
 ],
 "tags": [
@@ -40994,8 +41129,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://en.wikipedia.org/wiki/HTML_Application",
 "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
+ "https://en.wikipedia.org/wiki/HTML_Application",
 "https://www.echotrail.io/insights/search/mshta.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml"
 ],
@@ -41029,9 +41164,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
 "https://github.com/fireeye/DueDLLigence",
 "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
+ "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
 ],
 "tags": [
@@ -41064,8 +41199,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1618021838407495681",
 "https://twitter.com/nas_bench/status/1618021415852335105",
+ "https://twitter.com/nas_bench/status/1618021838407495681",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml"
 ],
 "tags": [
@@ -41107,10 +41242,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
+ "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
 "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
 "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
- "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
+ "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml"
 ],
 "tags": [
@@ -41176,16 +41311,16 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
 "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
 "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml"
 ],
 "tags": [
@@ -41241,11 +41376,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
- "https://twitter.com/mattifestation/status/1326228491302563846",
- "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
 "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
+ "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
+ "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
 "http://blog.sevagas.com/?Hacking-around-HTA-files",
+ "https://twitter.com/mattifestation/status/1326228491302563846",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"
 ],
 "tags": [
@@ -41296,15 +41431,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.group-ib.com/blog/apt41-world-tour-2021/",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf",
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a",
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1",
+ "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1",
+ "https://www.group-ib.com/blog/apt41-world-tour-2021/",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml"
 ],
 "tags": [
@@ -41415,8 +41550,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
 "https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57",
+ "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml"
 ],
 "tags": [
@@ -41507,10 +41642,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml"
 ],
 "tags": [
@@ -41569,8 +41704,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
 "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
 "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml"
 ],
@@ -41605,10 +41740,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
 ],
 "tags": [
@@ -41717,12 +41852,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
 "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
 "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
 "https://www.cobaltstrike.com/help-opsec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml"
 ],
@@ -41812,8 +41947,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], @@ -41913,8 +42048,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml" ], "tags": [ @@ -42027,9 +42162,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://www.echotrail.io/insights/search/wermgr.exe", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml" ], "tags": [ 
@@ -42076,8 +42211,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" ], "tags": [ @@ -42193,8 +42328,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", + "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" ], "tags": [ @@ -42251,8 +42386,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", + "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], "tags": [ @@ -42286,8 +42421,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml" ], "tags": [ 
@@ -42411,11 +42546,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pfiatde/status/1681977680688738305", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", - "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", + "https://twitter.com/pfiatde/status/1681977680688738305", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", + "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -42515,8 +42650,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml" ], "tags": [ 
@@ -42651,9 +42786,9 @@ "logsource.product": "windows", "refs": [ "https://www.activecyber.us/activelabs/windows-uac-bypass", - "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://twitter.com/ReaQta/status/1222548288731217921", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" ], "tags": [ @@ -42720,8 +42855,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" ], @@ -42814,8 +42949,8 @@ "refs": [ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", "https://github.com/Neo23x0/DLLRunner", - "https://twitter.com/cyb3rops/status/1186631731543236608", "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", + "https://twitter.com/cyb3rops/status/1186631731543236608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml" ], "tags": [ 
@@ -42906,8 +43041,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml" ], "tags": [ @@ -42949,8 +43084,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" ], "tags": [ @@ -43049,8 +43184,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" ], "tags": [ 
@@ -43301,9 +43436,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.nirsoft.net/utils/nircmd2.html#using", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd2.html#using", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], "tags": [ @@ -43494,9 +43629,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://twitter.com/pabraeken/status/993298228840992768", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ @@ -43638,9 +43773,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", "https://kb.acronis.com/content/60892", "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", - "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml" ], "tags": [ 
@@ -43739,8 +43874,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/defaultpack.exe", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", + "https://www.echotrail.io/insights/search/defaultpack.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml" ], "tags": [ @@ -43775,8 +43910,8 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml" ], "tags": [ 
@@ -43796,6 +43931,30 @@
 "uuid": "ba4cfc11-d0fa-4d94-bf20-7c332c412e76",
 "value": "Potentially Suspicious DLL Registered Via Odbcconf.EXE"
 },
+ {
+ "description": "Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which \"format.com\" is used to load malicious DLL files or other programs.\n",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/01/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_format_uncommon_filesystem_load.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/0gtweet/status/1477925112561209344",
+ "https://twitter.com/wdormann/status/1478011052130459653?s=20",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60",
+ "value": "Uncommon FileSystem Load Attempt By Format.com"
+ },
 {
 "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function",
 "meta": {
@@ -43978,8 +44137,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml"
 ],
 "tags": [
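Review bot: The new format.com entry carries only the tactic tag `"attack.defense_evasion"` and no technique tag, so it gets no `related` link to an ATT&CK attack-pattern and will sit disconnected in the galaxy graph, unlike entries in this file that pair a `attack.tXXXX` tag with a `related` block. If the upstream rule `proc_creation_win_format_uncommon_filesystem_load.yml` has a technique tag it should be mirrored here; if not, the gap is inherited from upstream and is worth raising there rather than patching in the galaxy. Note also that `"level": "high"` is combined with `"falsepositive": ["Unknown"]`, and the galaxy entry carries no detection logic, so which filesystem selections the rule treats as uncommon is only visible in the referenced YAML; consumers tuning on this entry alone should read the rule before acting on hits, since format.com with a non-default filesystem is also what legitimate media formatting looks like.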
@@ -44012,8 +44171,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml" ], "tags": [ @@ -44047,10 +44206,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", + "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], "tags": [ 
@@ -44100,10 +44259,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml" ], "tags": [ @@ -44285,13 +44444,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/shantanukhande/status/1229348874298388484", "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", + "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", "https://twitter.com/SBousseaden/status/1167417096374050817", "https://twitter.com/Hexacorn/status/1224848930795552769", - "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", "https://twitter.com/Wietze/status/1542107456507203586", - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], "tags": [ 
@@ -44334,8 +44493,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", + "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" ], @@ -44405,8 +44564,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" ], "tags": [ @@ -44440,8 +44599,8 @@ "logsource.product": "windows", "refs": [ "https://ss64.com/nt/for.html", - "https://ss64.com/ps/foreach-object.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://ss64.com/ps/foreach-object.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" ], "tags": [ 
@@ -44483,9 +44642,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/tccontre18/status/1480950986650832903", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://twitter.com/mrd0x/status/1461041276514623491", + "https://twitter.com/tccontre18/status/1480950986650832903", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml" ], "tags": [ 
@@ -44505,6 +44664,40 @@
 "uuid": "867356ee-9352-41c9-a8f2-1be690d78216",
 "value": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern"
 },
+ {
+ "description": "Detects the recovery of files from backups via \"wbadmin.exe\".\nAttackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), frack113",
+ "creation_date": "2024/05/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_wbadmin_restore_file.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "6fe4aa1e-0531-4510-8be2-782154b73b48",
+ "value": "File Recovery From Backup Via Wbadmin.EXE"
+ },
 {
 "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n",
 "meta": {
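Review bot: The technique mapping on the new wbadmin entry does not match its own description: `"attack.impact"` / `"attack.t1490"` (and the single `related` link, presumably the T1490 Inhibit System Recovery attack-pattern) classify it as destroying recovery capability, whereas the described behaviour — restoring NTDS.DIT or registry hives from a backup to extract credentials — is OS Credential Dumping (T1003.003 NTDS / T1003.002 SAM), i.e. credential access. If this file is generated from the upstream Sigma rule the fix belongs upstream, but as imported the entry will surface under the wrong tactic; adding `"attack.credential_access", "attack.t1003.003"` to `tags` (with the matching attack-pattern UUID appended to `related`) would reflect the description, and the T1490 link could be kept only if the rule also covers a recovery-inhibiting use of wbadmin. Separately, `"falsepositive": ["Unknown"]` undersells this rule: `wbadmin start recovery` is routine administrator activity after an outage, so at `"level": "medium"` consumers should expect to allowlist backup-operator accounts and restore windows rather than treating every hit as hostile.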
@@ -44518,8 +44711,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml" ], "tags": [ @@ -44703,8 +44896,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml" ], "tags": [ @@ -44795,8 +44988,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", + "https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml" ], "tags": [ 
@@ -44831,8 +45024,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://www.poweradmin.com/paexec/", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml" ], "tags": [ @@ -44901,11 +45094,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", - "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], "tags": [ @@ -44971,8 +45164,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", + "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml" ], "tags": [ 
@@ -45031,8 +45224,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/yarrick/iodine", "https://github.com/iagox86/dnscat2", + "https://github.com/yarrick/iodine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml" ], "tags": [ @@ -45082,8 +45275,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", + "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" ], "tags": [ @@ -45116,11 +45309,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", - "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], "tags": [ 
@@ -45153,10 +45346,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", - "https://twitter.com/mattifestation/status/986280382042595328", "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", + "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://atomicredteam.io/defense-evasion/T1220/", + "https://twitter.com/mattifestation/status/986280382042595328", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" ], "tags": [ @@ -45214,9 +45407,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://abuse.io/lockergoga.txt", + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" ], "tags": [ 
@@ -45258,8 +45451,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", + "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml" ], "tags": [ @@ -45379,13 +45572,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", + "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://github.com/vletoux/pingcastle", "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", - "https://github.com/vletoux/pingcastle", - "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", - "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml" ], "tags": [ 
@@ -45418,8 +45611,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml" ], "tags": [ @@ -45452,8 +45645,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", "https://github.com/cube0x0", + "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml" ], "tags": [ @@ -45562,8 +45755,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml" ], "tags": [ 
@@ -45596,8 +45789,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", "https://github.com/skelsec/pypykatz", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml" ], "tags": [ @@ -45706,8 +45899,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nmap.org/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", + "https://nmap.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml" ], "tags": [ @@ -45740,11 +45933,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://twitter.com/bohops/status/980659399495741441", "https://twitter.com/JohnLaTwC/status/1223292479270600706", "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], "tags": [ 
@@ -46055,11 +46248,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://twitter.com/_JohnHammond/status/1708910264261980634",
- "https://twitter.com/egre55/status/1087685529016193025",
 "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://twitter.com/egre55/status/1087685529016193025",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml"
 ],
@@ -46138,8 +46331,8 @@
 "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
 "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
 "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
- "https://twitter.com/christophetd/status/1164506034720952320",
 "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
+ "https://twitter.com/christophetd/status/1164506034720952320",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
 ],
 "tags": [
@@ -46273,8 +46466,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml"
 ],
 "tags": [
@@ -46298,8 +46491,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml"
 ],
 "tags": [
@@ -46384,9 +46577,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml"
 ],
 "tags": [
@@ -46510,8 +46703,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://tools.thehacker.recipes/mimikatz/modules",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://tools.thehacker.recipes/mimikatz/modules",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"
 ],
 "tags": [
@@ -46752,8 +46945,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
 "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
+ "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml"
 ],
 "tags": [
@@ -46820,11 +47013,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
+ "https://positive.security/blog/ms-officecmd-rce",
 "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
 "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
- "https://positive.security/blog/ms-officecmd-rce",
 "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
 "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml"
 ],
@@ -46848,8 +47041,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
 "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml"
 ],
 "tags": [
@@ -46933,8 +47126,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.hackvens.fr/articles/CoercedPotato.html",
 "https://github.com/hackvens/CoercedPotato",
+ "https://blog.hackvens.fr/articles/CoercedPotato.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml"
 ],
 "tags": [
@@ -47002,8 +47195,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/dsacls.html",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
+ "https://ss64.com/nt/dsacls.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml"
 ],
 "tags": [
@@ -47137,10 +47330,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
- "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
- "https://twitter.com/max_mal_/status/1542461200797163522",
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
+ "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
 "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
+ "https://twitter.com/max_mal_/status/1542461200797163522",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml"
 ],
 "tags": [
@@ -47173,9 +47366,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/bryon_/status/975835709587075072",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
 "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
+ "https://twitter.com/bryon_/status/975835709587075072",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml"
 ],
 "tags": [
@@ -47308,9 +47501,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
 ],
 "tags": [
@@ -47334,8 +47527,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml"
 ],
 "tags": [
@@ -47368,8 +47561,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection",
 "https://securelist.com/muddywater/88059/",
+ "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml"
 ],
 "tags": [
@@ -47568,9 +47761,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
- "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
 "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
 "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
+ "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"
 ],
 "tags": [
@@ -47741,8 +47934,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/eral4m/status/1451112385041911809",
 "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
+ "https://twitter.com/eral4m/status/1451112385041911809",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml"
 ],
 "tags": [
@@ -47900,9 +48093,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1511489821247684615",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
 "https://twitter.com/mrd0x/status/1511415432888131586",
+ "https://twitter.com/mrd0x/status/1511489821247684615",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml"
 ],
 "tags": [
@@ -47976,8 +48169,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/harleyQu1nn/AggressorScripts",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml"
 ],
 "tags": [
@@ -48156,14 +48349,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
+ "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
 ],
 "tags": [
@@ -48278,8 +48471,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/GelosSnake/status/934900723426439170",
 "https://asec.ahnlab.com/en/39828/",
+ "https://twitter.com/GelosSnake/status/934900723426439170",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml"
 ],
 "tags": [
@@ -48382,9 +48575,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
 "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
 "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
- "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml"
 ],
 "tags": [
@@ -48418,10 +48611,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
 "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
 "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
 "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"
 ],
@@ -48464,10 +48657,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/1415295021041979392",
 "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
- "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
 "https://vms.drweb.fr/virus/?i=24144899",
+ "https://twitter.com/JohnLaTwC/status/1415295021041979392",
+ "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml"
 ],
 "tags": [
@@ -48500,9 +48693,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/software/S0404/",
 "https://twitter.com/vxunderground/status/1423336151860002816",
 "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://attack.mitre.org/software/S0404/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml"
 ],
 "tags": [
@@ -48640,8 +48833,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
 "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2",
+ "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml"
 ],
 "tags": [
@@ -48683,8 +48876,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://processhacker.sourceforge.io/",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://processhacker.sourceforge.io/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml"
 ],
 "tags": [
@@ -48736,8 +48929,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
 "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
+ "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
 ],
 "tags": [
@@ -48770,10 +48963,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
- "https://twitter.com/nas_bench/status/1537896324837781506",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://twitter.com/nas_bench/status/1537896324837781506",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml"
 ],
 "tags": [
@@ -48840,9 +49033,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "Internal Research",
 "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt",
 "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt",
- "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml"
 ],
 "tags": [
@@ -49031,9 +49224,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery",
- "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
 "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
+ "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml"
 ],
 "tags": [
@@ -49100,8 +49293,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/harr0ey/status/989617817849876488",
 "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
+ "https://twitter.com/harr0ey/status/989617817849876488",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml"
 ],
 "tags": [
@@ -49134,9 +49327,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml"
 ],
 "tags": [
@@ -49295,9 +49488,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/fr0s7_/status/1712780207105404948",
 "https://h.43z.one/ipconverter/",
 "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+ "https://twitter.com/fr0s7_/status/1712780207105404948",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml"
 ],
 "tags": [
@@ -49322,8 +49515,8 @@
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
- "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
+ "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml"
 ],
 "tags": [
@@ -49431,8 +49624,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml"
 ],
 "tags": [
@@ -49544,8 +49737,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs",
 "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
+ "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml"
 ],
 "tags": [
@@ -49578,9 +49771,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
- "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
+ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
+ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"
 ],
 "tags": [
@@ -49655,8 +49848,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8",
 "https://blackpointcyber.com/resources/blog/breaking-through-the-screen/",
+ "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml"
 ],
 "tags": [
@@ -49689,9 +49882,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
 "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
 ],
 "tags": [
@@ -49724,8 +49917,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
 "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml"
 ],
 "tags": [
@@ -49791,9 +49984,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
 "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password",
 "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
+ "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml"
 ],
 "tags": [
@@ -49936,9 +50129,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/electron/rcedit",
 "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
 "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe",
- "https://github.com/electron/rcedit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml"
 ],
 "tags": [
@@ -50029,13 +50222,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
 "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.joeware.net/freetools/tools/adfind/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"
 ],
 "tags": [
@@ -50129,8 +50322,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://twitter.com/0gtweet/status/1564968845726580736",
 "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
+ "https://twitter.com/0gtweet/status/1564968845726580736",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
 ],
 "tags": [
@@ -50234,6 +50427,44 @@
 "uuid": "32e280f1-8ad4-46ef-9e80-910657611fbc",
 "value": "Potential Homoglyph Attack Using Lookalike Characters"
 },
+ {
+ "description": "Detects the deletion of backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.\n",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2021/12/13",
+ "falsepositive": [
+ "Legitimate backup activity from administration scripts and software."
+ ],
+ "filename": "proc_creation_win_wbadmin_delete_backups.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
+ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "value": "Windows Backup Deleted Via Wbadmin.EXE" + }, { "description": "Detects suspicious encoded character syntax often used for defense evasion", "meta": { @@ -50289,8 +50520,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", + "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml" ], "tags": [ @@ -50324,8 +50555,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/jpillora/chisel/", - "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", + "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml" ], "tags": [ @@ -50391,8 +50622,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", "https://twitter.com/_felamos/status/1204705548668555264", + "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml" ], 
@@ -50426,9 +50657,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml"
 ],
 "tags": [
@@ -50485,10 +50716,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
 "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
- "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
 "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
+ "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
+ "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"
 ],
 "tags": [
@@ -50555,8 +50786,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
- "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"
 ],
 "tags": [
@@ -50589,8 +50820,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1535431474429808642",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
+ "https://twitter.com/nas_bench/status/1535431474429808642",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml"
 ],
 "tags": [
@@ -50673,8 +50904,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
+ "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
 ],
 "tags": [
@@ -50743,8 +50974,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
 "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"
 ],
 "tags": [
@@ -50912,9 +51143,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
 "http://www.xuetr.com/",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml"
 ],
 "tags": [
@@ -51013,8 +51244,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
 "https://www.autohotkey.com/download/",
+ "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml"
 ],
 "tags": [
@@ -51071,8 +51302,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
- "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
 "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
+ "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml"
 ],
 "tags": [
@@ -51146,8 +51377,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/wmic-for-incident-response/",
 "https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process",
+ "https://www.sans.org/blog/wmic-for-incident-response/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml"
 ],
 "tags": [
@@ -51181,9 +51412,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
 "https://github.com/outflanknl/NetshHelperBeacon",
 "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml"
 ],
 "tags": [
@@ -51386,8 +51617,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/HiwinCN/HTran",
 "https://github.com/cw1997/NATBypass",
+ "https://github.com/HiwinCN/HTran",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml"
 ],
 "tags": [
@@ -51497,9 +51728,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
 "https://twitter.com/vysecurity/status/873181705024266241",
 "https://twitter.com/vysecurity/status/974806438316072960",
- "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
 ],
@@ -51533,8 +51764,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"
 ],
 "tags": [
@@ -51668,8 +51899,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"
 ],
 "tags": [
@@ -51702,8 +51933,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
 "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
+ "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
 ],
 "tags": [
@@ -51802,10 +52033,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
 "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
- "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
 ],
 "tags": [
@@ -51839,8 +52070,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
- "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml"
 ],
 "tags": [
@@ -52135,8 +52366,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
 "https://unit42.paloaltonetworks.com/chromeloader-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml"
 ],
@@ -52314,9 +52545,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
 "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
 "https://twitter.com/bohops/status/1477717351017680899?s=12",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
 ],
 "tags": [
@@ -52339,9 +52570,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
 "https://github.com/frgnca/AudioDeviceCmdlets",
- "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
 ],
 "tags": [
@@ -52374,9 +52605,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
- "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
 "https://github.com/tevora-threat/SharpView/",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"
 ],
 "tags": [
@@ -52517,8 +52748,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nsudo.m2team.org/en-us/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://nsudo.m2team.org/en-us/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml"
 ],
 "tags": [
@@ -52552,8 +52783,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml"
 ],
 "tags": [
@@ -52620,9 +52851,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://code.visualstudio.com/docs/remote/tunnels",
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
 "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://code.visualstudio.com/docs/remote/tunnels",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml"
 ],
 "tags": [
@@ -52656,8 +52887,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
 "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
+ "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml"
 ],
 "tags": [
@@ -52767,8 +52998,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml"
 ],
 "tags": [
@@ -52879,9 +53110,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
- "https://twitter.com/_st0pp3r_/status/1583914244344799235",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://twitter.com/_st0pp3r_/status/1583914244344799235",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
 ],
 "tags": [
@@ -52948,8 +53179,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
 "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml"
 ],
 "tags": [
@@ -52982,10 +53213,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode",
 "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html",
- "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
 "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior",
+ "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml"
 ],
 "tags": [
@@ -53018,9 +53249,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
 "https://twitter.com/countuponsec/status/910969424215232518",
 "https://twitter.com/countuponsec/status/910977826853068800",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
 ],
 "tags": [
@@ -53053,10 +53284,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/splinter_code/status/1483815103279603714",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml"
 ],
 "tags": [
@@ -53125,8 +53356,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/",
 "https://pentestlab.blog/tag/svchost/",
+ "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml"
 ],
 "tags": [
@@ -53231,8 +53462,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
 "https://twitter.com/0gtweet/status/1206692239839289344",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml"
 ],
 "tags": [
@@ -53442,8 +53673,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://nsudo.m2team.org/en-us/",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml"
 ],
 "tags": [
@@ -53501,13 +53732,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
 "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
 "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml"
 ],
 "tags": [
@@ -53542,11 +53773,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/gN3mes1s/status/1206874118282448897",
 "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe",
 "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
 "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
 "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
+ "https://twitter.com/gN3mes1s/status/1206874118282448897",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml"
 ],
 "tags": [
@@ -53648,8 +53879,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://www.poweradmin.com/paexec/",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml"
 ],
 "tags": [
@@ -53725,8 +53956,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml"
 ],
 "tags": [
@@ -53850,9 +54081,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
 "https://github.com/LOLBAS-Project/LOLBAS/pull/151",
 "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
- "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml"
 ],
 "tags": [
@@ -53928,8 +54159,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/cmd.html",
 "https://twitter.com/cyb3rops/status/1562072617552678912",
+ "https://ss64.com/nt/cmd.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml"
 ],
 "tags": [
@@ -54030,8 +54261,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
 "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml"
 ],
 "tags": [
@@ -54097,8 +54328,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
 "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
 "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"
 ],
@@ -54429,9 +54660,9 @@
 "logsource.category": "wmi_event",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected",
- "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml"
 ],
 "tags": [
@@ -54464,9 +54695,9 @@
 "logsource.category": "wmi_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
 "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
- "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
 ],
 "tags": [
@@ -54499,8 +54730,8 @@
 "logsource.category": "process_tampering",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
 "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
+ "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml"
 ],
 "tags": [
@@ -54577,8 +54808,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://megatools.megous.com/",
 "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://megatools.megous.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml"
 ],
 "tags": [
@@ -54755,10 +54986,10 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
 "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
 "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
- "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml"
 ],
 "tags": [
@@ -54833,9 +55064,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
 "https://cydefops.com/devtunnels-unleashed",
 "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
- "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml"
 ],
 "tags": [
@@ -54901,11 +55132,11 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
 "https://github.com/looCiprian/GC2-sheet",
+ "https://youtu.be/n2dFlSaBBKo",
 "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
 "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
- "https://youtu.be/n2dFlSaBBKo",
- "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml"
 ],
 "tags": [
@@ -55074,8 +55305,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
 "https://pypi.org/project/scapy/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml"
 ],
 "tags": [
@@ -55285,11 +55516,11 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/M_haggis/status/900741347035889665",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
 "https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://twitter.com/M_haggis/status/900741347035889665",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml"
 ],
 "tags": [
@@ -55391,9 +55622,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/",
 "https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/",
 "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
- "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml"
 ],
 "tags": [
@@ -55426,8 +55657,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec_http.yml"
 ],
 "tags": [
@@ -55493,10 +55724,10 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d",
- "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html",
 "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
 "hhttps://tria.ge/240301-rk34sagf5x/behavioral2",
+ "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d",
+ "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml"
 ],
 "tags": [
@@ -55562,9 +55793,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://cydefops.com/vscode-data-exfiltration",
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
 "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://cydefops.com/vscode-data-exfiltration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml"
 ],
 "tags": [
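Review bot: The dialer.exe hunk (`@@ -55493,10 +55724,10 @@`) reorders refs around a context line that carries a malformed URL, `"hhttps://tria.ge/240301-rk34sagf5x/behavioral2"`, which this sync leaves in place. Since this file is generated from the upstream Sigma rule `net_connection_win_dialer_initiated_connection.yml`, the scheme typo is presumably inherited from that rule's `references` and should be fixed there so the next regeneration picks it up, rather than patched locally and overwritten. A generator-side check that every `refs` entry starting with `http` parses as a URL would catch this class of error at sync time.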
@@ -55620,9 +55851,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.poolwatch.io/coin/monero",
- "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files",
 "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt",
+ "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files",
+ "https://www.poolwatch.io/coin/monero",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_crypto_mining_pools.yml"
 ],
 "tags": [
@@ -55655,10 +55886,10 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://ngrok.com/blog-post/new-ngrok-domains",
+ "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf",
 "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
 "https://ngrok.com/",
- "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf",
- "https://ngrok.com/blog-post/new-ngrok-domains",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml"
 ],
 "tags": [
@@ -55692,11 +55923,11 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
- "https://github.com/kleiton0x00/RedditC2",
 "https://content.fireeye.com/apt-41/rpt-apt41",
- "https://twitter.com/kleiton0x7e/status/1600567316810551296",
+ "https://github.com/kleiton0x00/RedditC2",
 "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
+ "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
+ "https://twitter.com/kleiton0x7e/status/1600567316810551296",
 "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dead_drop_resolvers.yml"
 ],
@@ -55814,8 +56045,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
+ "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml"
 ],
 "tags": [
@@ -55959,8 +56190,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/forensicitguy/status/1513538712986079238",
 "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
+ "https://twitter.com/forensicitguy/status/1513538712986079238",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
 ],
 "tags": [
@@ -56095,8 +56326,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/mttaggart/OffensiveNotion",
 "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332",
+ "https://github.com/mttaggart/OffensiveNotion",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml"
 ],
 "tags": [
@@ -56386,10 +56617,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml"
 ],
 "tags": [
@@ -56491,10 +56722,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml"
 ],
 "tags": [
@@ -56528,8 +56759,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
+ "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
 ],
@@ -56749,6 +56980,41 @@
 "uuid": "cde0a575-7d3d-4a49-9817-b8004a7bf105",
 "value": "Uncommon New Firewall Rule Added In Windows Firewall Exception List"
 },
+ {
+ "description": "Detects the addition of a new \"Allow\" firewall rule by the WMI process (WmiPrvSE.EXE).\nThis can occur if an attacker leverages PowerShell cmdlets such as \"New-NetFirewallRule\", or directly uses WMI CIM classes such as \"MSFT_NetFirewallRule\".\n",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2024/05/10",
+ "falsepositive": [
+ "Administrator scripts or activity."
+ ],
+ "filename": "win_firewall_as_add_rule_wmiprvse.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/",
+ "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "eca81e8d-09e1-4d04-8614-c91f44fd0519",
+ "value": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE"
+ },
 {
 "description": "Detects activity when the settings of the Windows firewall have been changed",
 "meta": {
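Review bot: The new cluster's third ref, `"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule"`, is an unpinned `master` link, while every other atomic-red-team reference in this chunk is pinned to a commit such as `f339e7da…`; the anchor `atomic-test-24` will silently point at a different test, or nothing, once that file is edited upstream. This is inherited from the upstream rule's `references`, so the pin belongs in `win_firewall_as_add_rule_wmiprvse.yml` rather than here. The single `related` entry, `dest-uuid` `5372c5fe-f424-4def-bcd5-d3a8e770f07b`, is presumably the ATT&CK pattern for `attack.t1562.004`; it is worth confirming it resolves in the mitre-attack-pattern galaxy, since a dangling dest-uuid renders as a broken relationship in MISP. The `creation_date` uses the `YYYY/MM/DD` form the rest of the file already uses, so it is consistent.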
@@ -56793,8 +57059,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
+ "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml"
 ],
 "tags": [
@@ -57347,9 +57613,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
+ "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml"
 ],
 "tags": [
@@ -57417,8 +57683,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
 "https://adsecurity.org/?p=3458",
+ "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml"
 ],
 "tags": [
@@ -57579,8 +57845,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/SBousseaden/status/1490608838701166596",
- "https://www.x86matthew.com/view_post?id=create_svc_rpc",
 "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
+ "https://www.x86matthew.com/view_post?id=create_svc_rpc",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
 ],
 "tags": [
@@ -57826,10 +58092,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
 ],
 "tags": [
@@ -57853,9 +58119,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
- "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
 "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
 "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
+ "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
 ],
 "tags": [
@@ -58063,9 +58329,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
 ],
 "tags": [
@@ -58199,9 +58465,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
 "https://github.com/topotam/PetitPotam",
 "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
+ "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
 ],
 "tags": [
@@ -58301,16 +58567,16 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
 "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
 "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -58393,8 +58659,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.secureworks.com/blog/ransomware-as-a-distraction",
 "https://twitter.com/menasec1/status/1106899890377052160",
+ "https://www.secureworks.com/blog/ransomware-as-a-distraction",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
 ],
 "tags": [
@@ -58469,8 +58735,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
 "https://adsecurity.org/?p=3466",
+ "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
 "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
 ],
@@ -58612,9 +58878,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://www.sans.org/webcasts/119395",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -58665,9 +58931,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
+ "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
 ],
 "tags": [
@@ -58701,8 +58967,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
 "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
 "https://twitter.com/MsftSecIntel/status/1257324139515269121",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
 ],
@@ -58878,9 +59144,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
 ],
 "tags": [
@@ -58939,9 +59205,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
 "https://twitter.com/SBousseaden/status/1581300963650187264?",
 "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
- "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
 ],
 "tags": [
@@ -58974,8 +59240,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
 "https://o365blog.com/post/hybridhealthagent/",
+ "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml"
 ],
 "tags": [
@@ -59042,8 +59308,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml"
 ],
 "tags": [
@@ -59076,9 +59342,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Live environment caused by malware",
- "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
+ "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
+ "Live environment caused by malware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
 ],
 "tags": [
@@ -59144,10 +59410,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation",
 "https://x.com/_st0pp3r_/status/1742203752361128162?s=20",
 "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp",
 "https://github.com/deepinstinct/NoFilter",
+ "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml"
 ],
 "tags": [
@@ -59305,8 +59571,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/deviouspolack/status/832535435960209408",
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml"
 ],
 "tags": [
@@ -59341,9 +59607,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/Flangvik/status/1283054508084473861",
- "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
- "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
 "https://twitter.com/SecurityJosh/status/1283027365770276866",
+ "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
+ "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
 ],
 "tags": [
@@ -59451,9 +59717,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
+ "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml"
 ],
 "tags": [
@@ -59521,8 +59787,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
+ "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml"
 ],
 "tags": [
@@ -59877,8 +60143,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
- "https://github.com/fox-it/LDAPFragger",
 "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
+ "https://github.com/fox-it/LDAPFragger",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
 ],
 "tags": [
@@ -59911,8 +60177,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
 "https://o365blog.com/post/hybridhealthagent/",
+ "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml"
 ],
 "tags": [
@@ -60252,10 +60518,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
 "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
 ],
 "tags": [
@@ -60624,8 +60890,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
 "https://twitter.com/menasec1/status/1111556090137903104",
+ "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"
 ],
 "tags": [
@@ -60658,8 +60924,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml"
 ],
 "tags": [
@@ -60836,8 +61102,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1511760068743766026",
 "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
+ "https://twitter.com/malmoeb/status/1511760068743766026",
 "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
 ],
@@ -60874,8 +61140,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
 "https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml"
 ],
 "tags": [
@@ -60975,11 +61241,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
 "https://github.com/sensepost/ruler",
 "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
- "https://github.com/sensepost/ruler/issues/47",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
+ "https://github.com/sensepost/ruler/issues/47",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
 ],
 "tags": [
@@ -61024,59 +61290,6 @@
 "uuid": "24549159-ac1b-479c-8175-d42aea947cae",
 "value": "Hacktool Ruler"
 },
- {
- "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)",
- "creation_date": "2017/03/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_mal_service_installs.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
- "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
- "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1003",
- "car.2013-09-005",
- "attack.t1543.003",
- "attack.t1569.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "cb062102-587e-4414-8efa-dbe3c7bf19c6",
- "value": "Malicious Service Installations"
- },
 {
 "description": "Detects NetNTLM downgrade attack",
 "meta": {
@@ -61241,8 +61454,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732",
 "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml"
 ],
 "tags": [
@@ -61352,8 +61565,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
 "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit",
+ "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml"
 ],
 "tags": [
@@ -61522,8 +61735,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
 "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
+ "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml"
 ],
 "tags": [
@@ -61871,11 +62084,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
 ],
 "tags": [
@@ -61908,8 +62121,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
 "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
+ "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml"
 ],
 "tags": [
@@ -61959,8 +62172,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
 "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
+ "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml"
 ],
 "tags": [
@@ -62019,10 +62232,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -62056,10 +62269,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -62092,9 +62305,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983",
 "https://github.com/amjcyber/EDRNoiseMaker",
 "https://github.com/netero1010/EDRSilencer",
- "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml"
 ],
 "tags": [
@@ -62127,9 +62340,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml"
 ],
 "tags": [
@@ -62152,9 +62365,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml"
 ],
 "tags": [
@@ -62177,9 +62390,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml"
 ],
 "tags": [
@@ -62202,9 +62415,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml"
 ],
 "tags": [
@@ -62227,9 +62440,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml"
 ],
 "tags": [
@@ -62252,9 +62465,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml"
 ],
 "tags": [
@@ -62277,9 +62490,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml"
 ],
 "tags": [
@@ -62312,9 +62525,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml"
 ],
 "tags": [
@@ -62337,10 +62550,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
- "https://twitter.com/SBousseaden/status/1483810148602814466",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "https://twitter.com/SBousseaden/status/1483810148602814466",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
 ],
 "tags": [
@@ -62364,8 +62577,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
- "https://twitter.com/wdormann/status/1590434950335320065",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "https://twitter.com/wdormann/status/1590434950335320065",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml"
 ],
 "tags": [
@@ -62466,8 +62679,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/1004895028995477505",
 "https://goo.gl/PsqrhT",
+ "https://twitter.com/JohnLaTwC/status/1004895028995477505",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
 ],
 "tags": [
@@ -63030,8 +63243,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
 "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
 ],
 "tags": [
@@ -63065,9 +63278,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
 "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml"
 ],
 "tags": [
@@ -63210,9 +63423,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012",
+ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml"
 ],
 "tags": [
@@ -63302,9 +63515,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010",
+ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml"
 ],
 "tags": [
@@ -63403,9 +63616,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101",
+ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml"
 ],
 "tags": [
@@ -63439,8 +63652,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
- "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
 "Internal Research",
+ "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml"
 ],
 "tags": [
@@ -63473,8 +63686,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml"
 ],
 "tags": [
@@ -63507,8 +63720,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml"
 ],
 "tags": [
@@ -63652,9 +63865,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml"
 ],
 "tags": [
@@ -63787,11 +64000,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/VM_vivisector/status/1217190929330655232",
- "https://twitter.com/DidierStevens/status/1217533958096924676",
 "https://twitter.com/FlemmingRiis/status/1217147415482060800",
- "https://nullsec.us/windows-event-log-audit-cve/",
+ "https://twitter.com/DidierStevens/status/1217533958096924676",
+ "https://twitter.com/VM_vivisector/status/1217190929330655232",
 "https://www.youtube.com/watch?v=ebmW42YYveI",
+ "https://nullsec.us/windows-event-log-audit-cve/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml"
 ],
 "tags": [
@@ -63894,8 +64107,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml"
 ],
 "tags": [
@@ -63941,9 +64154,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
 "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml"
 ],
 "tags": [
@@ -64131,8 +64344,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml",
 "https://learn.microsoft.com/en-us/windows/win32/msi/event-logging",
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml"
 ],
 "tags": [
@@ -64288,11 +64501,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
 "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
- "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
 "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
 "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
 ],
 "tags": [
@@ -64408,8 +64621,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)",
 "https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml"
 ],
 "tags": [
@@ -64564,8 +64777,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.secura.com/blog/zero-logon",
 "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
+ "https://www.secura.com/blog/zero-logon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
 ],
 "tags": [
@@ -64807,9 +65020,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60",
 "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/",
 "https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296",
- "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml"
 ],
 "tags": [
@@ -65138,8 +65351,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml"
 ],
 "tags": [
@@ -65312,9 +65525,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://www.sans.org/webcasts/119395",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -66099,8 +66312,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
 "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
+ "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml"
 ],
 "tags": [
@@ -66261,9 +66474,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/jonasLyk/status/1347900440000811010",
 "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
 "https://twitter.com/wdormann/status/1347958161609809921",
- "https://twitter.com/jonasLyk/status/1347900440000811010",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml"
 ],
 "tags": [
@@ -66329,8 +66542,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Ekultek/BlueKeep",
 "https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://github.com/Ekultek/BlueKeep",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml"
 ],
 "tags": [
@@ -66364,8 +66577,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml"
 ],
@@ -66399,8 +66612,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml"
 ],
@@ -66653,9 +66866,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
- "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://twitter.com/gentilkiwi/status/861641945944391680",
+ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
+ "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml"
 ],
 "tags": [
@@ -66721,8 +66934,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "Internal Research",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml"
 ],
 "tags": [
@@ -66771,10 +66984,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
+ "https://winaero.com/enable-openssh-server-windows-10/",
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
 "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
 "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://winaero.com/enable-openssh-server-windows-10/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
 ],
 "tags": [
@@ -66866,8 +67079,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -67079,9 +67292,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
 ],
 "tags": [
@@ -67128,10 +67341,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "Internal Research",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
 ],
 "tags": [
@@ -67154,10 +67367,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "Internal Research",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
 ],
 "tags": [
@@ -67180,10 +67393,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "Internal Research",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
 ],
 "tags": [
@@ -67206,10 +67419,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "Internal Research",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
 ],
 "tags": [
@@ -67503,11 +67716,11 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
- "https://hijacklibs.net/",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
- "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/",
 "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
+ "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/",
+ "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://hijacklibs.net/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
 ],
 "tags": [
@@ -67759,8 +67972,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://twitter.com/mattifestation/status/1196390321783025666",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml"
 ],
@@ -67892,8 +68105,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
- "https://twitter.com/dez_/status/986614411711442944",
 "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html",
+ "https://twitter.com/dez_/status/986614411711442944",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
 ],
 "tags": [
@@ -68001,12 +68214,12 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://decoded.avast.io/martinchlumecky/png-steganography/",
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://github.com/Wh04m1001/SysmonEoP",
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
 "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
+ "https://github.com/Wh04m1001/SysmonEoP",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
 ],
 "tags": [
@@ -68050,10 +68263,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.swascan.com/cactus-ransomware-malware-analysis/",
- "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
 "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
 "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
+ "https://www.swascan.com/cactus-ransomware-malware-analysis/",
+ "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml"
 ],
 "tags": [
@@ -68161,10 +68374,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://thewover.github.io/Introducing-Donut/",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://github.com/tyranid/DotNetToJScript",
 "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://thewover.github.io/Introducing-Donut/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
 ],
 "tags": [
@@ -68198,8 +68411,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/",
 "https://www.qurium.org/alerts/targeted-malware-against-crph/",
+ "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_smadhook.yml"
 ],
 "tags": [
@@ -68351,8 +68564,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
 "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
+ "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
 ],
 "tags": [
@@ -68395,11 +68608,11 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html",
- "https://twitter.com/DTCERT/status/1712785426895839339",
 "https://twitter.com/Max_Mal_/status/1775222576639291859",
+ "https://twitter.com/DTCERT/status/1712785426895839339",
 "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/",
 "https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/",
+ "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_keyscrambler.yml"
 ],
 "tags": [
@@ -68443,8 +68656,8 @@
 "refs": [
 "https://twitter.com/chadtilbury/status/1275851297770610688",
 "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
- "https://github.com/bohops/WSMan-WinRM",
 "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://github.com/bohops/WSMan-WinRM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
 ],
 "tags": [
@@ -68971,9 +69184,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/HunterPlaybook/status/1301207718355759107",
- "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
 "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
+ "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
+ "https://twitter.com/HunterPlaybook/status/1301207718355759107",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml"
 ],
 "tags": [
@@ -69008,8 +69221,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/",
 "https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/",
+ "https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml"
 ],
 "tags": [
@@ -69117,8 +69330,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/wdormann/status/1547583317410607110",
 "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
+ "https://twitter.com/wdormann/status/1547583317410607110",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml"
 ],
 "tags": [
@@ -69153,8 +69366,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/p3nt4/PowerShdll",
 "https://adsecurity.org/?p=2921",
+ "https://github.com/p3nt4/PowerShdll",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml"
 ],
 "tags": [
@@ -69187,8 +69400,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/ly4k/SpoolFool",
+ "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml"
 ],
 "tags": [
@@ -69269,8 +69482,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true",
- "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
 "https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql",
+ "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml"
 ],
 "tags": [
@@ -69397,9 +69610,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/StopMalvertisin/status/1648604148848549888",
 "https://www.roboform.com/",
 "https://twitter.com/t3ft3lb/status/1656194831830401024",
- "https://twitter.com/StopMalvertisin/status/1648604148848549888",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml"
 ],
 "tags": [
@@ -69483,9 +69696,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
 "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html",
 "https://github.com/S12cybersecurity/RDPCredentialStealer",
+ "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml"
 ],
@@ -69586,9 +69799,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
 "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
 "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
+ "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml"
 ],
 "tags": [
@@ -69960,8 +70173,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.py2exe.org/",
 "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/",
+ "https://www.py2exe.org/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml"
 ],
 "tags": [
@@ -69994,10 +70207,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.swascan.com/cactus-ransomware-malware-analysis/",
- "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
 "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
 "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
+ "https://www.swascan.com/cactus-ransomware-malware-analysis/",
+ "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml"
 ],
 "tags": [
@@ -70480,8 +70693,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
 "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
+ "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml"
 ],
 "tags": [
@@ -70743,8 +70956,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://nmap.org/ncat/",
 "https://github.com/besimorhino/powercat",
+ "https://nmap.org/ncat/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
 ],
@@ -71131,8 +71344,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml"
 ],
 "tags": [
@@ -71198,8 +71411,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml"
 ],
 "tags": [
@@ -71501,8 +71714,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
- "https://adsecurity.org/?p=2604",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
+ "https://adsecurity.org/?p=2604",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
 ],
 "tags": [
@@ -71535,11 +71748,11 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
- "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
- "http://woshub.com/manage-windows-firewall-powershell/",
 "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
+ "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
 "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
+ "http://woshub.com/manage-windows-firewall-powershell/",
+ "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
 ],
 "tags": [
@@ -71707,8 +71920,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
+ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://github.com/samratashok/ADModule",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml"
 ],
@@ -71910,9 +72123,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
 "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
- "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml"
 ],
 "tags": [
@@ -71968,8 +72181,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
+ "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
 ],
 "tags": [
@@ -72035,8 +72248,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0",
 "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml"
 ],
 "tags": [
@@ -72167,24 +72380,24 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/HarmJ0y/DAMP",
 "https://github.com/besimorhino/powercat",
- "https://adsecurity.org/?p=2921",
- "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/Kevin-Robertson/Powermad",
 "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/adrecon/ADRecon",
 "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
 "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
 "https://github.com/samratashok/nishang",
- "https://github.com/HarmJ0y/DAMP",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/adrecon/ADRecon",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
 ],
 "tags": [
@@ -72274,8 +72487,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy",
+ "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml"
 ],
 "tags": [
@@ -72740,8 +72953,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml"
 ],
 "tags": [
@@ -72841,8 +73054,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
 "https://github.com/GhostPack/Rubeus",
+ "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
 "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml"
 ],
@@ -73171,8 +73384,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml"
 ],
 "tags": [
@@ -73205,8 +73418,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/",
 "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml"
 ],
 "tags": [
@@ -73229,8 +73442,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
 "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml"
 ],
 "tags": [
@@ -73363,8 +73576,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
 "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
+ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml"
 ],
 "tags": [
@@ -73619,8 +73832,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml"
 ],
 "tags": [
@@ -73653,8 +73866,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
@@ -73754,8 +73967,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
 ],
 "tags": [
@@ -73891,6 +74104,42 @@
 "uuid": "f62176f3-8128-4faa-bf6c-83261322e5eb",
 "value": "Malicious PowerShell Keywords"
 },
+ {
+ "description": "Detects the execution of powershell scripts with calls to the \"Start-NetEventSession\" cmdlet. Which allows an attacker to start event and packet capture for a network event session.\nAdversaries may attempt to capture network to gather information over the course of an operation.\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2024/05/12",
+ "falsepositive": [
+ "Legitimate network diagnostic scripts."
+ ],
+ "filename": "posh_ps_packet_capture.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md",
+ "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.discovery",
+ "attack.t1040"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "da34e323-1e65-42db-83be-a6725ac2caa3",
+ "value": "Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock"
+ },
 {
 "description": "Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.",
 "meta": {
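Review bot: The new entry's `description` ends with a literal `\n`, whereas the neighbouring entry visible in the trailing context has no trailing newline in its description, so the exporter appears to be carrying over the trailing newline of the upstream YAML block scalar; trimming trailing whitespace on `description` during conversion would keep the field consistent across entries. The wording `capture network to gather information` is presumably an upstream slip for `capture network traffic` and belongs in the Sigma rule rather than in this generated file. The `related` block links only one ATT&CK object while the tags also carry `attack.credential_access` and `attack.discovery`; whether the `dest-uuid` is the technique object for T1040 cannot be checked from the diff, so it is worth a quick look before merging.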
@@ -73973,8 +74222,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/harleyQu1nn/AggressorScripts",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml"
 ],
 "tags": [
@@ -74163,10 +74412,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
 "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
+ "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
 "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
 ],
 "tags": [
@@ -74311,8 +74560,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", + "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ @@ -74430,10 +74679,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://adsecurity.org/?p=2277", + "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://thedfirreport.com/2020/10/08/ryuks-return", "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", - "https://powersploit.readthedocs.io/en/stable/Recon/README", - "https://adsecurity.org/?p=2277", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ @@ -74499,9 +74748,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], "tags": [ 
@@ -74567,8 +74816,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" ], "tags": [ @@ -74635,8 +74884,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", - "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" ], "tags": [ @@ -74677,8 +74926,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.offensive-security.com/metasploit-unleashed/timestomp/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", + "https://www.offensive-security.com/metasploit-unleashed/timestomp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" ], "tags": [ 
@@ -74778,11 +75027,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", - "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", + "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml" ], "tags": [ @@ -74899,9 +75148,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://www.shellhacks.com/clear-history-powershell/", "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", - "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], "tags": [ 
@@ -74976,9 +75225,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -75169,8 +75418,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/NathanMcNulty/status/1569497348841287681", "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", + "https://twitter.com/NathanMcNulty/status/1569497348841287681", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" ], "tags": [ 
@@ -75481,8 +75730,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ @@ -75515,8 +75764,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://twitter.com/oroneequalsone/status/1568432028361830402", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], 
@@ -75620,8 +75869,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" ], "tags": [ @@ -75677,8 +75926,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml" ], "tags": [ @@ -75811,8 +76060,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml" ], "tags": [ 
@@ -75845,8 +76094,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -75879,8 +76128,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://techgenix.com/malicious-powershell-scripts-evade-detection/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" ], "tags": [ @@ -75955,8 +76204,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" ], "tags": [ 
@@ -76391,8 +76640,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" ], "tags": [ @@ -76425,9 +76674,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], "tags": [ 
@@ -76494,9 +76743,9 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", + "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://twitter.com/ScumBots/status/1610626724257046529", "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", - "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -76999,8 +77248,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], 
@@ -77319,23 +77568,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "https://github.com/HarmJ0y/DAMP", "https://github.com/besimorhino/powercat", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/NetSPI/PowerUpSQL", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/PowerShellMafia/PowerSploit", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/samratashok/nishang", - "https://github.com/HarmJ0y/DAMP", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/nettitude/Invoke-PowerThIEf", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/NetSPI/PowerUpSQL", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -77368,8 +77617,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" ], "tags": [ @@ -77444,8 +77693,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml" ], "tags": [ 
@@ -77478,24 +77727,24 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "https://github.com/HarmJ0y/DAMP", "https://github.com/besimorhino/powercat", - "https://adsecurity.org/?p=2921", - "https://github.com/adrecon/AzureADRecon", + "https://github.com/Kevin-Robertson/Powermad", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/adrecon/ADRecon", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/samratashok/nishang", - "https://github.com/HarmJ0y/DAMP", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/calebstewart/CVE-2021-1675", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + 
"https://github.com/adrecon/ADRecon", + "https://adsecurity.org/?p=2921", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ @@ -77585,8 +77834,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" ], "tags": [ @@ -77844,9 +78093,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", - "https://www.mdeditor.tw/pl/pgRt", "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", + "https://www.mdeditor.tw/pl/pgRt", + "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], "tags": [ 
@@ -78072,8 +78321,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" ], "tags": [ @@ -78106,8 +78355,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://twitter.com/cyb3rops/status/1659175181695287297", + "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml" ], "tags": [ @@ -78131,8 +78380,8 @@ "logsource.product": "windows", "refs": [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml" ], "tags": [ 
@@ -78166,17 +78415,17 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", - "https://github.com/ohpe/juicy-potato", - "https://github.com/hfiref0x/UACME", - "https://github.com/antonioCoco/RoguePotato", - "https://github.com/wavestone-cdt/EDRSandblast", - "https://github.com/gentilkiwi/mimikatz", - "https://github.com/topotam/PetitPotam", "https://github.com/xuanxuan0/DripLoader", - "https://github.com/codewhitesec/HandleKatz", + "https://github.com/topotam/PetitPotam", + "https://github.com/hfiref0x/UACME", + "https://github.com/wavestone-cdt/EDRSandblast", "https://github.com/fortra/nanodump", + "https://github.com/outflanknl/Dumpert", + "https://github.com/gentilkiwi/mimikatz", + "https://github.com/antonioCoco/RoguePotato", "https://www.tarasco.org/security/pwdump_7/", + "https://github.com/codewhitesec/HandleKatz", + "https://github.com/ohpe/juicy-potato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml" ], "tags": [ @@ -78327,9 +78576,9 @@ "logsource.product": "windows", "refs": [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml" ], "tags": [ 
@@ -78363,8 +78612,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", "https://labs.withsecure.com/publications/detecting-onenote-abuse", + "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" ], "tags": [ @@ -78617,8 +78866,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/D1rkMtr/UnhookingPatch", "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20", + "https://github.com/D1rkMtr/UnhookingPatch", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml" ], "tags": [ @@ -78721,8 +78970,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", + "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://twitter.com/SBousseaden/status/1541920424635912196", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml" ], 
@@ -78756,8 +79005,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml" ], "tags": [ @@ -78833,8 +79082,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/hlldz/Invoke-Phant0m", "https://twitter.com/timbmsft/status/900724491076214784", + "https://github.com/hlldz/Invoke-Phant0m", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml" ], "tags": [ @@ -78994,8 +79243,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/shantanukhande/status/1229348874298388484", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" ], "tags": [ 
@@ -79060,9 +79309,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/mrd0x/status/1460597833917251595", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml" ], "tags": [ @@ -79131,10 +79380,10 @@ "logsource.product": "windows", "refs": [ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml" ], "tags": [ 
@@ -79168,8 +79417,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/boku7/spawn", "https://github.com/boku7/injectAmsiBypass", + "https://github.com/boku7/spawn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ @@ -79416,8 +79665,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29", "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", + "https://github.com/OTRF/detection-hackathon-apt29", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml" ], "tags": [ @@ -79483,9 +79732,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://threatpost.com/microsoft-petitpotam-poc/168163/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], @@ -79526,9 +79775,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/Maka8ka/NGLite", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/nknorg/nkn-sdk-go", + "https://github.com/Maka8ka/NGLite", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], "tags": [ 
@@ -79655,8 +79904,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://twitter.com/neu5ron/status/1438987292971053057?s=20", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml" ], "tags": [ @@ -79773,12 +80022,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://github.com/corelight/CVE-2021-1675", "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", - "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", + "https://github.com/corelight/CVE-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ 
@@ -80094,9 +80343,9 @@
 "logsource.category": "No established category",
 "logsource.product": "cisco",
 "refs": [
- "https://blog.router-switch.com/2013/11/show-running-config/",
- "https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm",
 "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html",
+ "https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm",
+ "https://blog.router-switch.com/2013/11/show-running-config/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml"
 ],
 "tags": [
@@ -80806,8 +81055,8 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -80840,8 +81089,8 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/stvemillertime/status/1024707932447854592",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
+ "https://twitter.com/stvemillertime/status/1024707932447854592",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
 ],
 "tags": [
@@ -80915,10 +81164,10 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://core.telegram.org/bots/faq",
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
+ "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
 ],
 "tags": [
@@ -81047,9 +81296,9 @@
 "logsource.category": "firewall",
 "logsource.product": "No established product",
 "refs": [
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
 ],
 "tags": [
@@ -81140,10 +81389,10 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
 "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
 "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
 "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/",
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
 "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml"
 ],
@@ -81165,6 +81414,50 @@
 "uuid": "f3f21ce1-cdef-4bfc-8328-ed2e826f5fac",
 "value": "HackTool - CobaltStrike Malleable Profile Patterns - Proxy"
 },
+ {
+ "description": "Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.\n",
+ "meta": {
+ "author": "Ahmed Farouk",
+ "creation_date": "2024/05/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proxy_webdav_external_execution.yml",
+ "level": "high",
+ "logsource.category": "proxy",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
+ "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
+ "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_external_execution.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1584",
+ "attack.t1566"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "1ae64f96-72b6-48b3-ad3d-e71dff6c6398",
+ "value": "Suspicious External WebDAV Execution"
+ },
 {
 "description": "Detects user agent and URI paths used by empire agents",
 "meta": {
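Review bot: The new entry's `description` string ends with an embedded `\n` (`...commonly seen in initial access campaigns.\n`), which no neighbouring entry in this hunk has (compare `"Detects user agent and URI paths used by empire agents"`), so it looks like a YAML block scalar that the generator did not strip; `"description": "Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.",` keeps the field consistent, and the strip belongs in the generator rather than a hand edit of this file. This entry also appears to be the successor of the `Search-ms and WebDAV Suspicious Indicators in URL` rule removed in `@@ -81437,48 +81730,6 @@` (same two related `dest-uuid`s, overlapping refs and identical tags) but under a fresh `uuid` (1ae64f96-… replacing 5039f3d2-…), so any event or correlation that stored the old cluster uuid will stop resolving. If the cluster format supports a deprecated/revoked marker, carrying the old entry forward with it is safer than a silent drop; whether the rename originated upstream is not visible from this diff.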
@@ -81298,8 +81591,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/jhencinski/status/1102695118455349248",
 "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
+ "https://twitter.com/jhencinski/status/1102695118455349248",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml"
 ],
 "tags": [
@@ -81376,14 +81669,14 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
 "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
+ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
 "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
- "https://perishablepress.com/blacklist/ua-2013.txt",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
 "https://twitter.com/crep1x/status/1635034100213112833",
- "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
- "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
+ "https://perishablepress.com/blacklist/ua-2013.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml"
 ],
 "tags": [
@@ -81437,48 +81730,6 @@
 "uuid": "fa935401-513b-467b-81f4-f9e77aa0dd78",
 "value": "Crypto Miner User Agent"
 },
- {
- "description": "Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.",
- "meta": {
- "author": "Micah Babinski",
- "creation_date": "2023/08/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proxy_webdav_search_ms.yml",
- "level": "high",
- "logsource.category": "proxy",
- "logsource.product": "No established product",
- "refs": [
- "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
- "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_search_ms.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1584",
- "attack.t1566"
- ]
- },
- "related": [
- {
- "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5039f3d2-406a-4c1a-9350-7a5a85dc84c2",
- "value": "Search-ms and WebDAV Suspicious Indicators in URL"
- },
 {
 "description": "Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.",
 "meta": {
@@ -81595,9 +81846,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
 "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
 "https://blog.talosintelligence.com/ipfs-abuse/",
- "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml"
 ],
 "tags": [
@@ -81681,8 +81932,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
- "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
 "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
+ "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml"
 ],
 "tags": [
@@ -81757,8 +82008,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.advanced-port-scanner.com/",
 "https://www.advanced-ip-scanner.com/",
+ "https://www.advanced-port-scanner.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml"
 ],
 "tags": [
@@ -81952,8 +82203,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
 "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml"
 ],
 "tags": [
@@ -82128,9 +82379,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
+ "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml"
 ],
 "tags": [
@@ -82172,8 +82423,8 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
 "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
+ "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/nginx/web_nginx_core_dump.yml"
 ],
 "tags": [
@@ -82281,8 +82532,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
 "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
+ "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml"
 ],
 "tags": [
@@ -82316,10 +82567,10 @@
 "logsource.product": "No established product",
 "refs": [
 "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
- "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
- "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
 "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
+ "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
+ "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml"
 ],
 "tags": [
@@ -82388,8 +82639,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/pimps/JNDI-Exploit-Kit",
 "https://githubmemory.com/repo/FunctFan/JNDIExploit",
+ "https://github.com/pimps/JNDI-Exploit-Kit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml"
 ],
 "tags": [
@@ -82424,8 +82675,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://portswigger.net/web-security/cross-site-scripting/contexts",
 "https://github.com/payloadbox/xss-payload-list",
+ "https://portswigger.net/web-security/cross-site-scripting/contexts",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_xss_in_access_logs.yml"
 ],
 "tags": [
@@ -82458,9 +82709,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
- "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
 "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
+ "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
+ "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml"
 ],
 "tags": [
@@ -82529,8 +82780,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
- "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
 "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
+ "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml"
 ],
 "tags": [
@@ -82564,8 +82815,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://bad-jubies.github.io/RCE-NOW-WHAT/",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml"
 ],
 "tags": [
@@ -82603,8 +82854,8 @@
 "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
 "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
 "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection",
- "https://github.com/payloadbox/sql-injection-payload-list",
 "https://brightsec.com/blog/sql-injection-payloads/",
+ "https://github.com/payloadbox/sql-injection-payload-list",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml"
 ],
 "tags": [
@@ -82707,8 +82958,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://github.com/lijiejie/IIS_shortname_Scanner",
- "https://www.exploit-db.com/exploits/19525",
 "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
+ "https://www.exploit-db.com/exploits/19525",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml"
 ],
 "tags": [
@@ -82774,8 +83025,8 @@
 "logsource.category": "application",
 "logsource.product": "jvm",
 "refs": [
- "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0",
 "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml"
 ],
 "tags": [
@@ -82841,9 +83092,9 @@
 "logsource.category": "application",
 "logsource.product": "jvm",
 "refs": [
+ "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
 "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://rules.sonarsource.com/java/RSPEC-2755",
- "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml"
 ],
 "tags": [
@@ -82944,8 +83195,8 @@
 "logsource.category": "application",
 "logsource.product": "spring",
 "refs": [
- "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection",
 "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml"
 ],
 "tags": [
@@ -83011,10 +83262,10 @@
 "logsource.category": "application",
 "logsource.product": "ruby_on_rails",
 "refs": [
- "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
- "http://guides.rubyonrails.org/action_controller_overview.html",
- "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
 "http://edgeguides.rubyonrails.org/security.html",
+ "http://guides.rubyonrails.org/action_controller_overview.html",
+ "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
+ "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
 ],
 "tags": [
@@ -83182,8 +83433,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_smb_file_open.yml"
 ],
 "tags": [
@@ -83225,8 +83476,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_vnc_connection_attempt.yml"
 ],
 "tags": [
@@ -83259,8 +83510,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_new_connection.yml"
 ],
 "tags": [
@@ -83311,8 +83562,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_tftp_request.yml"
 ],
 "tags": [
@@ -83345,8 +83596,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ftp_login_attempt.yml"
 ],
 "tags": [
@@ -83388,8 +83639,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml"
 ],
 "tags": [
@@ -83423,8 +83674,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_post_login_attempt.yml"
 ],
 "tags": [
@@ -83457,8 +83708,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_git_clone_request.yml"
 ],
 "tags": [
@@ -83491,8 +83742,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_snmp_cmd.yml"
 ],
 "tags": [
@@ -83534,8 +83785,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_sip_request.yml"
 ],
 "tags": [
@@ -83568,8 +83819,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_login_attempt.yml"
 ],
 "tags": [
@@ -83620,8 +83871,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mysql_login_attempt.yml"
 ],
 "tags": [
@@ -83663,8 +83914,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_redis_command.yml"
 ],
 "tags": [
@@ -83706,8 +83957,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml"
 ],
 "tags": [
@@ -83749,8 +84000,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_telnet_login_attempt.yml"
 ],
 "tags": [
@@ -83792,8 +84043,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_winauth.yml"
 ],
 "tags": [
@@ -83835,8 +84086,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_get.yml"
 ],
 "tags": [
@@ -83869,8 +84120,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ntp_monlist.yml"
 ],
 "tags": [
@@ -84136,10 +84387,10 @@
 "logsource.category": "application",
 "logsource.product": "kubernetes",
 "refs": [
- "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer",
 "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html",
 "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/",
 "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html",
+ "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml"
 ],
 "tags": [
@@ -84203,8 +84454,8 @@
 "logsource.category": "application",
 "logsource.product": "kubernetes",
 "refs": [
- "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch",
 "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/",
+ "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml"
 ],
 "tags": [
@@ -84260,10 +84511,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
 ],
 "tags": [
@@ -84286,10 +84537,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
 ],
 "tags": [
@@ -84312,9 +84563,9 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
 ],
 "tags": [
@@ -84355,10 +84606,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
 ],
 "tags": [
@@ -84399,10 +84650,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
 ],
 "tags": [
@@ -84443,10 +84694,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
 ],
 "tags": [
@@ -84479,12 +84730,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
 ],
 "tags": [
@@ -84507,10 +84758,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
 ],
 "tags": [
@@ -84551,10 +84802,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
 ],
 "tags": [
@@ -84587,10 +84838,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
 ],
 "tags": [
@@ -84623,10 +84874,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
 ],
 "tags": [
@@ -84649,10 +84900,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
 ],
 "tags": [
@@ -84685,10 +84936,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
 ],
 "tags": [
@@ -84711,10 +84962,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
 ],
 "tags": [
@@ -84737,10 +84988,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
 ],
 "tags": [
@@ -84763,10 +85014,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
 ],
 "tags": [
@@ -84901,9 +85152,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
- "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
 "https://ss64.com/osx/csrutil.html",
+ "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
+ "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
 "https://objective-see.org/blog/blog_0x6D.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml"
 ],
@@ -84970,8 +85221,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://redcanary.com/blog/applescript/",
 "https://ss64.com/osx/osacompile.html",
+ "https://redcanary.com/blog/applescript/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml"
 ],
 "tags": [
@@ -85078,9 +85329,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior",
 "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
 "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior",
+ "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior",
 "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml"
 ],
@@ -85114,9 +85365,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
+ "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
 ],
 "tags": [
@@ -85173,9 +85424,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
+ "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
 "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html",
 "https://github.com/MythicAgents/typhon/",
- "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml"
 ],
 "tags": [
@@ -85198,8 +85449,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://ss64.com/osx/dseditgroup.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos",
+ "https://ss64.com/osx/dseditgroup.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml"
 ],
 "tags": [
@@ -85220,6 +85471,60 @@
 "uuid": "5d0fdb62-f225-42fb-8402-3dfe64da468a",
 "value": "User Added To Admin Group Via DseditGroup"
 },
+ {
+ "description": "Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.",
+ "meta": {
+ "author": "Pratinav Chandra",
+ "creation_date": "2024/05/13",
+ "falsepositive": [
+ "Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious."
+ ],
+ "filename": "proc_creation_macos_launchctl_execution.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md",
+ "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html",
+ "https://www.loobins.io/binaries/launchctl/",
+ "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/",
+ "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1569.001",
+ "attack.t1543.001",
+ "attack.t1543.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid":
"ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e",
+ "value": "Launch Agent/Daemon Execution Via Launchctl"
+ },
 {
 "description": "Detects attempts to create and add an account to the admin group via \"sysadminctl\"",
 "meta": {
@@ -85268,8 +85573,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
+ "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml"
 ],
 "tags": [
@@ -85302,9 +85607,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior",
- "https://ss64.com/osx/sw_vers.html",
 "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior",
+ "https://ss64.com/osx/sw_vers.html",
+ "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml"
 ],
 "tags": [
@@ -85337,9 +85642,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
+ "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
 "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html",
 "https://github.com/MythicAgents/typhon/",
- "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml"
 ],
 "tags": [
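Review bot: The new launchctl cluster binds three `related` entries with `likelihood-probability="almost-certain"` to dest-uuids that nothing in the hunk ties back to the three technique tags (`attack.t1569.001`, `attack.t1543.001`, `attack.t1543.004`); before merging, confirm each dest-uuid resolves to the matching ATT&CK technique galaxy entry, since a wrong UUID silently mis-links the rule in every MISP instance that imports this galaxy. The `falsepositive` text ("Legitimate administration activities is expected…", "…launch agent are suspicious") carries grammar errors inherited from the upstream rule; if this file is regenerated from SigmaHQ, fix it upstream rather than here so the next regeneration does not revert it. Every other hunk in this chunk only permutes `refs` arrays (e.g. the rpc_firewall entries move `https://github.com/zeronetworks/rpcfirewall` up or down), which suggests the generator emits references in set/hash order; sorting `refs` deterministically in the generator would make future updates reviewable and keep the diff to real rule changes.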
@@ -85515,9 +85820,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
 "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
 "https://www.manpagez.com/man/8/firmwarepasswd/",
+ "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
 ],
 "tags": [
@@ -85674,8 +85979,8 @@
 "logsource.product": "macos",
 "refs": [
 "https://linux.die.net/man/1/truncate",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
 "https://linux.die.net/man/1/dd",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"
 ],
 "tags": [
@@ -85901,8 +86206,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://redcanary.com/blog/applescript/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md",
+ "https://redcanary.com/blog/applescript/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"
 ],
 "tags": [
@@ -85968,9 +86273,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
- "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
 "https://ss64.com/osx/csrutil.html",
+ "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
+ "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
 "https://objective-see.org/blog/blog_0x6D.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml"
 ],
@@ -86037,8 +86342,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
+ "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml"
 ],
 "tags": [
@@ -86174,8 +86479,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml",
 "https://redcanary.com/blog/clipping-silver-sparrows-wings/",
+ "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml"
 ],
 "tags": [
@@ -86342,8 +86647,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08",
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml"
 ],
 "tags": [
@@ -86483,8 +86788,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
 "https://ss64.com/osx/sysadminctl.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml"
 ],
 "tags": [
@@ -86584,12 +86889,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://objective-see.org/blog/blog_0x62.html",
- "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
- "https://ss64.com/mac/system_profiler.html",
 "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
- "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf",
+ "https://objective-see.org/blog/blog_0x62.html",
+ "https://ss64.com/mac/system_profiler.html",
 "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af",
+ "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf",
+ "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml"
 ],
 "tags": [
@@ -86872,8 +87177,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.manpagez.com/man/8/PlistBuddy/",
 "https://redcanary.com/blog/clipping-silver-sparrows-wings/",
+ "https://www.manpagez.com/man/8/PlistBuddy/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml"
 ],
 "tags": [
@@ -86960,8 +87265,8 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
 "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html",
+ "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_disabled.yml"
 ],
 "tags": [
@@ -87061,9 +87366,9 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
 "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
+ "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml"
 ],
 "tags": [
@@ -87201,8 +87506,8 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
 "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html",
+ "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_bypass_detected.yml"
 ],
 "tags": [
@@ -87345,8 +87650,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
 ],
 "tags": [
@@ -87403,8 +87708,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
 ],
 "tags": [
@@ -87437,9 +87742,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
+ "https://dataconomy.com/2023/10/23/okta-data-breach/",
 "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/",
 "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach",
- "https://dataconomy.com/2023/10/23/okta-data-breach/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml"
 ],
 "tags": [
@@ -87485,9 +87790,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
 "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
+ "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml"
 ],
 "tags": [
@@ -87520,8 +87825,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
 ],
 "tags": [
@@ -87544,8 +87849,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
 ],
 "tags": [
@@ -87568,8 +87873,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml"
 ],
 "tags": [
@@ -87603,8 +87908,8 @@
 "logsource.product": "okta",
 "refs": [
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
 ],
 "tags": [
@@ -87627,8 +87932,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -87651,8 +87956,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
 ],
 "tags": [
@@ -87675,8 +87980,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
 ],
 "tags": [
@@ -87709,8 +88014,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
 ],
 "tags": [
@@ -87767,9 +88072,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://sec.okta.com/fastpassphishingdetection",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml"
 ],
 "tags": [
@@ -87802,8 +88107,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml"
 ],
 "tags": [
@@ -87826,8 +88131,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
 ],
 "tags": [
@@ -87852,8 +88157,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -87876,8 +88181,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
 ],
 "tags": [
@@ -87946,8 +88251,8 @@
 "logsource.category": "No established category",
 "logsource.product": "cisco",
 "refs": [
- "https://duo.com/docs/adminapi#logs",
 "https://help.duo.com/s/article/6327?language=en_US",
+ "https://duo.com/docs/adminapi#logs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml"
 ],
 "tags": [
@@ -88071,8 +88376,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
 "https://github.com/elastic/detection-rules/pull/1213",
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml"
 ],
 "tags": [
@@ -88310,9 +88615,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
- "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
 "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
+ "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
+ "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml"
 ],
 "tags": [
@@ -88462,9 +88767,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
- "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
 "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
+ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml"
 ],
 "tags": [
@@ -88589,8 +88894,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
 "https://github.com/elastic/detection-rules/pull/1214",
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml"
 ],
 "tags": [
@@ -88640,9 +88945,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html",
- "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html",
 "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html",
+ "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html",
+ "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml"
 ],
 "tags": [
@@ -89042,12 +89347,12 @@
 "logsource.product": "aws",
 "refs": [
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
+ "https://github.com/elastic/detection-rules/pull/1145/files",
 "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
- "https://github.com/elastic/detection-rules/pull/1145/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml"
 ],
 "tags": [
@@ -89179,8 +89484,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/",
 "https://github.com/NetSPI/aws_consoler",
+ "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml"
 ],
 "tags": [
@@ -89394,9 +89699,9 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/access-context-manager/docs/audit-logging",
- "https://cloud.google.com/logging/docs/audit/understanding-audit-logs",
 "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog",
+ "https://cloud.google.com/logging/docs/audit/understanding-audit-logs",
+ "https://cloud.google.com/access-context-manager/docs/audit-logging",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml"
 ],
 "tags": [
@@ -89456,8 +89761,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml"
 ],
 "tags": [
@@ -89623,11 +89928,11 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
- "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "https://github.com/elastic/detection-rules/pull/1267",
+ "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml"
 ],
 "tags": [
@@ -89745,9 +90050,9 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml"
 ],
 "tags": [
@@ -89770,8 +90075,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml"
 ],
 "tags": [
@@ -89794,9 +90099,9 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml"
 ],
 "tags": [
@@ -89819,8 +90124,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://support.google.com/a/answer/9261439",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings",
+ "https://support.google.com/a/answer/9261439",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml"
 ],
 "tags": [
@@ -89854,8 +90159,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml"
 ],
 "tags": [
@@ -89888,8 +90193,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml"
 ],
 "tags": [
@@ -89922,8 +90227,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml"
 ],
 "tags": [
@@ -89988,8 +90293,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
+ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml"
 ],
 "tags": [
@@ -90022,8 +90327,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html",
+ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml"
 ],
 "tags": [
@@ -90057,8 +90362,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html",
+ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml"
 ],
 "tags": [
@@ -90100,8 +90405,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts",
+ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml"
 ],
 "tags": [
@@ -90218,8 +90523,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
+ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml"
 ],
 "tags": [
@@ -90286,8 +90591,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
+ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml"
 ],
 "tags": [
@@ -90329,8 +90634,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
+ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml"
 ],
 "tags": [
@@ -90404,8 +90709,8 @@
 "logsource.category": "No established category",
 "logsource.product": "bitbucket",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
+ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml"
 ],
 "tags": [
@@ -90488,11 +90793,11 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://www.sygnia.co/golden-saml-advisory",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
 "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
- "https://o365blog.com/post/aadbackdoor/",
 "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://www.sygnia.co/golden-saml-advisory",
+ "https://o365blog.com/post/aadbackdoor/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml"
 ],
 "tags": [
@@ -90525,8 +90830,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/",
 "https://o365blog.com/post/aadbackdoor/",
+ "https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml"
 ],
 "tags": [
@@ -90592,8 +90897,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml"
 ],
 "tags": [
@@ -90626,8 +90931,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml"
 ],
 "tags": [
@@ -90660,8 +90965,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml"
 ],
 "tags": [
@@ -90694,8 +90999,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml"
 ],
 "tags": [
@@ -90728,8 +91033,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml"
 ],
 "tags": [
@@ -90762,8 +91067,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml"
 ],
 "tags": [
@@ -90819,8 +91124,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml"
 ],
 "tags": [
@@ -90853,8 +91158,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml"
 ],
 "tags": [
@@ -90887,8 +91192,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml"
 ],
 "tags": [
@@ -90911,8 +91216,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml"
 ],
 "tags": [
@@ -90945,8 +91250,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml"
 ],
 "tags": [
@@ -91012,8 +91317,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml"
 ],
 "tags": [
@@ -91645,8 +91950,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f",
 "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/",
+ "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml"
 ],
 "tags": [
@@ -92219,8 +92524,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f",
 "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/",
+ "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml"
 ],
 "tags": [
@@ -92287,8 +92592,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/",
 "https://blooteem.com/march-2022",
+ "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml"
 ],
 "tags": [
@@ -93194,8 +93499,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml"
 ],
 "tags": [
@@ -93231,8 +93536,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml"
 ],
 "tags": [
@@ -93265,8 +93570,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml"
 ],
 "tags": [
@@ -93370,8 +93675,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml"
 ],
 "tags": [
@@ -93546,8 +93851,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml"
 ],
 "tags": [
@@ -93617,9 +93922,9 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user",
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml"
 ],
 "tags": [
@@ -93655,8 +93960,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml"
 ],
 "tags": [
@@ -93689,8 +93994,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated",
 "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml"
 ],
 "tags": [
@@ -93723,8 +94028,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml"
 ],
 "tags": [
@@ -93863,8 +94168,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml"
 ],
 "tags": [
@@ -93888,11 +94193,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml"
 ],
 "tags": [
@@ -93941,11 +94246,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml" ], "tags": [ @@ -93968,11 +94273,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ 
@@ -94557,11 +94862,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml" ], "tags": [ @@ -94669,11 +94974,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ 
@@ -94821,11 +95126,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ @@ -94859,11 +95164,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://attack.mitre.org/matrices/enterprise/cloud/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ 
@@ -95143,10 +95448,10 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml" ], "tags": [ @@ -95181,8 +95486,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml" ], "tags": [ @@ -95459,9 +95764,9 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], "tags": "No established tags" 
@@ -95482,10 +95787,10 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], "tags": [ @@ -95508,9 +95813,9 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], "tags": [ 
@@ -95670,12 +95975,12 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", + "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", + "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], "tags": [ @@ -95707,8 +96012,8 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.nextron-systems.com/?s=antivirus", "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", + "https://www.nextron-systems.com/?s=antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml" ], "tags": [ 
@@ -95741,16 +96046,16 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", - "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", - "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", - "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", + "https://github.com/tennc/webshell", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ 
@@ -95783,10 +96088,10 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", - "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", - "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", + "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", + "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" ], "tags": [ @@ -95884,8 +96189,8 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml" ], "tags": [ 
@@ -95919,10 +96224,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" ], "tags": [ @@ -95979,10 +96284,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" ], "tags": [ @@ -96105,8 +96410,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "Self Experience", "https://github.com/Neo23x0/auditd/blob/master/audit.rules", + "Self Experience", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" ], "tags": [ 
@@ -96181,10 +96486,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/8/pam_tty_audit", "https://access.redhat.com/articles/4409591#audit-record-types-2", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", + "https://linux.die.net/man/8/pam_tty_audit", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], "tags": [ @@ -96361,8 +96666,8 @@ "refs": [ "https://mn3m.info/posts/suid-vs-capabilities/", "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", - "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", + "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -96503,8 +96808,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" ], "tags": [ 
@@ -96637,8 +96942,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", "https://firewalld.org/documentation/man-pages/firewall-cmd.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" ], "tags": [ @@ -96671,8 +96976,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" ], "tags": [ @@ -96933,8 +97238,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", "https://linux.die.net/man/1/arecord", + "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" ], "tags": [ 
@@ -96967,10 +97272,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://man7.org/linux/man-pages/man1/passwd.1.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", "https://linux.die.net/man/1/chage", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", + "https://man7.org/linux/man-pages/man1/passwd.1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], "tags": [ @@ -97069,8 +97374,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", "https://blog.aquasec.com/container-security-tnt-container-attack", + "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml" ], "tags": [ @@ -97138,8 +97443,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], 
@@ -97207,8 +97512,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", "https://www.glitch-cat.com/p/green-lambert-and-attack", + "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", "https://objective-see.org/blog/blog_0x68.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml" ], @@ -97772,9 +98077,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf", "https://regex101.com/r/RugQYK/1", "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content", - "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf", "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml" ], @@ -97865,8 +98170,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml" ], "tags": [ @@ -97899,8 +98204,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml" ], "tags": [ 
@@ -98229,8 +98534,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", "https://attack.mitre.org/techniques/T1548/001/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" ], "tags": [ @@ -98263,10 +98568,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml" ], "tags": [ @@ -98332,8 +98637,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" ], "tags": [ 
@@ -98384,9 +98689,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://github.com/Tib3rius/AutoRecon", "https://github.com/projectdiscovery/naabu", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", - "https://github.com/Tib3rius/AutoRecon", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml" ], "tags": [ @@ -98453,8 +98758,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" ], "tags": [ @@ -98521,8 +98826,8 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/1/bash", - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml" ], "tags": [ 
@@ -98611,10 +98916,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml" ], "tags": [ @@ -98647,8 +98952,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/", + "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml" ], "tags": [ @@ -98672,8 +98977,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://bpftrace.org/", + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" ], "tags": [ 
@@ -98706,8 +99011,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml" ], "tags": [ @@ -98775,8 +99080,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml" ], "tags": [ @@ -98875,10 +99180,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", - "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", + "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml" ], "tags": [ 
@@ -98995,10 +99300,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml" ], "tags": [ @@ -99021,8 +99326,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/carlospolop/PEASS-ng", + "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/diego-treitos/linux-smart-enumeration", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], 
@@ -99080,10 +99385,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml" ], "tags": [ @@ -99116,10 +99421,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", - "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", + "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml" ], "tags": [ 
@@ -99142,8 +99447,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/apache/spark/pull/36315/files", "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/apache/spark/pull/36315/files", "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" ], @@ -99178,8 +99483,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://twitter.com/matthieugarin/status/1183970598210412546", "https://access.redhat.com/security/cve/cve-2019-14287", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], @@ -99222,9 +99527,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html", - "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", + "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml" ], "tags": [ @@ -99359,8 +99664,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml" ], "tags": [ 
@@ -99393,9 +99698,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://linux.die.net/man/8/groupdel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
 ],
@@ -99452,10 +99757,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://linux.die.net/man/8/userdel",
 "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
+ "https://linux.die.net/man/8/userdel",
 "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
 ],
 "tags": [
@@ -99488,10 +99793,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml"
 ],
 "tags": [
@@ -99548,8 +99853,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml"
 ],
 "tags": [
@@ -99582,9 +99887,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html",
- "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
 "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
+ "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml"
 ],
 "tags": [
@@ -99625,15 +99930,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Gui774ume/ebpfkit",
 "https://github.com/HavocFramework/Havoc",
 "https://github.com/t3l3machus/Villain",
 "https://github.com/1N3/Sn1per",
+ "https://github.com/Ne0nd0g/merlin",
+ "https://github.com/Gui774ume/ebpfkit",
 "https://github.com/Pennyw0rth/NetExec/",
- "https://github.com/t3l3machus/hoaxshell",
 "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/pathtofile/bad-bpf",
- "https://github.com/Ne0nd0g/merlin",
+ "https://github.com/t3l3machus/hoaxshell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml"
 ],
 "tags": [
@@ -99733,8 +100038,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml"
 ],
@@ -99768,8 +100073,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml"
 ],
 "tags": [
@@ -99792,8 +100097,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
 "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
+ "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml"
 ],
 "tags": [
@@ -99826,8 +100131,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html",
 "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml"
 ],
 "tags": [
@@ -99937,8 +100242,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml"
 ],
 "tags": [
@@ -100062,11 +100367,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://curl.se/docs/manpage.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://curl.se/docs/manpage.html",
 "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
 "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
 ],
 "tags": [
@@ -100206,8 +100511,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml"
 ],
 "tags": [
@@ -100230,9 +100535,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/nohup/",
- "https://en.wikipedia.org/wiki/Nohup",
 "https://www.computerhope.com/unix/unohup.htm",
+ "https://en.wikipedia.org/wiki/Nohup",
+ "https://gtfobins.github.io/gtfobins/nohup/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
 ],
 "tags": [
@@ -100298,8 +100603,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
 "https://www.cyberciti.biz/faq/how-force-kill-process-linux/",
+ "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml"
 ],
 "tags": [
@@ -100365,8 +100670,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/Azure/Azure-Sentinel/pull/3059",
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml"
 ],
 "tags": [
@@ -100417,9 +100722,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html",
- "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
 "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
+ "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml"
 ],
 "tags": [
@@ -100461,10 +100766,10 @@
 "logsource.product": "linux",
 "refs": [
 "https://man7.org/linux/man-pages/man1/ncat.1.html",
- "https://www.revshells.com/",
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.infosecademy.com/netcat-reverse-shells/",
 "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml"
 ],
 "tags": [
@@ -100697,8 +101002,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://gtfobins.github.io/gtfobins/vim/",
- "https://gtfobins.github.io/gtfobins/rvim/",
 "https://gtfobins.github.io/gtfobins/vimdiff/",
+ "https://gtfobins.github.io/gtfobins/rvim/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
 ],
 "tags": [
@@ -100731,10 +101036,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"
 ],
 "tags": [
@@ -100790,8 +101095,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
 "https://bpftrace.org/",
+ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
 "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml"
 ],
@@ -100849,10 +101154,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml"
 ],
 "tags": [
@@ -100885,9 +101190,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
 "https://blogs.blackberry.com/",
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml"
 ],
 "tags": [
@@ -100953,8 +101258,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
 "https://github.com/sleventyeleven/linuxprivchecker/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml"
 ],
 "tags": [
@@ -100989,8 +101294,8 @@
 "refs": [
 "https://linuxhint.com/uninstall_yum_package/",
 "https://sysdig.com/blog/mitre-defense-evasion-falco",
- "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
 "https://linuxhint.com/uninstall-debian-packages/",
+ "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml"
 ],
 "tags": [
@@ -101114,8 +101419,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
+ "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml"
 ],
 "tags": [
@@ -101224,8 +101529,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "linux",
 "refs": [
- "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
+ "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml"
 ],
 "tags": [
@@ -101345,6 +101650,44 @@
 "uuid": "a46c93b7-55ed-4d27-a41b-c259456c4746",
 "value": "Linux Crypto Mining Pool Connections"
 },
+ {
+ "description": "Detects programs that connect to known malware callback ports based on threat intelligence reports.\n",
+ "meta": {
+ "author": "hasselj",
+ "creation_date": "2024/05/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "net_connection_lnx_susp_malware_callback_port.yml",
+ "level": "high",
+ "logsource.category": "network_connection",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html",
+ "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html",
+ "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors",
+ "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team",
+ "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.command_and_control",
+ "attack.t1571"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "dbfc7c98-04ab-4ab7-aa94-c74d22aa7376",
+ "value": "Potentially Suspicious Malware Callback Communication - Linux"
+ },
 {
 "description": "Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell",
 "meta": {
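Review bot: The new cluster's `description` carries an embedded trailing `\n` (`...threat intelligence reports.\n`) while the neighbouring entry's description in the same hunk has none, so the generator appears to copy the upstream rule text without stripping it and the value will render with a stray line break. The `related` list holds a single dest-uuid, presumably for `attack.t1571`, whereas the `attack.persistence` tag sits oddly on a network_connection callback-port rule and is probably inherited from the upstream rule, so it is worth checking against the source rather than patching here. The `falsepositive` value `Unknown` together with `level` `high` is likewise upstream data; port-based matching of this kind will need local tuning by consumers, and the generator could at least normalise whitespace with a `.strip()` on `description` before serializing.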
@@ -101391,8 +101734,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
 "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
 "https://book.hacktricks.xyz/shells/shells/linux",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
 ],
@@ -101540,8 +101883,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
 "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
 "https://artkond.com/2017/03/23/pivoting-guide/",
 "http://pastebin.com/FtygZ1cg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
@@ -101599,9 +101942,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/8/useradd",
- "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
 "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
+ "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
+ "https://linux.die.net/man/8/useradd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
 ],
 "tags": [
@@ -101776,9 +102119,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics",
 "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
+ "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"
 ],
 "tags": [
@@ -101968,8 +102311,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/matthieugarin/status/1183970598210412546",
 "https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://twitter.com/matthieugarin/status/1183970598210412546",
 "https://access.redhat.com/security/cve/cve-2019-14287",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
 ],
@@ -102232,5 +102575,5 @@
 "value": "Modifying Crontab"
 }
 ],
- "version": 20240508
+ "version": 20240516
 }
From fe3fead459ad0a7befc4eadb25d44c5dd5e87701 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 16 May 2024 20:29:18 +0200
Subject: [PATCH 02/12] chg: [tidal] updated to the latest version
---
 clusters/tidal-campaigns.json | 110 +
 clusters/tidal-groups.json | 256 +-
 clusters/tidal-references.json | 4877 +++++++++++++++++++++++++++-----
 clusters/tidal-software.json | 2445 +++++++++++----
 clusters/tidal-tactic.json | 72 +
 clusters/tidal-technique.json | 149 +-
 6 files changed, 6392 insertions(+), 1517 deletions(-)
diff --git a/clusters/tidal-campaigns.json b/clusters/tidal-campaigns.json
index 0b3910f..6375c9e 100644
--- a/clusters/tidal-campaigns.json
+++ b/clusters/tidal-campaigns.json
@@ -33,6 +33,18 @@
 "uuid": "06197e03-e1c1-56af-ba98-5071f98f91f1",
 "value": "2016 Ukraine Electric Power Attack"
 },
+ {
+ "description": "The [2022 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/a79e06d1-df08-5c72-9180-2c373274f889) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign that used a combination of GOGETTER, Neo-REGEORG, [CaddyWiper](https://app.tidalcyber.com/software/62d0ddcd-790d-4d2d-9d94-276f54b40cf0), and living of the land (LotL) techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system.[[Mandiant-Sandworm-Ukraine-2022](https://app.tidalcyber.com/references/7ad64744-2790-54e4-97cd-e412423f6ada)][[Dragos-Sandworm-Ukraine-2022](https://app.tidalcyber.com/references/a17aa1b1-cda4-5aeb-b401-f4fd47d29f93)] ",
+ "meta": {
+ "campaign_attack_id": "C0034",
+ "first_seen": "2022-06-01T04:00:00Z",
+ "last_seen": "2022-10-01T04:00:00Z",
+ "source": "MITRE"
+ },
+ "related": [],
+ "uuid": "a79e06d1-df08-5c72-9180-2c373274f889",
+ "value": "2022 Ukraine Electric Power Attack"
+ },
 {
 "description": "In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.[[U.S. 
CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]\n\nThe Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)][[Cisco Talos Blog December 08 2022](/references/bcf92374-48a3-480f-a679-9fd34b67bcdd)]\n\n**Related Vulnerabilities**: CVE-2022-31199[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]",
 "meta": {
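Review bot: The added `2022 Ukraine Electric Power Attack` description ends with a trailing space inside the string (`...f4fd47d29f93)] "`), unlike the other entries added in this commit, and carries the upstream typo `living of the land`. The typo belongs upstream, but the stray whitespace would not propagate into every import if the generator stripped descriptions before serializing. The trailing context entry (Truebot) runs past the end of this hunk.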
@@ -166,6 +178,29 @@
 "uuid": "80ae546a-70e5-4427-be1d-e74efc428ffd",
 "value": "APT29 TeamCity Exploits"
 },
+ {
+ "description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)] The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). 
Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]",
+ "meta": {
+ "campaign_attack_id": "C5019",
+ "first_seen": "2023-11-01T00:00:00Z",
+ "last_seen": "2024-02-29T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "a159c91c-5258-49ea-af7d-e803008d97d3",
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "6bb2f579-a5cd-4647-9dcd-eff05efe3679",
+ "c25f341a-7030-4688-a00b-6d637298e52e",
+ "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
+ "2e85babc-77cd-4455-9c6e-312223a956de",
+ "0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3"
+ ]
+ },
+ "related": [],
+ "uuid": "ccc6401a-b79f-424b-8617-3c2d55475584",
+ "value": "ArcaneDoor"
+ },
 {
 "description": "[C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researcher assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) began by at least late 2020, and was still ongoing as of mid-2022.[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]",
 "meta": {
@@ -273,6 +308,30 @@
 "uuid": "a9719584-4f52-5a5d-b0f7-1059e715c2b8",
 "value": "C0027"
 },
+ {
+ "description": "[C0032](https://app.tidalcyber.com/campaigns/c26b3156-8472-5b87-971f-41a7a4702268) was an extended campaign suspected to involve the [Triton](https://app.tidalcyber.com/software/) adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the [Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b).[[FireEye TRITON 2019](https://app.tidalcyber.com/references/49c97b85-ca22-400a-9dc4-6290cc117f04)]",
+ "meta": {
+ "campaign_attack_id": "C0032",
+ "first_seen": "2014-10-01T04:00:00Z",
+ "last_seen": "2017-01-01T05:00:00Z",
+ "source": "MITRE"
+ },
+ "related": [],
+ "uuid": "c26b3156-8472-5b87-971f-41a7a4702268",
+ "value": "C0032"
+ },
+ {
+ "description": "[C0033](https://app.tidalcyber.com/campaigns/c5d35d8d-fe96-5210-bb57-4692081a25a9) was a [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0) campaign during which they used [StrongPity](https://app.tidalcyber.com/software/ed563524-235e-4e06-8c69-3f9d8ddbfd8a) to target Android users. [C0033](https://app.tidalcyber.com/campaigns/c5d35d8d-fe96-5210-bb57-4692081a25a9) was the first publicly documented mobile campaign for [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0), who previously used Windows-based techniques.[[welivesec_strongpity](https://app.tidalcyber.com/references/1b89df2c-e756-599a-9f7f-a5230db9de46)]",
+ "meta": {
+ "campaign_attack_id": "C0033",
+ "first_seen": "2016-05-01T07:00:00Z",
+ "last_seen": "2023-01-01T08:00:00Z",
+ "source": "MITRE"
+ },
+ "related": [],
+ "uuid": "c5d35d8d-fe96-5210-bb57-4692081a25a9",
+ "value": "C0033"
+ },
 {
 "description": "In June 2023, U.S. 
authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to \"CL0P Ransomware Gang, also known as TA505\", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see \"widespread exploitation of unpatched software services in both private and public networks\".[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)] Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]\n\n**Related Vulnerabilities**: CVE-2023-34362[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]",
 "meta": {
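Review bot: The added `C0032` entry's description says `This campaign occurred in 2019`, but its `first_seen` is `2014-10-01T04:00:00Z` and `last_seen` is `2017-01-01T05:00:00Z`, so any consumer filtering campaigns by date will place it years before the text does. Both values look inherited from the upstream MITRE record and should be corrected there, but a generator-side sanity check that the year named in a description falls inside the first_seen..last_seen window would have flagged this before import. The same entry links `[Triton](https://app.tidalcyber.com/software/)` with no software UUID, which is a dead link; the identical empty link recurs in the `Triton Safety Instrumented System Attack` entry added in the `@@ -641` hunk further down, which suggests the Triton software record is missing from the source the generator resolves links against.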
@@ -303,6 +362,29 @@
 "uuid": "fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48",
 "value": "CostaRicto"
 },
+ {
+ "description": "[Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)][[Volexity Ivanti Zero-Day Exploitation January 2024](https://app.tidalcyber.com/references/93eda380-ea21-59e0-97e8-5bec1f9a0e71)][[Volexity Ivanti Global Exploitation January 2024](https://app.tidalcyber.com/references/b96fa4f2-864d-5d88-9a29-b117da8f8c5c)][[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)][[Mandiant Cutting Edge Part 3 February 2024](https://app.tidalcyber.com/references/49e5b125-5503-5cb0-9a56-a93f82b55753)]",
+ "meta": {
+ "campaign_attack_id": "C0029",
+ "first_seen": "2023-12-01T05:00:00Z",
+ "last_seen": "2024-02-01T05:00:00Z",
+ "source": "MITRE",
+ "tags": [
+ "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
+ "758c3085-2f79-40a8-ab95-f8a684737927",
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
+ "1dc8fd1e-0737-405a-98a1-111dd557f1b5",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ 
"d1ab6bd6-2688-4e54-a1d3-d180bb8fd41a",
+ "1ff4614e-0ee6-4e04-921d-61abba7fcdb7",
+ "e00b65fc-8f56-4a9e-9f09-ccf3124a3272"
+ ]
+ },
+ "related": [],
+ "uuid": "4e605e33-57fe-5bb2-b0ad-ec146aac041b",
+ "value": "Cutting Edge"
+ },
 {
 "description": "German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]",
 "meta": {
@@ -431,6 +513,8 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "fe984a01-910d-4e39-9c49-179aa03f75ab",
+ "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
 "758c3085-2f79-40a8-ab95-f8a684737927",
 "af5e9be5-b86e-47af-91dd-966a5e34a186",
 "35e694ec-5133-46e3-b7e1-5831867c3b55",
@@ -454,6 +538,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "fe984a01-910d-4e39-9c49-179aa03f75ab",
 "a98d7a43-f227-478e-81de-e7299639a355",
 "c475ad68-3fdc-4725-8abc-784c56125e96"
 ]
@@ -494,6 +579,19 @@ "uuid": "85f136b3-d5a3-4c4c-a37c-40e4418dc989", "value": "Night Dragon" }, + { + "description": "\"Operation Bearded Barbie\" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially \"high-profile\" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]", + "meta": { + "campaign_attack_id": "C5018", + "first_seen": "2022-03-01T00:00:00Z", + "last_seen": "2022-04-01T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber" + }, + "related": [], + "uuid": "0496e076-1813-4f51-86e6-8f551983e8f8", + "value": "Operation Bearded Barbie" + }, { "description": "[Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1) was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of [Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1), which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. 
Researchers assessed [Operation CuckooBees](https://app.tidalcyber.com/campaigns/81bf4e45-f0d3-4fec-a9d4-1259cf8542a1) was conducted by actors affiliated with [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b), [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9), and BARIUM.[[Cybereason OperationCuckooBees May 2022](https://app.tidalcyber.com/references/fe3e2c7e-2287-406c-b717-cf7721b5843a)]", "meta": { @@ -641,6 +739,18 @@ "related": [], "uuid": "8bde8146-0656-5800-82e6-e24e008e4f4a", "value": "SolarWinds Compromise" + }, + { + "description": "[Triton Safety Instrumented System Attack](https://app.tidalcyber.com/campaigns/6c7185e1-bd46-5a80-9a76-a376b16fbc7b) was a campaign employed by [TEMP.Veles](https://app.tidalcyber.com/groups/3a54b8dc-a231-4db8-96da-1c0c1aa396f6) which leveraged the [Triton](https://app.tidalcyber.com/software/) malware framework against a petrochemical organization.[[Triton-EENews-2017](https://app.tidalcyber.com/references/5cc54d85-ee53-579d-a8fb-9b54b3540dc0)] The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.[[FireEye TRITON 2018](https://app.tidalcyber.com/references/bfa5886a-a7f4-40d1-98d0-c3358abcf265)] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[[FireEye TRITON 2017](https://app.tidalcyber.com/references/597a4d8b-ffb2-4551-86db-b319f5a5b707)]\n", + "meta": { + "campaign_attack_id": "C0030", + "first_seen": "2017-06-01T04:00:00Z", + "last_seen": "2017-08-01T04:00:00Z", + "source": "MITRE" + }, + "related": [], + "uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b", + "value": "Triton Safety Instrumented System Attack" } ], "version": 1 diff --git a/clusters/tidal-groups.json b/clusters/tidal-groups.json index f1346df..5aeb492 100644 --- a/clusters/tidal-groups.json +++ b/clusters/tidal-groups.json 
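Review bot: The new `Operation Bearded Barbie` description cites its source with a site-relative path, `[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]`, whereas the MITRE-sourced objects in the same file use absolute `https://app.tidalcyber.com/references/...` URLs; when the galaxy is rendered inside MISP the relative form resolves against the MISP host and yields a dead link. The Tidal-owned `Black Basta Affiliates` object in hunk `@@ -1126,6 +1225,55 @@` of tidal-groups.json shows the same pattern, and the unchanged Akira and BlackCat context lines suggest this is how the generator has always handled `source: "Tidal Cyber"` objects rather than a regression in this commit. Prefixing every `/references/` and `/groups/` path with `https://app.tidalcyber.com` at import time would make the two sources uniform.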
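Review bot: The `Triton Safety Instrumented System Attack` description links the malware as `[Triton](https://app.tidalcyber.com/software/)` with no object id after `/software/`, so the link lands on the software index rather than the Triton object; the sibling `[TEMP.Veles](https://app.tidalcyber.com/groups/3a54b8dc-a231-4db8-96da-1c0c1aa396f6)` link shows the expected form, and the id should be filled in (`https://app.tidalcyber.com/software/<triton software uuid>`) or the markdown link reduced to plain text. The `first_seen`/`last_seen` values `2017-06-01T04:00:00Z` and `2017-08-01T04:00:00Z` (and the `05:00:00Z` pair on Cutting Edge in the first hunk) look like month-precision dates that were midnight in a US Eastern zone before conversion, so the hour carries no information; if that inference holds, normalising MITRE-sourced campaign dates to `T00:00:00Z`, as the Tidal-owned Bearded Barbie object already does, would stop consumers reading false precision into them.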
@@ -37,6 +37,68 @@ "uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa", "value": "Ajax Security Team" }, + { + "description": "[Akira](https://app.tidalcyber.com/groups/923f478c-7ad1-516f-986d-61f96b9c553e) is a ransomware variant and ransomware deployment entity active since at least March 2023.[[Arctic Wolf Akira 2023](https://app.tidalcyber.com/references/aa34f2a1-a398-5dc4-b898-cdc02afeca5d)] [Akira](https://app.tidalcyber.com/groups/923f478c-7ad1-516f-986d-61f96b9c553e) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.[[Arctic Wolf Akira 2023](https://app.tidalcyber.com/references/aa34f2a1-a398-5dc4-b898-cdc02afeca5d)][[Secureworks GOLD SAHARA](https://app.tidalcyber.com/references/3abb7995-4a62-56a6-9492-942965edf0a0)] [Akira](https://app.tidalcyber.com/groups/923f478c-7ad1-516f-986d-61f96b9c553e) operations are associated with \"double extortion\" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. 
Technical analysis of [Akira](https://app.tidalcyber.com/software/96ae0e1e-975a-5e11-adbe-c79ee17cee11) ransomware indicates multiple overlaps with and similarities to [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) malware.[[BushidoToken Akira 2023](https://app.tidalcyber.com/references/8fe09ef1-f72e-5261-b79f-5d41fad51eac)]", + "meta": { + "group_attack_id": "G1024", + "observed_countries": [ + "AU", + "BD", + "BR", + "CA", + "DK", + "FR", + "IN", + "IL", + "LV", + "MX", + "NI", + "PT", + "ZA", + "TR", + "GB", + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "source": "MITRE", + "tags": [ + "0580d361-b60b-4664-9b2e-6d737e495cc1", + "9768aada-9d63-4d46-ab9f-d41b8c8e4010", + "a159c91c-5258-49ea-af7d-e803008d97d3", + "c5a258ce-9045-48d9-b254-ec2bf6437bb5", + "cc4ea215-87ce-4351-9579-cf527caf5992", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "c79f7ba7-a2f2-43ff-8c78-521807ef6c92", + "a2e000da-8181-4327-bacd-32013dbd3654", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "562e535e-19f5-4d6c-81ed-ce2aec544f09" + ], + "target_categories": [ + "Agriculture", + "Banks", + "Construction", + "Education", + "Energy", + "Financial Services", + "Government", + "Healthcare", + "Insurance", + "Legal", + "Manufacturing", + "Non Profit", + "Retail", + "Technology", + "Telecommunications" + ] + }, + "related": [], + "uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", + "value": "Akira" + }, { "description": "This Group object reflects the tools & TTPs used by threat actors known to deploy Akira, a ransomware family that researchers believe has been used since at least March 2023.[[TrendMicro Akira October 5 2023](/references/8f45fb21-c6ad-4b97-b459-da96eb643069)] Researchers assess that the Akira operation relates to and possibly derives from the Conti ransomware operation (by way of the Royal ransomware operation).[[GitHub 
ransomware_map](/references/d995f4b2-3262-4c37-855a-61aef7d7b8a8)]\n\nTTPs associated with the Akria ransomware binary itself can be found in the separate \"Akira Ransomware\" Software object.", "meta": { 
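Review bot: The new MITRE-sourced `Akira` group (G1024, uuid 923f478c-7ad1-516f-986d-61f96b9c553e) is inserted directly above the existing Tidal-owned group describing the same actors (`This Group object reflects the tools & TTPs used by threat actors known to deploy Akira`, the context lines closing the hunk), and neither object carries a `related` entry pointing at the other, so events tagged with one cluster will not surface under the other. Adding `"related": [{"dest-uuid": "<uuid of the existing Tidal Akira group>", "type": "similar"}]` on the new object (or on both) would keep the two clusters discoverable together. Note also that the description links the name Akira to a group object in its first sentences and to a software object (`https://app.tidalcyber.com/software/96ae0e1e-975a-5e11-adbe-c79ee17cee11`) in the last one; that is presumably intentional (actor versus ransomware binary), but the software cluster, if it exists in the companion software file, is another candidate for a `related` entry.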
@@ -420,7 +482,7 @@ "value": "APT20" }, { - "description": "[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[[NSA/FBI Drovorub August 2020](https://app.tidalcyber.com/references/d697a342-4100-4e6b-95b9-4ae3ba80924b)][[Cybersecurity Advisory GRU Brute Force Campaign July 2021](https://app.tidalcyber.com/references/e70f0742-5f3e-4701-a46b-4a58c0281537)] This group has been active since at least 2004.[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)][[Ars Technica GRU indictment Jul 2018](https://app.tidalcyber.com/references/a1192cb3-4536-4900-93c7-a127ca06c690)][[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)][[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)][[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)][[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)][[GRIZZLY STEPPE JAR](https://app.tidalcyber.com/references/4b26d274-497f-49bc-a2a5-b93856a49893)][[Sofacy DealersChoice](https://app.tidalcyber.com/references/ec157d0c-4091-43f5-85f1-a271c4aac1fc)][[Palo Alto Sofacy 06-2018](https://app.tidalcyber.com/references/a32357eb-3226-4bee-aeed-d2fbcfa52da0)][[Symantec APT28 Oct 2018](https://app.tidalcyber.com/references/777bc94a-6c21-4f8c-9efa-a1cf52ececc0)][[ESET Zebrocy May 2019](https://app.tidalcyber.com/references/f8b837fb-e46c-4153-8e86-dc4b909b393a)]\n\n[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the 
U.S. presidential election. [[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)] In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[[US District Court Indictment GRU Oct 2018](https://app.tidalcyber.com/references/56aeab4e-b046-4426-81a8-c3b2323492f0)] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666). ", + "description": "[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[[NSA/FBI Drovorub August 2020](https://app.tidalcyber.com/references/d697a342-4100-4e6b-95b9-4ae3ba80924b)][[Cybersecurity Advisory GRU Brute Force Campaign July 2021](https://app.tidalcyber.com/references/e70f0742-5f3e-4701-a46b-4a58c0281537)] This group has been active since at least 2004.[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)][[Ars Technica GRU indictment Jul 2018](https://app.tidalcyber.com/references/a1192cb3-4536-4900-93c7-a127ca06c690)][[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)][[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)][[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)][[FireEye APT28 
January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)][[GRIZZLY STEPPE JAR](https://app.tidalcyber.com/references/4b26d274-497f-49bc-a2a5-b93856a49893)][[Sofacy DealersChoice](https://app.tidalcyber.com/references/ec157d0c-4091-43f5-85f1-a271c4aac1fc)][[Palo Alto Sofacy 06-2018](https://app.tidalcyber.com/references/a32357eb-3226-4bee-aeed-d2fbcfa52da0)][[Symantec APT28 Oct 2018](https://app.tidalcyber.com/references/777bc94a-6c21-4f8c-9efa-a1cf52ececc0)][[ESET Zebrocy May 2019](https://app.tidalcyber.com/references/f8b837fb-e46c-4153-8e86-dc4b909b393a)]\n\n[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)] In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[[US District Court Indictment GRU Oct 2018](https://app.tidalcyber.com/references/56aeab4e-b046-4426-81a8-c3b2323492f0)] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666). ", "meta": { "country": "RU", "group_attack_id": "G0007", 
@@ -607,7 +669,7 @@ "value": "APT29" }, { - "description": "[APT3](https://app.tidalcyber.com/groups/9da726e6-af02-49b8-8ebe-7ea4235513c9) is a China-based threat group that researchers have attributed to China's Ministry of State Security.[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)][[Recorded Future APT3 May 2017](https://app.tidalcyber.com/references/a894d79f-5977-4ef9-9aa5-7bfec795ceb2)] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)][[FireEye Operation Double Tap](https://app.tidalcyber.com/references/4b9af128-98da-48b6-95c7-8d27979c2ab1)] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]\n\nIn 2017, MITRE developed an APT3 Adversary Emulation Plan.[[APT3 Adversary Emulation Plan](https://app.tidalcyber.com/references/64c01921-c33f-402e-b30d-a2ba26583a24)]", + "description": "[APT3](https://app.tidalcyber.com/groups/9da726e6-af02-49b8-8ebe-7ea4235513c9) is a China-based threat group that researchers have attributed to China's Ministry of State Security.[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)][[Recorded Future APT3 May 2017](https://app.tidalcyber.com/references/a894d79f-5977-4ef9-9aa5-7bfec795ceb2)] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)][[FireEye Operation Double Tap](https://app.tidalcyber.com/references/4b9af128-98da-48b6-95c7-8d27979c2ab1)] As of June 2015, the group appears 
to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]", "meta": { "country": "CN", "group_attack_id": "G0022", @@ -704,7 +766,7 @@ "value": "APT32" }, { - "description": "[APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. [[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)] [[FireEye APT33 Webinar Sept 2017](https://app.tidalcyber.com/references/9b378592-5737-403d-8a07-27077f5b2d61)]", + "description": "[APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)][[FireEye APT33 Webinar Sept 2017](https://app.tidalcyber.com/references/9b378592-5737-403d-8a07-27077f5b2d61)]", "meta": { "country": "IR", "group_attack_id": "G0064", 
@@ -766,7 +828,7 @@ "value": "APT37" }, { - "description": "[APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)] Active since at least 2014, [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)][[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)][[DOJ North Korea Indictment Feb 2021](https://app.tidalcyber.com/references/d702653f-a9da-4a36-8f84-97caeb445266)][[Kaspersky Lazarus Under The Hood Blog 2017](https://app.tidalcyber.com/references/a1e1ab6a-8db0-4593-95ec-78784607dfa0)]\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.", + "description": "[APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[[CISA AA20-239A 
BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)] Active since at least 2014, [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) stole $81 million, as well as attacks against Bancomext [[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)] and Banco de Chile [[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)]; some of their attacks have been destructive.[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)][[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)][[DOJ North Korea Indictment Feb 2021](https://app.tidalcyber.com/references/d702653f-a9da-4a36-8f84-97caeb445266)][[Kaspersky Lazarus Under The Hood Blog 2017](https://app.tidalcyber.com/references/a1e1ab6a-8db0-4593-95ec-78784607dfa0)]\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.", "meta": { "country": "KP", "group_attack_id": "G0082", 
@@ -929,6 +991,43 @@ "uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "value": "APT41" }, + { + "description": "[APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[[NSA APT5 Citrix Threat Hunting December 2022](https://app.tidalcyber.com/references/916e2137-46e6-53c2-a917-5b5b5c4bae3a)][[Microsoft East Asia Threats September 2023](https://app.tidalcyber.com/references/31f2c61e-cefe-5df7-9c2b-780bf03c88ec)][[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)][[Mandiant Pulse Secure Update May 2021](https://app.tidalcyber.com/references/5620adaf-c2a7-5f0f-ae70-554ce720426e)][[FireEye Southeast Asia Threat Landscape March 2015](https://app.tidalcyber.com/references/59658f8b-af24-5df5-8f7d-cb6b9cf7579e)][[Mandiant Advanced Persistent Threats](https://app.tidalcyber.com/references/2d16615b-09fc-5925-8f59-6d20f334d236)] ", + "meta": { + "group_attack_id": "G1023", + "source": "MITRE" + }, + "related": [], + "uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", + "value": "APT5" + }, + { + "description": "[APT-C-23](https://app.tidalcyber.com/groups/e3c5164e-49cf-5bb1-955d-6775585abb14) is a threat group that has been active since at least 2014.[[symantec_mantis](https://app.tidalcyber.com/references/76a792b5-f3cd-566e-a87b-9fae844ce07d)] [APT-C-23](https://app.tidalcyber.com/groups/e3c5164e-49cf-5bb1-955d-6775585abb14) has primarily focused its operations on the Middle East, including Israeli military assets. 
[APT-C-23](https://app.tidalcyber.com/groups/e3c5164e-49cf-5bb1-955d-6775585abb14) has developed mobile spyware targeting Android and iOS devices since 2017.[[welivesecurity_apt-c-23](https://app.tidalcyber.com/references/7196226e-7d0d-5e14-a4e3-9b6322537039)]", + "meta": { + "group_attack_id": "G1028", + "observed_countries": [ + "DZ", + "BH", + "IL", + "PS", + "TR" + ], + "observed_motivations": [ + "Cyber Espionage" + ], + "source": "MITRE", + "target_categories": [ + "Defense", + "Education", + "Government", + "Media", + "NGOs" + ] + }, + "related": [], + "uuid": "e3c5164e-49cf-5bb1-955d-6775585abb14", + "value": "APT-C-23" + }, { "description": "[APT-C-36](https://app.tidalcyber.com/groups/153c14a6-31b7-44f2-892e-6d9fdc152267) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.[[QiAnXin APT-C-36 Feb2019](https://app.tidalcyber.com/references/cae075ea-42cb-4695-ac66-9187241393d1)]", "meta": { 
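Review bot: The new `APT-C-23` group object has `"related": []` although the `Operation Bearded Barbie` campaign added by this same commit to tidal-campaigns.json (hunk `@@ -494,6 +579,19 @@`) is attributed in its description to AridViper aka APT-C-23, so the campaign and the group cannot be joined in MISP except by reading the prose. If the generator can resolve the name, `"related": [{"dest-uuid": "0496e076-1813-4f51-86e6-8f551983e8f8", "type": "similar"}]` on the group (that uuid is the campaign's, from the earlier hunk) would close the gap; the exact relation type should follow the galaxy's existing conventions. Separately, the `APT5` description string ends with a trailing space before the closing quote (`...2d16615b-09fc-5925-8f59-6d20f334d236)] ",`), and the same stray space survives at the end of the rewritten APT28 description in hunk `@@ -420,7 +482,7 @@`; trimming both at import time would keep the strings consistent with the other new descriptions.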
@@ -1083,7 +1182,7 @@ "value": "BianLian Ransomware Group" }, { - "description": "[BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[[Cisco Talos Bitter Bangladesh May 2022](https://app.tidalcyber.com/references/097583ed-03b0-41cd-bf85-66d473f46439)][[Forcepoint BITTER Pakistan Oct 2016](https://app.tidalcyber.com/references/9fc54fb0-b7d9-49dc-b6dd-ab4cb2cd34fa)]", + "description": "[BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[[Cisco Talos Bitter Bangladesh May 2022](https://app.tidalcyber.com/references/097583ed-03b0-41cd-bf85-66d473f46439)][[Forcepoint BITTER Pakistan Oct 2016](https://app.tidalcyber.com/references/9fc54fb0-b7d9-49dc-b6dd-ab4cb2cd34fa)]", "meta": { "group_attack_id": "G1002", "source": "MITRE" 
@@ -1126,6 +1225,55 @@ "uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "value": "Bl00dy Ransomware Gang" }, + { + "description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Black Basta, a ransomware-as-a-service (RaaS) variant that researchers believe has been used since at least April 2022. Black Basta affiliates have attacked a very wide range of targets, including organizations in at least 12 out of 16 U.S. critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.[[U.S. CISA Black Basta May 10 2024](/references/10fed6c7-4d73-49cd-9170-3f67d06365ca)]\n\nSpecific pre- and post-exploit behaviors may vary among intrusions carried out by different Black Basta affiliates. TTPs associated with the Black Basta ransomware binary itself can be found in the separate dedicated Software object.", + "meta": { + "group_attack_id": "G5023", + "observed_countries": [ + "AU", + "AT", + "CA", + "DE", + "IT", + "CH", + "GB", + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "d819ae1a-e385-49fd-88d5-f66660729ecb", + "15787198-6c8b-4f79-bf50-258d55072fee", + "c40971d6-ad75-4b2d-be6c-5353c96a232d", + "3adcb409-166d-4465-ba1f-ddaecaff8282", + "dea4388a-b1f2-4f2a-9df9-108631d0d078", + "2743d495-7728-4a75-9e5f-b64854039792", + "d431939f-2dc0-410b-83f7-86c458125444", + "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "562e535e-19f5-4d6c-81ed-ce2aec544f09" + ], + "target_categories": [ + "Construction", + "Financial Services", + "Healthcare", + "Legal", + "Manufacturing", + "Retail", + "Technology", + "Transportation" + ] + }, + "related": [], + "uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", + "value": "Black Basta Affiliates" + }, { "description": "This object represents 
the BlackCat/ALPHV Ransomware-as-a-Service (“RaaS”) apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.\n\nResearchers first observed BlackCat ransomware (AKA ALPHV or Noberus) in November 2021. An April 2022 U.S. FBI advisory linked BlackCat’s developers and money launderers to the defunct Blackmatter and Darkside ransomware operations (the latter was responsible for the major 2021 Colonial Pipeline incident).[[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)] As of September 2023, BlackCat is believed to be responsible for attacking organizations globally and in virtually every major sector, and it consistently claims some of the highest victim tallies of any RaaS. According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, BlackCat actors publicly claimed 233 victims in 2022, the third most of any ransomware operation in the dataset (considerably below Clop (558) but well above Hive (181)), and it already surpassed that number by July of 2023.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] Like many RaaS, BlackCat actors threaten to leak exfiltrated victim data, but they also threaten to carry out denial of service attacks if victims do not pay timely ransoms.[[BlackBerry BlackCat Threat Overview](/references/59f98ae1-c62d-460f-8d2a-9ae287b59953)]\n\nBlackCat developers have regularly evolved the namesake ransomware over time, and collaboration with affiliates means that a large number and variety of tools & TTPs are observed during intrusions involving BlackCat. 
BlackCat became the first prominent ransomware family to transition to the Rust programming language in 2022, which researchers assess provides greater customization and defense evasion capabilities and faster performance.[[X-Force BlackCat May 30 2023](/references/b80c1f70-9d05-4f4b-bdc2-6157c6837202)][[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)] A BlackCat variant named Sphynx emerged in early 2023, featuring multiple defense evasion-focused enhancements. In Q3 2023, public reports suggested that Scattered Spider (AKA 0ktapus or UNC3944), a group attributed to several prominent intrusions involving telecommunications, technology, and casino entities, had begun to use BlackCat/Sphynx ransomware during its operations.[[Caesars Scattered Spider September 13 2023](/references/6915c003-7c8b-451c-8fb1-3541f00c14fb)][[BushidoToken Scattered Spider August 16 2023](/references/621a8320-0e3c-444f-b82a-7fd4fdf9fb67)]", "meta": { @@ -1265,6 +1413,9 @@ "Cyber Espionage" ], "source": "MITRE", + "tags": [ + "b20e7912-6a8d-46e3-8e13-9a3fc4813852" + ], "target_categories": [ "Construction", "Defense", 
@@ -1386,6 +1537,16 @@ "uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "value": "Chimera" }, + { + "description": "[Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) source code. [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) may be motivated by intellectual property theft or cyberespionage rather than financial gain.[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)][[Microsoft Threat Actor Naming July 2023](https://app.tidalcyber.com/references/78a8137d-694e-533d-aed3-6bd48fc0cd4a)][[Trend Micro Cheerscrypt May 2022](https://app.tidalcyber.com/references/ca7ccf2c-37f3-522a-acfb-09daa16e23d8)][[SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022](https://app.tidalcyber.com/references/0b275cf9-a885-58cc-b859-112090a711e3)]", + "meta": { + "group_attack_id": "G1021", + "source": "MITRE" + }, + "related": [], + "uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", + "value": "Cinnamon Tempest" + }, { "description": "[Cleaver](https://app.tidalcyber.com/groups/c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. 
[[Cylance Cleaver](https://app.tidalcyber.com/references/f0b45225-3ec3-406f-bd74-87f24003761b)] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [[Dell Threat Group 2889](https://app.tidalcyber.com/references/de7003cb-5127-4fd7-9475-d69e0d7f5cc8)]", "meta": { 
@@ -2218,7 +2379,7 @@ "value": "Fox Kitten" }, { - "description": "[GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified [GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[[Cybereason Soft Cell June 2019](https://app.tidalcyber.com/references/620b7353-0e58-4503-b534-9250a8f5ae3c)][[Microsoft GALLIUM December 2019](https://app.tidalcyber.com/references/5bc76b47-ff68-4031-a347-f2dc0daba203)][[Unit 42 PingPull Jun 2022](https://app.tidalcyber.com/references/ac6491ab-6ef1-4091-8a15-50e2cbafe157)]", + "description": "[GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. 
This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[[Cybereason Soft Cell June 2019](https://app.tidalcyber.com/references/620b7353-0e58-4503-b534-9250a8f5ae3c)] Security researchers have identified [GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[[Cybereason Soft Cell June 2019](https://app.tidalcyber.com/references/620b7353-0e58-4503-b534-9250a8f5ae3c)][[Microsoft GALLIUM December 2019](https://app.tidalcyber.com/references/5bc76b47-ff68-4031-a347-f2dc0daba203)][[Unit 42 PingPull Jun 2022](https://app.tidalcyber.com/references/ac6491ab-6ef1-4091-8a15-50e2cbafe157)]", "meta": { "country": "CN", "group_attack_id": "G0093", 
@@ -2670,7 +2831,7 @@ "value": "LAPSUS$" }, { - "description": "[Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.[[US-CERT HIDDEN COBRA June 2017](https://app.tidalcyber.com/references/8e57cea3-ee37-4507-bb56-7445050ec8ca)][[Treasury North Korean Cyber Groups September 2019](https://app.tidalcyber.com/references/54977bb2-2929-41d7-bdea-06d39dc76174)] The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. [[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups, such as [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46), [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66), [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b), and [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1). 
", + "description": "[Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.[[US-CERT HIDDEN COBRA June 2017](https://app.tidalcyber.com/references/8e57cea3-ee37-4507-bb56-7445050ec8ca)][[Treasury North Korean Cyber Groups September 2019](https://app.tidalcyber.com/references/54977bb2-2929-41d7-bdea-06d39dc76174)] The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups, such as [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46), [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66), [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b), and [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1). ", "meta": { "country": "KP", "group_attack_id": "G0032", 
@@ -3026,6 +3187,33 @@ "uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "value": "Magic Hound" }, + { + "description": "[Malteiro](https://app.tidalcyber.com/groups/803f8018-6e45-5b0f-978f-1fe96b217120) is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the [Mispadu](https://app.tidalcyber.com/software/758e5226-6015-5cc7-af4b-20fa35c9bac1) banking trojan via a Malware-as-a-Service (MaaS) business model. [Malteiro](https://app.tidalcyber.com/groups/803f8018-6e45-5b0f-978f-1fe96b217120) mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).[[SCILabs Malteiro 2021](https://app.tidalcyber.com/references/c6948dfc-b133-556b-a8ac-b3a4dba09c0e)]", + "meta": { + "country": "BR", + "group_attack_id": "G1026", + "observed_countries": [ + "MX", + "PT", + "ES" + ], + "observed_motivations": [ + "Financial Gain" + ], + "source": "MITRE", + "target_categories": [ + "Financial Services", + "Government", + "Healthcare", + "Manufacturing", + "Retail", + "Telecommunications" + ] + }, + "related": [], + "uuid": "803f8018-6e45-5b0f-978f-1fe96b217120", + "value": "Malteiro" + }, { "description": "MedusaLocker is a ransomware-as-a-service (\"RaaS\") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 has typically occurred via exploit of vulnerable Remote Desktop Protocol devices.[[HC3 Analyst Note MedusaLocker Ransomware February 2023](/references/49e314d6-5324-41e0-8bee-2b3e08d5e12f)]\n \nThis object represents behaviors associated with operators of MedusaLocker ransomware. 
As MedusaLocker is licensed on a RaaS model, affiliates likely do not act as a single cohesive unit, and behaviors observed during particular attacks may vary. Behaviors associated with samples of MedusaLocker ransomware are represented in the \"MedusaLocker Ransomware\" Software object.\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker", "meta": { 
@@ -3407,6 +3595,16 @@ "uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "value": "Mustang Panda" }, + { + "description": "[Mustard Tempest](https://app.tidalcyber.com/groups/0898e7cb-118e-5eeb-b856-04e56ed18182) is an initial access broker that has operated the [SocGholish](https://app.tidalcyber.com/software/ab84f259-9b9a-51d8-a68a-2bcd7512d760) distribution network since at least 2017. [Mustard Tempest](https://app.tidalcyber.com/groups/0898e7cb-118e-5eeb-b856-04e56ed18182) has partnered with [Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) to provide access for the download of additional malware including LockBit, [WastedLocker](https://app.tidalcyber.com/software/0ba6ee8d-2b29-4980-8e55-348ea05f00ad), and remote access tools.[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)][[Microsoft Threat Actor Naming July 2023](https://app.tidalcyber.com/references/78a8137d-694e-533d-aed3-6bd48fc0cd4a)][[Secureworks Gold Prelude Profile](https://app.tidalcyber.com/references/b16ae37d-5244-5c1e-92a9-e494b5a9ef49)][[SocGholish-update](https://app.tidalcyber.com/references/01d9c3ba-29e2-5090-b399-0e7adf50a6b9)]", + "meta": { + "group_attack_id": "G1020", + "source": "MITRE" + }, + "related": [], + "uuid": "0898e7cb-118e-5eeb-b856-04e56ed18182", + "value": "Mustard Tempest" + }, { "description": "[Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[[CameraShy](https://app.tidalcyber.com/references/9942b6a5-6ffb-4a26-9392-6c8bb9954997)] Active since at least 2010, [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) has primarily conducted operations against government, military, and civil organizations in 
Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[[CameraShy](https://app.tidalcyber.com/references/9942b6a5-6ffb-4a26-9392-6c8bb9954997)][[Baumgartner Naikon 2015](https://app.tidalcyber.com/references/09302b4f-7f71-4289-92f6-076c685f0810)] \n\nWhile [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) shares some characteristics with [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f), the two groups do not appear to be exact matches.[[Baumgartner Golovkin Naikon 2015](https://app.tidalcyber.com/references/5163576f-0b2c-49ba-8f34-b7efe3f3f6db)]", "meta": { 
@@ -3477,7 +3675,7 @@ "value": "Nomadic Octopus" }, { - "description": "[OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[[Palo Alto OilRig April 2017](https://app.tidalcyber.com/references/fb561cdd-03f6-4867-b5b5-7e4deb11f0d0)][[ClearSky OilRig Jan 2017](https://app.tidalcyber.com/references/f19f9ad4-bb31-443b-9c26-87946469a0c3)][[Palo Alto OilRig May 2016](https://app.tidalcyber.com/references/53836b95-a30a-4e95-8e19-e2bb2f18c738)][[Palo Alto OilRig Oct 2016](https://app.tidalcyber.com/references/14bbb07b-caeb-4d17-8e54-047322a5930c)][[Unit42 OilRig Playbook 2023](https://app.tidalcyber.com/references/e38902bb-9bab-5beb-817b-668a67a76541)][[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)][[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)]", + "description": "[OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. 
The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)][[Palo Alto OilRig April 2017](https://app.tidalcyber.com/references/fb561cdd-03f6-4867-b5b5-7e4deb11f0d0)][[ClearSky OilRig Jan 2017](https://app.tidalcyber.com/references/f19f9ad4-bb31-443b-9c26-87946469a0c3)][[Palo Alto OilRig May 2016](https://app.tidalcyber.com/references/53836b95-a30a-4e95-8e19-e2bb2f18c738)][[Palo Alto OilRig Oct 2016](https://app.tidalcyber.com/references/14bbb07b-caeb-4d17-8e54-047322a5930c)][[Unit42 OilRig Playbook 2023](https://app.tidalcyber.com/references/e38902bb-9bab-5beb-817b-668a67a76541)][[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)]", "meta": { "country": "IR", "group_attack_id": "G0049", 
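Review bot: The rewritten OilRig description drops the hedge on attribution: `FireEye assesses that the group works on behalf of the Iranian government` becomes `The group works on behalf of the Iranian government`, while the supporting citations remain third-party assessments. For a galaxy consumed as threat intelligence, flattening an assessment into a statement of fact changes what downstream analysts inherit. If this text mirrors the upstream Tidal/MITRE record verbatim, the fix belongs upstream and a pointer there suffices; otherwise prefer `The group is assessed to work on behalf of the Iranian government based on infrastructure details ...`.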
@@ -3512,7 +3710,7 @@ "value": "OilRig" }, { - "description": "[Orangeworm](https://app.tidalcyber.com/groups/863b7013-133d-4a82-93d2-51b53a8fd30e) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.[[Symantec Orangeworm April 2018](https://app.tidalcyber.com/references/eee5efa1-bbc6-44eb-8fae-23002f351605)]", + "description": "[Orangeworm](https://app.tidalcyber.com/groups/863b7013-133d-4a82-93d2-51b53a8fd30e) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.[[Symantec Orangeworm April 2018](https://app.tidalcyber.com/references/eee5efa1-bbc6-44eb-8fae-23002f351605)] Reverse engineering of [Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3), directly associated with [Orangeworm](https://app.tidalcyber.com/groups/863b7013-133d-4a82-93d2-51b53a8fd30e) activity, indicates significant functional and development overlaps with [Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5).[[Cylera Kwampirs 2022](https://app.tidalcyber.com/references/06442111-2c71-5efb-9530-cabeba159a91)]", "meta": { "group_attack_id": "G0071", "observed_countries": [ @@ -3955,6 +4153,7 @@ ], "source": "MITRE", "tags": [ + "b20e7912-6a8d-46e3-8e13-9a3fc4813852", "f2ae2283-f94d-4f8f-bbde-43f2bed66c55" ], "target_categories": [ 
@@ -3987,7 +4186,7 @@ "value": "Scarlet Mimic" }, { - "description": "[Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.[[CrowdStrike Scattered Spider Profile](https://app.tidalcyber.com/references/a865a984-7f7b-5f82-ac4a-6fac79a2a753)][[CrowdStrike Scattered Spider BYOVD January 2023](https://app.tidalcyber.com/references/d7d86f5d-1f02-54b0-b6f4-879878563245)][[Crowdstrike TELCO BPO Campaign December 2022](https://app.tidalcyber.com/references/382785e1-4ef3-506e-b74f-cd07df9ae46e)]", + "description": "[Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) is a native English-speaking cybercriminal group that has been active since at least 2022.[[CrowdStrike Scattered Spider Profile](https://app.tidalcyber.com/references/a865a984-7f7b-5f82-ac4a-6fac79a2a753)][[MSTIC Octo Tempest Operations October 2023](https://app.tidalcyber.com/references/92716d7d-3ca5-5d7a-b719-946e94828f13)] The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. 
Beginning in 2023, [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.[[MSTIC Octo Tempest Operations October 2023](https://app.tidalcyber.com/references/92716d7d-3ca5-5d7a-b719-946e94828f13)] During campaigns, [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.[[CISA Scattered Spider Advisory November 2023](https://app.tidalcyber.com/references/deae8b2c-39dd-5252-b846-88e1cab099c2)][[CrowdStrike Scattered Spider BYOVD January 2023](https://app.tidalcyber.com/references/d7d86f5d-1f02-54b0-b6f4-879878563245)][[CrowdStrike Scattered Spider Profile](https://app.tidalcyber.com/references/a865a984-7f7b-5f82-ac4a-6fac79a2a753)][[MSTIC Octo Tempest Operations October 2023](https://app.tidalcyber.com/references/92716d7d-3ca5-5d7a-b719-946e94828f13)][[Crowdstrike TELCO BPO Campaign December 2022](https://app.tidalcyber.com/references/382785e1-4ef3-506e-b74f-cd07df9ae46e)]", "meta": { "group_attack_id": "G1015", "observed_countries": [ 
@@ -4505,6 +4704,16 @@ "uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "value": "Thrip" }, + { + "description": "[ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.[[Kaspersky ToddyCat June 2022](https://app.tidalcyber.com/references/285c038b-e5fc-57ef-9a98-d9e24c52e2cf)][[Kaspersky ToddyCat Check Logs October 2023](https://app.tidalcyber.com/references/dbdaf320-eada-5bbb-95ab-aaa987ed7960)]", + "meta": { + "group_attack_id": "G1022", + "source": "MITRE" + }, + "related": [], + "uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", + "value": "ToddyCat" + }, { "description": "[Tonto Team](https://app.tidalcyber.com/groups/9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. 
[Tonto Team](https://app.tidalcyber.com/groups/9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[[Kaspersky CactusPete Aug 2020](https://app.tidalcyber.com/references/1c393964-e717-45ad-8eb6-5df5555d3c70)][[ESET Exchange Mar 2021](https://app.tidalcyber.com/references/c83f1810-22bb-4def-ab2f-3f3d67703f47)][[FireEye Chinese Espionage October 2019](https://app.tidalcyber.com/references/d37c069c-7fb8-44e1-8377-da97e8bbcf67)][[ARS Technica China Hack SK April 2017](https://app.tidalcyber.com/references/c9c647b6-f4fb-44d6-9376-23c1ae9520b4)][[Trend Micro HeartBeat Campaign January 2013](https://app.tidalcyber.com/references/f42a36c2-1ca5-49ff-a7ec-7de90379a6d5)][[Talos Bisonal 10 Years March 2020](https://app.tidalcyber.com/references/6844e59b-d393-43df-9978-e3e3cc7b8db6)]", "meta": { 
@@ -4706,6 +4915,30 @@ "uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "value": "Turla" }, + { + "description": "UAT4356 (aka Storm-1849) is an actor attributed to the ArcaneDoor campaign targeting Cisco Adaptive Security Appliance (ASA) network devices. The suspected espionage activity targeted unspecified government institutions around the world.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)] Anonymous sources indicated that the ArcaneDoor campaign appeared aligned with China's state interests.[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]", + "meta": { + "country": "CN", + "group_attack_id": "G5022", + "observed_motivations": [ + "Cyber Espionage" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "a159c91c-5258-49ea-af7d-e803008d97d3", + "6bb2f579-a5cd-4647-9dcd-eff05efe3679", + "c25f341a-7030-4688-a00b-6d637298e52e", + "9768aada-9d63-4d46-ab9f-d41b8c8e4010" + ], + "target_categories": [ + "Government" + ] + }, + "related": [], + "uuid": "f69c7e2f-b616-4782-b2f3-28e9b6702eb4", + "value": "UAT4356" + }, { "description": "Vice Society is an extortion-focused threat actor group first observed in mid-2021. The group gained notoriety after targeting a considerable number of educational institutions, especially lower education institutions. Although the education sector accounts for a disproportionate amount of the group’s victims, Vice Society has claimed victims in multiple other industries too, including the healthcare, retail, financial, insurance, and public services sectors. The group regularly pressures victims into paying a ransom by threatening to leak data exfiltrated during its intrusions. Vice Society is not known to have developed its own ransomware, instead deploying other existing families, including HELLOKITTY/FIVEHANDS and Zeppelin.[[U.S. 
CISA Vice Society September 2022](/references/0a754513-5f20-44a0-8cea-c5d9519106c8)]\n\n**Related Vulnerabilities**: CVE-2021-1675[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)], CVE-2021-34527[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)]", "meta": { @@ -5061,6 +5294,9 @@ "Cyber Espionage" ], "source": "MITRE", + "tags": [ + "b20e7912-6a8d-46e3-8e13-9a3fc4813852" + ], "target_categories": [ "Aerospace", "Construction", diff --git a/clusters/tidal-references.json b/clusters/tidal-references.json index 6e5308a..bf5c663 100644 --- a/clusters/tidal-references.json +++ b/clusters/tidal-references.json @@ -862,6 +862,20 @@ "uuid": "a981e013-f839-46e9-9c8a-128c4897f77a", "value": "Microsoft Remote Desktop Services" }, + { + "description": "Apple Support. (n.d.). About systemsetup in Remote Desktop. Retrieved March 27, 2024.", + "meta": { + "date_accessed": "2024-03-27T00:00:00Z", + "refs": [ + "https://support.apple.com/en-gb/guide/remote-desktop/apd95406b8d/mac" + ], + "source": "MITRE", + "title": "About systemsetup in Remote Desktop" + }, + "related": [], + "uuid": "a85bd111-a2ca-5e66-b90e-f52ff780fc5c", + "value": "systemsetup mac time" + }, { "description": "Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.", "meta": { 
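Review bot: The new UAT4356 object sets `"country": "CN"` as a structured attribute, while its own description says only that anonymous sources indicated ArcaneDoor `appeared aligned with China's state interests`. The galaxy already uses `country` for assessed attributions (OilRig carries `IR` while described as a suspected Iranian group), so this is a question of evidentiary bar rather than schema, but here the sole support is an anonymously sourced press report and the structured field carries no confidence marker. Consider leaving `country` unset until a vendor assessment is cited, or, if Tidal Cyber's upstream record sets it, saying so in the PR so the value is traceable.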
@@ -963,6 +977,21 @@ "uuid": "70c217c3-83a2-40f2-8f47-b68d8bd4cdf0", "value": "NCC Group Chimera January 2021" }, + { + "description": "Trend Micro. (2023, June 6). Abusing Electronbased applications in targeted attacks. Retrieved March 7, 2024.", + "meta": { + "date_accessed": "2024-03-07T00:00:00Z", + "date_published": "2023-06-06T00:00:00Z", + "refs": [ + "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLP-CLEAR-Horejsi-Abusing-Electron-Based-Applications-in-Targeted-Attacks.pdf" + ], + "source": "MITRE", + "title": "Abusing Electronbased applications in targeted attacks" + }, + "related": [], + "uuid": "0be977fd-7b7e-5ddb-aa0c-def81b97b2a5", + "value": "Electron 2" + }, { "description": "Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved March 5, 2019.", "meta": { @@ -1218,6 +1247,21 @@ "uuid": "f3f2eca0-fda3-451e-bf13-aacb14668e48", "value": "Unit42 AcidBox June 2020" }, + { + "description": "Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024.", + "meta": { + "date_accessed": "2024-03-25T00:00:00Z", + "date_published": "2022-03-31T00:00:00Z", + "refs": [ + "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/" + ], + "source": "MITRE", + "title": "AcidRain | A Modem Wiper Rains Down on Europe" + }, + "related": [], + "uuid": "bd4a7b2e-a387-5e1b-9d9e-52464a8e25c9", + "value": "AcidRain JAGS 2022" + }, { "description": "Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.", "meta": { 
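Review bot: The added `Electron 2` reference spells the title `Abusing Electronbased applications in targeted attacks` in both `description` and `title`, while the filename in its own `refs` reads `...Abusing-Electron-Based-Applications-in-Targeted-Attacks.pdf`, so the hyphen in `Electron-based` has been lost. If the string mirrors the upstream MITRE citation verbatim, this is inherited and best reported there; otherwise `"title": "Abusing Electron-based applications in targeted attacks"` matches the linked document.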
@@ -1352,6 +1396,21 @@ "uuid": "32150673-5593-4a2c-9872-aaa96a21aa5c", "value": "Microsoft SID-History Attribute" }, + { + "description": "Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.", + "meta": { + "date_accessed": "2024-02-27T00:00:00Z", + "date_published": "2024-01-10T00:00:00Z", + "refs": [ + "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" + ], + "source": "MITRE", + "title": "Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN" + }, + "related": [], + "uuid": "93eda380-ea21-59e0-97e8-5bec1f9a0e71", + "value": "Volexity Ivanti Zero-Day Exploitation January 2024" + }, { "description": "Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.", "meta": { @@ -1826,6 +1885,20 @@ "uuid": "5b6b909d-870a-4d14-85ec-6aa14e598740", "value": "FireEye APT Groups" }, + { + "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.", + "meta": { + "date_accessed": "2024-02-14T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/insights/apt-groups" + ], + "source": "MITRE", + "title": "Advanced Persistent Threats (APTs)" + }, + "related": [], + "uuid": "2d16615b-09fc-5925-8f59-6d20f334d236", + "value": "Mandiant Advanced Persistent Threats" + }, { "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved September 14, 2023.", "meta": { 
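Review bot: The added `Mandiant Advanced Persistent Threats` reference has the same author, title and source as the existing entry that immediately follows it (`Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved September 14, 2023.`), differing only in `date_accessed`, `uuid` and `value`. If the existing entry's `refs` URL is also `https://www.mandiant.com/resources/insights/apt-groups` (not visible in this hunk), this is a duplicate reference object and consumers that key on URL or title will see two records for one document. If both are required because upstream MITRE cites them under distinct keys, a line in the PR saying so would stop the pair being flagged again; otherwise collapse them into one entry.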
@@ -1856,6 +1929,20 @@ "uuid": "9aef57b1-1a2e-4833-815e-887616cc0570", "value": "Advanced_sec_audit_policy_settings" }, + { + "description": "CrowdStrike, Falcon OverWatch Team. (2022, December 30). Retrieved October 19, 2023.", + "meta": { + "date_accessed": "2023-10-19T00:00:00Z", + "refs": [ + "https://www.crowdstrike.com/blog/4-ways-adversaries-hijack-dlls/" + ], + "source": "MITRE", + "title": "Adversaries Hijack DLLs" + }, + "related": [], + "uuid": "01836e53-4316-51a7-852c-01e585212276", + "value": "Adversaries Hijack DLLs" + }, { "description": "CrowdStrike. (2021, September 30). Adversary Profile - Ricochet Chollima. Retrieved September 30, 2021.", "meta": { @@ -2128,6 +2215,21 @@ "uuid": "f8b837fb-e46c-4153-8e86-dc4b909b393a", "value": "ESET Zebrocy May 2019" }, + { + "description": "Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.", + "meta": { + "date_accessed": "2024-04-04T00:00:00Z", + "date_published": "2023-11-29T00:00:00Z", + "refs": [ + "https://www.trellix.com/blogs/research/akira-ransomware/" + ], + "source": "MITRE", + "title": "Akira Ransomware" + }, + "related": [], + "uuid": "df191993-a2cb-5d26-960c-11d1c6d3d73b", + "value": "Kersten Akira 2023" + }, { "description": "SEQBOSS. (2023, August 10). AKIRA RANSOMWARE ANALYSIS. Retrieved April 3, 2024.", "meta": { 
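Review bot: The new `Adversaries Hijack DLLs` reference is missing the title in its `description` and has no `date_published`, unlike the other references added in this file: the description reads `CrowdStrike, Falcon OverWatch Team. (2022, December 30). Retrieved October 19, 2023.` with nothing between the date and `Retrieved`, while the `Akira Ransomware` entry added in the same commit records `"date_published": "2023-11-29T00:00:00Z"`. The publication date is already stated in the citation, so `"date_published": "2022-12-30T00:00:00Z",` can be added after `date_accessed`, and the description should carry the title given in the `title` field. If the description is copied verbatim from the upstream MITRE citation, the omission is inherited and worth reporting there as well.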
@@ -2175,6 +2277,21 @@ "uuid": "809db259-3557-5597-9d1a-7c00cc10b89c", "value": "Microsoft AKS Azure AD 2023" }, + { + "description": "Venkat Viswanathan. (2023, June 13). A leap forward in token security: Okta adds support for DPoP. Retrieved January 2, 2024.", + "meta": { + "date_accessed": "2024-01-02T00:00:00Z", + "date_published": "2023-06-13T00:00:00Z", + "refs": [ + "https://www.okta.com/blog/2023/06/a-leap-forward-in-token-security-okta-adds-support-for-dpop/" + ], + "source": "MITRE", + "title": "A leap forward in token security: Okta adds support for DPoP" + }, + "related": [], + "uuid": "d792ede9-6ff6-5fae-a045-fd8b57abd3d3", + "value": "Okta DPoP 2023" + }, { "description": "US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.", "meta": { @@ -3043,6 +3160,21 @@ "uuid": "d14442d5-2557-4a92-9a29-b15a20752f56", "value": "Dragos Crashoverride 2018" }, + { + "description": "Keshet, Lior. Kessem, Limor. (2017, January 25). Anatomy of an hVNC Attack. Retrieved November 28, 2023.", + "meta": { + "date_accessed": "2023-11-28T00:00:00Z", + "date_published": "2017-01-25T00:00:00Z", + "refs": [ + "https://securityintelligence.com/anatomy-of-an-hvnc-attack/" + ], + "source": "MITRE", + "title": "Anatomy of an hVNC Attack" + }, + "related": [], + "uuid": "293c5d41-cd23-5da5-9d2b-754b626bc22a", + "value": "Anatomy of an hVNC Attack" + }, { "description": "Drysdale, D. (2014, July 16). Anatomy of a system call, part 2. Retrieved June 16, 2020.", "meta": { 
@@ -3132,6 +3264,22 @@ "uuid": "f4efbcb5-494c-40e0-8734-5df1b92ec39c", "value": "Kaspersky Andariel Ransomware June 2021" }, + { + "description": "Pankaj Kohli. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved October 30, 2023.", + "meta": { + "date_accessed": "2023-10-30T00:00:00Z", + "date_published": "2021-11-23T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" + ], + "source": "Tidal Cyber", + "title": "Android APT spyware, targeting Middle East victims, enhances evasiveness" + }, + "related": [], + "uuid": "305c201b-ccc6-4e28-a1cb-97ca697bb214", + "value": "Sophos X-Ops C-23" + }, { "description": "Plummer, D. (1982, November). An Ethernet Address Resolution Protocol. Retrieved October 15, 2020.", "meta": { 
@@ -3552,12 +3700,42 @@ "uuid": "12df02e3-bbdd-4682-9662-1810402ad918", "value": "AppArmor official" }, + { + "description": "Administrator. (2020, May 26). APPDOMAINMANAGER INJECTION AND DETECTION. Retrieved March 28, 2024.", + "meta": { + "date_accessed": "2024-03-28T00:00:00Z", + "date_published": "2020-05-26T00:00:00Z", + "refs": [ + "https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/" + ], + "source": "MITRE", + "title": "APPDOMAINMANAGER INJECTION AND DETECTION" + }, + "related": [], + "uuid": "f681fd40-5bfc-50c6-a654-f9a128af5ff1", + "value": "PenTestLabs AppDomainManagerInject" + }, + { + "description": "Spagnola, N. (2023, May 5). AppDomain Manager Injection: New Techniques For Red Teams. Retrieved March 29, 2024.", + "meta": { + "date_accessed": "2024-03-29T00:00:00Z", + "date_published": "2023-05-05T00:00:00Z", + "refs": [ + "https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/" + ], + "source": "MITRE", + "title": "AppDomain Manager Injection: New Techniques For Red Teams" + }, + "related": [], + "uuid": "881f8d23-908f-58cf-904d-5ef7b959eb39", + "value": "Rapid7 AppDomain Manager Injection" + }, { "description": "Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.", "meta": { "date_accessed": "2016-07-18T00:00:00Z", "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" + "https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" ], "source": "MITRE", "title": "Appendix C (Digital) - The Malware Arsenal" 
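Review bot: The `Appendix C (Digital) - The Malware Arsenal` reference swaps its URL from the FireEye appendix zip to `https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf`, but `date_accessed` stays `2016-07-18T00:00:00Z`, which cannot be when a path whose segment reads `2021-09` was retrieved. If that PDF is the main APT1 report rather than the digital appendix archive, the `title` and `description` also no longer describe the linked document. Either set `date_accessed` to the date the new URL was verified and adjust the title to match, or keep the original appendix URL and add an archived copy alongside it.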
@@ -3684,19 +3862,34 @@
 "value": "applescript signing"
 },
 {
- "description": "Corio, C., & Sayana, D. P.. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
+ "description": "Microsoft. (2023, December 15). Application and service principal objects in Microsoft Entra ID. Retrieved February 28, 2024.",
 "meta": {
- "date_accessed": "2014-11-18T00:00:00Z",
- "date_published": "2008-06-01T00:00:00Z",
+ "date_accessed": "2024-02-28T00:00:00Z",
+ "date_published": "2023-12-15T00:00:00Z",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc510322(v=msdn.10)?redirectedfrom=MSDN"
+ "https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser"
 ],
 "source": "MITRE",
- "title": "Application Lockdown with Software Restriction Policies"
+ "title": "Application and service principal objects in Microsoft Entra ID"
 },
 "related": [],
- "uuid": "5dab4466-0871-486a-84ad-0e648b2e937d",
- "value": "Microsoft Application Lockdown"
+ "uuid": "2a20c574-3e69-5da6-887e-68e34cee7562",
+ "value": "Microsoft Entra ID Service Principals"
+ },
+ {
+ "description": "Microsoft. (2021, September 15). Application domains. Retrieved March 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-28T00:00:00Z",
+ "date_published": "2021-09-15T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/dotnet/framework/app-domains/application-domains"
+ ],
+ "source": "MITRE",
+ "title": "Application domains"
+ },
+ "related": [],
+ "uuid": "268e7ade-c0a8-5859-8b16-6fa8aa3b0cb7",
+ "value": "Microsoft App Domains"
 },
 {
 "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
@@ -3713,6 +3906,21 @@
 "uuid": "cae409ca-1c77-45df-88cd-c0998ac724ec",
 "value": "Corio 2008"
 },
+ {
+ "description": "Corio, C., & Sayana, D. P.. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
+ "meta": {
+ "date_accessed": "2014-11-18T00:00:00Z",
+ "date_published": "2008-06-01T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc510322(v=msdn.10)?redirectedfrom=MSDN"
+ ],
+ "source": "MITRE",
+ "title": "Application Lockdown with Software Restriction Policies"
+ },
+ "related": [],
+ "uuid": "5dab4466-0871-486a-84ad-0e648b2e937d",
+ "value": "Microsoft Application Lockdown"
+ },
 {
 "description": "Beechey, J.. (2014, November 18). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.",
 "meta": {
@@ -4254,6 +4462,21 @@
 "uuid": "8a44368f-3348-4817-aca7-81bfaca5ae6d",
 "value": "FireEye APT40 March 2019"
 },
+ {
+ "description": "Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-22T00:00:00Z",
+ "date_published": "2022-08-18T00:00:00Z",
+ "refs": [
+ "https://www.group-ib.com/blog/apt41-world-tour-2021/"
+ ],
+ "source": "MITRE",
+ "title": "APT41 World Tour 2021 on a tight schedule"
+ },
+ "related": [],
+ "uuid": "b6e7fb29-7935-5454-8fb2-37585c46324a",
+ "value": "Rostovcev APT41 2021"
+ },
 {
 "description": "Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.",
 "meta": {
@@ -4268,6 +4491,36 @@
 "uuid": "10b3e476-a0c5-41fd-8cb8-5bfb245b118f",
 "value": "Mandiant APT42"
 },
+ {
+ "description": "National Security Agency. (2022, December). APT5: Citrix ADC Threat Hunting Guidance. Retrieved February 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-05T00:00:00Z",
+ "date_published": "2022-12-01T00:00:00Z",
+ "refs": [
+ "https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF"
+ ],
+ "source": "MITRE",
+ "title": "APT5: Citrix ADC Threat Hunting Guidance"
+ },
+ "related": [],
+ "uuid": "916e2137-46e6-53c2-a917-5b5b5c4bae3a",
+ "value": "NSA APT5 Citrix Threat Hunting December 2022"
+ },
+ {
+ "description": "Stefanko, L. (2020, September 30). APT‑C‑23 group evolves its Android spyware. Retrieved March 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-04T00:00:00Z",
+ "date_published": "2020-09-30T00:00:00Z",
+ "refs": [
+ "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"
+ ],
+ "source": "MITRE",
+ "title": "APT‑C‑23 group evolves its Android spyware"
+ },
+ "related": [],
+ "uuid": "7196226e-7d0d-5e14-a4e3-9b6322537039",
+ "value": "welivesecurity_apt-c-23"
+ },
 {
 "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.",
 "meta": {
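Review bot: The ESET entry's description and title spell the group as `APT‑C‑23` with a non-ASCII hyphen (it renders like a dash but is a different code point from the plain `-` in the neighbouring `APT-C-36` entry, probably a non-breaking hyphen carried over from the source page), so a plain-text search or a string match on "APT-C-23" in this file will not find it. Normalizing the description and title to ASCII hyphens, as the entry's own `"value": "welivesecurity_apt-c-23"` already does, would make the record matchable; if the text is mirrored verbatim from upstream, the normalization belongs in the import step. The NSA APT5 entry in the same hunk looks fine.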
@@ -4357,6 +4610,21 @@
 "uuid": "dabad6df-1e31-4c16-9217-e079f2493b02",
 "value": "Proofpoint TA459 April 2017"
 },
+ {
+ "description": "Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-03T00:00:00Z",
+ "date_published": "2022-06-21T00:00:00Z",
+ "refs": [
+ "https://securelist.com/toddycat/106799/"
+ ],
+ "source": "MITRE",
+ "title": "APT ToddyCat"
+ },
+ "related": [],
+ "uuid": "285c038b-e5fc-57ef-9a98-d9e24c52e2cf",
+ "value": "Kaspersky ToddyCat June 2022"
+ },
 {
 "description": "Global Research and Analysis Team . (2018, April 12). APT Trends report Q1 2018. Retrieved January 27, 2021.",
 "meta": {
@@ -4417,6 +4685,38 @@
 "uuid": "fe28042c-d289-463f-9ece-1a75a70b966e",
 "value": "Securelist APT Trends Q2 2017"
 },
+ {
+ "description": "Andy Greenberg. (2024, April 24). ‘ArcaneDoor’ Cyberspies Hacked Cisco Firewalls to Access Government Networks. Retrieved May 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-06T00:00:00Z",
+ "date_published": "2024-04-24T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.wired.com/story/arcanedoor-cyberspies-hacked-cisco-firewalls-to-access-government-networks/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "‘ArcaneDoor’ Cyberspies Hacked Cisco Firewalls to Access Government Networks"
+ },
+ "related": [],
+ "uuid": "05a8afd3-0173-41ca-b23b-196ea0f3b1c1",
+ "value": "Wired ArcaneDoor April 24 2024"
+ },
+ {
+ "description": "Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved May 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-06T00:00:00Z",
+ "date_published": "2024-04-24T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices"
+ },
+ "related": [],
+ "uuid": "531c3f6f-2d2b-4774-b069-e2b7a13602c1",
+ "value": "Cisco Talos ArcaneDoor April 24 2024"
+ },
 {
 "description": "Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019.",
 "meta": {
@@ -4492,6 +4792,37 @@
 "uuid": "e7091d66-7faa-49d6-b16f-be1f79db4471",
 "value": "FireEye Respond Webinar July 2017"
 },
+ {
+ "description": "Dusty Miller. (2023, October 17). Are You Sure Your Browser is Up to Date? The Current Landscape of Fake Browser Updates . Retrieved February 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-13T00:00:00Z",
+ "date_published": "2023-10-17T00:00:00Z",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates"
+ ],
+ "source": "MITRE",
+ "title": "Are You Sure Your Browser is Up to Date? The Current Landscape of Fake Browser Updates"
+ },
+ "related": [],
+ "uuid": "89e913a8-1d52-53fe-b692-fb72e21d794f",
+ "value": "Browser-updates"
+ },
+ {
+ "description": "Threat & Detection Research Team. (2023, October 26). AridViper, an intrusion set allegedly associated with Hamas. Retrieved October 30, 2023.",
+ "meta": {
+ "date_accessed": "2023-10-30T00:00:00Z",
+ "date_published": "2023-10-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.sekoia.io/aridviper-an-intrusion-set-allegedly-associated-with-hamas/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "AridViper, an intrusion set allegedly associated with Hamas"
+ },
+ "related": [],
+ "uuid": "963a97b9-71b2-46e7-8315-1d7ef76d832c",
+ "value": "Sekoia.io AridViper"
+ },
 {
 "description": "Microsoft. (n.d.). Arp. Retrieved April 17, 2016.",
 "meta": {
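Review bot: The new Proofpoint entry's `"value": "Browser-updates"` is a bare citation key rather than the `Source Title Date` form used by its neighbours (`"Sekoia.io AridViper"`, `"FireEye Respond Webinar July 2017"`), and `value` looks like the display name this cluster is listed and matched by, so these keys are what an analyst sees. The same pattern recurs in later hunks of this chunk: `"Obfuscated scripts"`, `"T1105: Trellix_search-ms"`, `"WMI 6"`, `"1 - appv"`, `"Morphisec 3 26 2024"` and `"mod_rewrite"`. If these come verbatim from the upstream feed, a line in the importer or README stating that `value` is the upstream citation key and is not normalized would save the next reader a search; otherwise a rename along the lines of `"value": "Proofpoint Fake Browser Updates October 2023"`, keeping the uuid, would bring them in line.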
@@ -4612,6 +4943,34 @@
 "uuid": "5276508c-6792-56be-b757-e4b495ef6c37",
 "value": "Mandiant UNC2452 APT29 April 2022"
 },
+ {
+ "description": "Microsoft. (n.d.). Assembly.Load Method. Retrieved February 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-09T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/dotnet/api/system.reflection.assembly.load"
+ ],
+ "source": "MITRE",
+ "title": "Assembly.Load Method"
+ },
+ "related": [],
+ "uuid": "3d980d7a-7074-5812-9bb1-ca8e27e028bd",
+ "value": "Microsoft AssemblyLoad"
+ },
+ {
+ "description": "Kubernetes. (n.d.). Assigning Pods to Nodes. Retrieved February 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-15T00:00:00Z",
+ "refs": [
+ "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/"
+ ],
+ "source": "MITRE",
+ "title": "Assigning Pods to Nodes"
+ },
+ "related": [],
+ "uuid": "fe6ba97b-ff61-541b-9a67-a835290dc4ab",
+ "value": "Kubernetes Assigning Pods to Nodes"
+ },
 {
 "description": "Plett, C. et al.. (2017, October 15). assoc. Retrieved August 7, 2018.",
 "meta": {
@@ -4942,6 +5301,21 @@
 "uuid": "597a4d8b-ffb2-4551-86db-b319f5a5b707",
 "value": "FireEye TRITON 2017"
 },
+ {
+ "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.",
+ "meta": {
+ "date_accessed": "2018-01-12T00:00:00Z",
+ "date_published": "2017-12-14T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
+ ],
+ "source": "MITRE",
+ "title": "Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure"
+ },
+ "related": [],
+ "uuid": "d4ca3351-eeb8-5342-8c85-806614e22c48",
+ "value": "FireEye TRITON Dec 2017"
+ },
 {
 "description": "Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.",
 "meta": {
@@ -4987,6 +5361,21 @@
 "uuid": "efcbbbdd-9af1-46c2-8538-3fd22f2b67d2",
 "value": "Unit 42 Unsecured Docker Daemons"
 },
+ {
+ "description": "Tiago Pereira. (2023, November 2). Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”. Retrieved January 2, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-02T00:00:00Z",
+ "date_published": "2023-11-02T00:00:00Z",
+ "refs": [
+ "https://blog.talosintelligence.com/roblox-scam-overview/"
+ ],
+ "source": "MITRE",
+ "title": "Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”"
+ },
+ "related": [],
+ "uuid": "9371ee4a-ac23-5acb-af3f-132ef3645392",
+ "value": "Talos Roblox Scam 2023"
+ },
 {
 "description": "Bullock, B.. (2016, October 3). Attacking Exchange with MailSniper. Retrieved October 6, 2019.",
 "meta": {
@@ -5167,6 +5556,21 @@
 "uuid": "dec646d4-8b32-5091-b097-abe887aeca96",
 "value": "Microsoft ASR Obfuscation"
 },
+ {
+ "description": "Microsoft. (2024, March 4). Attack surface reduction rules reference. Retrieved March 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-29T00:00:00Z",
+ "date_published": "2024-03-04T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-execution-of-potentially-obfuscated-scripts"
+ ],
+ "source": "MITRE",
+ "title": "Attack surface reduction rules reference"
+ },
+ "related": [],
+ "uuid": "2b4dcb27-f32e-50f0-83e0-350659e49f0b",
+ "value": "Obfuscated scripts"
+ },
 {
 "description": "Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.",
 "meta": {
@@ -5227,6 +5631,21 @@
 "uuid": "5c183c97-0ab2-4b75-8dbc-9db92a929ff4",
 "value": "TechNet Credential Theft"
 },
+ {
+ "description": "Antony J. Blinken, US Department of State. (2022, May 10). Attribution of Russia’s Malicious Cyber Activity Against Ukraine. Retrieved March 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-25T00:00:00Z",
+ "date_published": "2022-05-10T00:00:00Z",
+ "refs": [
+ "https://www.state.gov/attribution-of-russias-malicious-cyber-activity-against-ukraine/"
+ ],
+ "source": "MITRE",
+ "title": "Attribution of Russia’s Malicious Cyber Activity Against Ukraine"
+ },
+ "related": [],
+ "uuid": "9d514c52-9def-5b11-aa06-fdf3ee9923ed",
+ "value": "AcidRain State Department 2022"
+ },
 {
 "description": "Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.",
 "meta": {
@@ -6848,6 +7267,21 @@
 "uuid": "85069317-2c25-448b-9ff4-504e429dc1bf",
 "value": "Microsoft Dofoil 2018"
 },
+ {
+ "description": "Noah Corradin and Shuyang Wang. (2023, August 1). Behind The Breach: Self-Service Password Reset (SSPR) Abuse in Azure AD. Retrieved March 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-28T00:00:00Z",
+ "date_published": "2023-08-01T00:00:00Z",
+ "refs": [
+ "https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/"
+ ],
+ "source": "MITRE",
+ "title": "Behind The Breach: Self-Service Password Reset (SSPR) Abuse in Azure AD"
+ },
+ "related": [],
+ "uuid": "7f28f770-ef06-5923-b759-b731ceabe08a",
+ "value": "Obsidian SSPR Abuse 2023"
+ },
 {
 "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.",
 "meta": {
@@ -6938,6 +7372,21 @@
 "uuid": "eef7cd8a-8cb6-4b24-ba49-9b17353d20b5",
 "value": "Shadowbunny VM Defense Evasion"
 },
+ {
+ "description": "Mathanraj Thangaraju, Sijo Jacob. (2023, July 26). Beyond File Search: A Novel Method for Exploiting the \"search-ms\" URI Protocol Handler. Retrieved March 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-15T00:00:00Z",
+ "date_published": "2023-07-26T00:00:00Z",
+ "refs": [
+ "https://www.trellix.com/blogs/research/beyond-file-search-a-novel-method/"
+ ],
+ "source": "MITRE",
+ "title": "Beyond File Search: A Novel Method for Exploiting the \"search-ms\" URI Protocol Handler"
+ },
+ "related": [],
+ "uuid": "7079d170-9ead-5be4-bbc8-13c3f082b3dd",
+ "value": "T1105: Trellix_search-ms"
+ },
 {
 "description": "Hexacorn. (2014, April 16). Beyond good ol’ Run key, Part 10. Retrieved July 3, 2017.",
 "meta": {
@@ -7361,6 +7810,22 @@
 "uuid": "a8145e38-c2a4-5021-824d-5a831299b9d9",
 "value": "Uptycs Black Basta ESXi June 2022"
 },
+ {
+ "description": "Elliptic Research. (2023, November 29). Black Basta ransomware victims have paid over $100 million. Retrieved May 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-14T00:00:00Z",
+ "date_published": "2023-11-29T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.elliptic.co/blog/black-basta-ransomware-victims-have-paid-over-100-million"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Black Basta ransomware victims have paid over $100 million"
+ },
+ "related": [],
+ "uuid": "dc7579c0-911d-417d-bba5-bc36e078b640",
+ "value": "Elliptic Black Basta November 29 2023"
+ },
 {
 "description": "Ballmer, D. (2022, May 6). Black Basta: Rebrand of Conti or Something New?. Retrieved March 7, 2023.",
 "meta": {
@@ -7376,6 +7841,21 @@
 "uuid": "32a272fe-ac10-5478-88a0-b3dd366ec540",
 "value": "BlackBerry Black Basta May 2022"
 },
+ {
+ "description": "Microsoft. (2022, June 13). BlackCat. Retrieved February 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-13T00:00:00Z",
+ "date_published": "2022-06-13T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
+ ],
+ "source": "MITRE",
+ "title": "BlackCat"
+ },
+ "related": [],
+ "uuid": "df07a086-0d38-570b-b0c5-9f5061212db7",
+ "value": "WMI 6"
+ },
 {
 "description": "FBI. (2022, April 19). BlackCat/ALPHV Ransomware Indicators of Compromise. Retrieved September 14, 2023.",
 "meta": {
@@ -7423,6 +7903,21 @@
 "uuid": "59f98ae1-c62d-460f-8d2a-9ae287b59953",
 "value": "BlackBerry BlackCat Threat Overview"
 },
+ {
+ "description": "Carvey, H. (2024, February 28). BlackCat Ransomware Affiliate TTPs. Retrieved March 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-27T00:00:00Z",
+ "date_published": "2024-02-28T00:00:00Z",
+ "refs": [
+ "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps"
+ ],
+ "source": "MITRE",
+ "title": "BlackCat Ransomware Affiliate TTPs"
+ },
+ "related": [],
+ "uuid": "faa60cf9-0fc5-5728-90be-d0e11b48a921",
+ "value": "Huntress BlackCat"
+ },
 {
 "description": "Brandt, Andrew. (2022, July 14). BlackCat ransomware attacks not merely a byproduct of bad luck. Retrieved December 20, 2022.",
 "meta": {
@@ -7662,6 +8157,21 @@
 "uuid": "0c764280-9d8c-4fa4-9088-170f02550d4c",
 "value": "Blue Cloud of Death"
 },
+ {
+ "description": "SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-06T00:00:00Z",
+ "date_published": "2022-12-27T00:00:00Z",
+ "refs": [
+ "https://securelist.com/bluenoroff-methods-bypass-motw/108383/"
+ ],
+ "source": "MITRE",
+ "title": "BlueNoroff introduces new methods bypassing MoTW"
+ },
+ "related": [],
+ "uuid": "acdf0a7f-f341-5bec-bfe0-f879827f0185",
+ "value": "1 - appv"
+ },
 {
 "description": "Apple Inc. (2013, April 23). Bonjour Overview. Retrieved October 11, 2021.",
 "meta": {
@@ -7750,6 +8260,20 @@
 "uuid": "835c9e5d-b291-43d9-9b8a-2978aa8c8cd3",
 "value": "FireEye BOOTRASH SANS"
 },
+ {
+ "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019",
+ "meta": {
+ "date_accessed": "2019-10-22T00:00:00Z",
+ "refs": [
+ "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Booz Allen Hamilton"
+ },
+ "related": [],
+ "uuid": "7f0acd33-602e-5f07-a1ae-a87e3c8f2eb5",
+ "value": "Booz Allen Hamilton"
+ },
 {
 "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.",
 "meta": {
@@ -7824,6 +8348,22 @@
 "uuid": "fa813afd-b8f0-535b-9108-6d3d3989b6b9",
 "value": "Brazking-Websockets"
 },
+ {
+ "description": "Arnold Osipov. (2024, March 26). Breaking Boundaries Mispadu's Infiltration Beyond LATAM. Retrieved April 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-04-04T00:00:00Z",
+ "date_published": "2024-03-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.morphisec.com/mispadu-infiltration-beyond-latam"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Breaking Boundaries Mispadu's Infiltration Beyond LATAM"
+ },
+ "related": [],
+ "uuid": "38d88851-1b71-4ed7-88e3-2ee5c3876c06",
+ "value": "Morphisec 3 26 2024"
+ },
 {
 "description": "MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.",
 "meta": {
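Review bot: In the first hunk the new Booz Allen record has `"title": "Booz Allen Hamilton"` and `"value": "Booz Allen Hamilton"`, so the publisher's name stands in for the report title even though the description names the report as "When The Lights Went Out" and the linked PDF is `ukraine-report-when-the-lights-went-out.pdf`; the description is also the only one in this chunk without a closing period. Since `title` is the field rendered for the reference, `"title": "When The Lights Went Out"` would match both the description and the link. If this mirrors the upstream record verbatim, the fix belongs upstream rather than in a local patch, but it is worth flagging either way.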
@@ -8020,6 +8560,20 @@
 "uuid": "c62d8d1a-cd1b-4b39-95b6-68f3f063dacf",
 "value": "Secureworks BRONZE BUTLER Oct 2017"
 },
+ {
+ "description": "Secureworks CTU. (n.d.). BRONZE FLEETWOOD. Retrieved February 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-05T00:00:00Z",
+ "refs": [
+ "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood"
+ ],
+ "source": "MITRE",
+ "title": "BRONZE FLEETWOOD"
+ },
+ "related": [],
+ "uuid": "4fbb113c-94b4-56fd-b292-1ccf84e1c8f3",
+ "value": "Secureworks BRONZE FLEETWOOD Profile"
+ },
 {
 "description": "Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.",
 "meta": {
@@ -8050,6 +8604,35 @@
 "uuid": "019889e0-a2ce-476f-9a31-2fc394de2821",
 "value": "Secureworks BRONZE PRESIDENT December 2019"
 },
+ {
+ "description": "SecureWorks. (n.d.). BRONZE STARLIGHT. Retrieved December 6, 2023.",
+ "meta": {
+ "date_accessed": "2023-12-06T00:00:00Z",
+ "refs": [
+ "https://www.secureworks.com/research/threat-profiles/bronze-starlight"
+ ],
+ "source": "MITRE",
+ "title": "BRONZE STARLIGHT"
+ },
+ "related": [],
+ "uuid": "d2e8cd95-fcd5-58e4-859a-c4724ec94ab4",
+ "value": "Dell SecureWorks BRONZE STARLIGHT Profile"
+ },
+ {
+ "description": "Counter Threat Unit Research Team . (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023.",
+ "meta": {
+ "date_accessed": "2023-12-07T00:00:00Z",
+ "date_published": "2022-06-23T00:00:00Z",
+ "refs": [
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader"
+ ],
+ "source": "MITRE",
+ "title": "BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER"
+ },
+ "related": [],
+ "uuid": "0b275cf9-a885-58cc-b859-112090a711e3",
+ "value": "SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022"
+ },
 {
 "description": "Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.",
 "meta": {
@@ -8361,6 +8944,21 @@
 "uuid": "d4e4cc8a-3246-463f-ba06-d68459d907d4",
 "value": "MsitPros CHM Aug 2017"
 },
+ {
+ "description": "Phil Stokes. (2021, July 1). Bypassing macOS TCC User Privacy Protections By Accident and Design. Retrieved March 21, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-21T00:00:00Z",
+ "date_published": "2021-07-01T00:00:00Z",
+ "refs": [
+ "https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/"
+ ],
+ "source": "MITRE",
+ "title": "Bypassing macOS TCC User Privacy Protections By Accident and Design"
+ },
+ "related": [],
+ "uuid": "4fc68e85-cd7a-5a15-84e3-8fbea0b28fd5",
+ "value": "TCC macOS bypass"
+ },
 {
 "description": "Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.",
 "meta": {
@@ -8406,21 +9004,6 @@
 "uuid": "74df644a-06b8-4331-85a3-932358d65b62",
 "value": "Hybrid Analysis Icacls1 June 2018"
 },
- {
- "description": "Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.",
- "meta": {
- "date_accessed": "2020-11-24T00:00:00Z",
- "date_published": "2016-08-31T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store"
- ],
- "source": "MITRE",
- "title": "Cached and Stored Credentials Technical Overview"
- },
- "related": [],
- "uuid": "c949a29b-bb31-4bd7-a967-ddd48c7efb8e",
- "value": "Microsoft Credential Manager store"
- },
 {
 "description": "Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.",
 "meta": {
@@ -8436,6 +9019,21 @@
 "uuid": "590ea63f-f800-47e4-8d39-df11a184ba84",
 "value": "Microsoft - Cached Creds"
 },
+ {
+ "description": "Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.",
+ "meta": {
+ "date_accessed": "2020-11-24T00:00:00Z",
+ "date_published": "2016-08-31T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store"
+ ],
+ "source": "MITRE",
+ "title": "Cached and Stored Credentials Technical Overview"
+ },
+ "related": [],
+ "uuid": "c949a29b-bb31-4bd7-a967-ddd48c7efb8e",
+ "value": "Microsoft Credential Manager store"
+ },
 {
 "description": "Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.",
 "meta": {
@@ -8558,21 +9156,6 @@
 "uuid": "bde61ee9-16f9-4bd9-a847-5cc9df21335c",
 "value": "FSI Andariel Campaign Rifle July 2017"
 },
- {
- "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.",
- "meta": {
- "date_accessed": "2018-08-23T00:00:00Z",
- "date_published": "2015-02-01T00:00:00Z",
- "refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf"
- ],
- "source": "MITRE, Tidal Cyber",
- "title": "CARBANAK APT THE GREAT BANK ROBBERY"
- },
- "related": [],
- "uuid": "2f7e77db-fe39-4004-9945-3c8943708494",
- "value": "Kaspersky Carbanak"
- },
 {
 "description": "Kaspersky Lab's Global Research & Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 27, 2017.",
 "meta": {
@@ -8588,6 +9171,21 @@
 "uuid": "053a2bbb-5509-4aba-bbd7-ccc3d8074291",
 "value": "KasperskyCarbanak"
 },
+ {
+ "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.",
+ "meta": {
+ "date_accessed": "2018-08-23T00:00:00Z",
+ "date_published": "2015-02-01T00:00:00Z",
+ "refs": [
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf"
+ ],
+ "source": "MITRE, Tidal Cyber",
+ "title": "CARBANAK APT THE GREAT BANK ROBBERY"
+ },
+ "related": [],
+ "uuid": "2f7e77db-fe39-4004-9945-3c8943708494",
+ "value": "Kaspersky Carbanak"
+ },
 {
 "description": "Griffin, N. (2017, January 17). CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL. Retrieved February 15, 2017.",
 "meta": {
@@ -8858,6 +9456,21 @@
 "uuid": "e61b035f-6247-47e3-918c-2892815dfddf",
 "value": "Cdb.exe - LOLBAS Project"
 },
+ {
+ "description": "Joseph Slowik, DomainTools. (2021, March 3). Centreon to Exim and Back: On the Trail of Sandworm. Retrieved April 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-04-06T00:00:00Z",
+ "date_published": "2021-03-03T00:00:00Z",
+ "refs": [
+ "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm/"
+ ],
+ "source": "MITRE",
+ "title": "Centreon to Exim and Back: On the Trail of Sandworm"
+ },
+ "related": [],
+ "uuid": "e1753588-bc53-5265-935e-cbbaf3e13a82",
+ "value": "Slowik Sandworm 2021"
+ },
 {
 "description": "Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.",
 "meta": {
@@ -9246,6 +9859,21 @@
 "uuid": "2885db46-4f8c-4c35-901c-7641c7701293",
 "value": "EclecticLightChecksonEXECodeSigning"
 },
+ {
+ "description": "Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-05T00:00:00Z",
+ "date_published": "2021-04-20T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day"
+ ],
+ "source": "MITRE",
+ "title": "Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day"
+ },
+ "related": [],
+ "uuid": "0760480c-97be-5fc9-a6aa-f1df91a314a3",
+ "value": "Mandiant Pulse Secure Zero-Day April 2021"
+ },
 {
 "description": "Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.",
 "meta": {
@@ -9366,6 +9994,22 @@
 "uuid": "de78446a-cb46-4422-820b-9ddf07557b1a",
 "value": "Hacker News LuckyMouse June 2018"
 },
+ {
+ "description": "Catalin Cimpanu. (2021, July 20). Chinese hacking group APT31 uses mesh of home routers to disguise attacks. Retrieved April 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-04-25T00:00:00Z",
+ "date_published": "2021-07-20T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://therecord.media/chinese-hacking-group-apt31-uses-mesh-of-home-routers-to-disguise-attacks"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Chinese hacking group APT31 uses mesh of home routers to disguise attacks"
+ },
+ "related": [],
+ "uuid": "41fc3724-85a0-4ad0-9494-47f89f3b079b",
+ "value": "The Record APT31 Router Hacks"
+ },
 {
 "description": "Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018.",
 "meta": {
@@ -9486,6 +10130,20 @@
 "uuid": "b019406c-6e39-41a2-a8b4-97f8d6482147",
 "value": "Azure AD Hybrid Identity"
 },
+ {
+ "description": "Huntress. (n.d.). Retrieved March 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-14T00:00:00Z",
+ "refs": [
+ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
+ ],
+ "source": "MITRE",
+ "title": "Chrome Remote Desktop"
+ },
+ "related": [],
+ "uuid": "c1b2d0e9-2396-5080-aea3-58a99c027d20",
+ "value": "Chrome Remote Desktop"
+ },
 {
 "description": "Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022.",
 "meta": {
@@ -9883,20 +10541,6 @@
 "uuid": "75b89502-21ed-4920-95cc-212eaf17f281",
 "value": "CL_Mutexverifiers.ps1 - LOLBAS Project"
 },
- {
- "description": "Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.",
- "meta": {
- "date_accessed": "2021-05-11T00:00:00Z",
- "refs": [
- "https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware"
- ],
- "source": "MITRE",
- "title": "Clop Ransomware"
- },
- "related": [],
- "uuid": "f54d682d-100e-41bb-96be-6a79ea422066",
- "value": "Cybereason Clop Dec 2020"
- },
 {
 "description": "Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.",
 "meta": {
@@ -9912,6 +10556,20 @@
 "uuid": "458141bd-7dd2-41fd-82e8-7ea2e4a477ab",
 "value": "Mcafee Clop Aug 2019"
 },
+ {
+ "description": "Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.",
+ "meta": {
+ "date_accessed": "2021-05-11T00:00:00Z",
+ "refs": [
+ "https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware"
+ ],
+ "source": "MITRE",
+ "title": "Clop Ransomware"
+ },
+ "related": [],
+ "uuid": "f54d682d-100e-41bb-96be-6a79ea422066",
+ "value": "Cybereason Clop Dec 2020"
+ },
 {
 "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.",
 "meta": {
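Review bot: The new `"Chrome Remote Desktop"` record in the first hunk has a description with no article title at all (`"Huntress. (n.d.). Retrieved March 14, 2024."`), and its only ref is a Huntress post whose URL is about ScreenConnect post-exploitation (`slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708`), so the title/value and the linked source do not describe the same thing. Anyone resolving this reference from a technique that cites Chrome Remote Desktop will land on an unrelated article; at minimum the description should carry the linked article's actual title, or the ref should be re-checked against the upstream record before this is merged. The Clop move across the next two hunks is a pure reorder and looks fine.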
@@ -10423,6 +11081,21 @@
 "uuid": "53ff662d-a0b3-41bd-ab9e-a9bb8bbdea25",
 "value": "Colorcpl.exe - LOLBAS Project"
 },
+ {
+ "description": "Bluescreenofjeff.com. (2015, April 12). Combatting Incident Responders with Apache mod_rewrite. Retrieved February 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-13T00:00:00Z",
+ "date_published": "2015-04-12T00:00:00Z",
+ "refs": [
+ "https://bluescreenofjeff.com/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/"
+ ],
+ "source": "MITRE",
+ "title": "Combatting Incident Responders with Apache mod_rewrite"
+ },
+ "related": [],
+ "uuid": "3568b09c-7368-5fc2-85b3-d16ee9b9c686",
+ "value": "mod_rewrite"
+ },
 {
 "description": "Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.",
 "meta": {
@@ -10647,6 +11320,21 @@
 "uuid": "a92b0d6c-b3e8-56a4-b1b4-1d117e59db84",
 "value": "Condi-Botnet-binaries"
 },
+ {
+ "description": "Okta. (2023, November 30). Conditional Access Based on Device Security Posture. Retrieved January 2, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-02T00:00:00Z",
+ "date_published": "2023-11-30T00:00:00Z",
+ "refs": [
+ "https://support.okta.com/help/s/article/Conditional-access-based-on-device-security-posture?language=en_US"
+ ],
+ "source": "MITRE",
+ "title": "Conditional Access Based on Device Security Posture"
+ },
+ "related": [],
+ "uuid": "c914578c-dcc2-539e-bb3d-50bf7a0e7101",
+ "value": "Okta Conditional Access Policies"
+ },
 {
 "description": "Microsoft. (2022, December 14). Conditional Access templates. Retrieved February 21, 2023.",
 "meta": {
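Review bot: In the `mod_rewrite` entry of the first hunk the description and `date_published` give 2015-04-12, but the linked URL path is `/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/`, which suggests the post dates from 2016; one of the two is wrong. If the URL is the authoritative one, `"date_published": "2016-04-12T00:00:00Z"` and `(2016, April 12)` in the description would bring the record into agreement. The Okta conditional-access entry in the second hunk is internally consistent.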
@@ -10662,6 +11350,21 @@
 "uuid": "9ed9870b-d09a-511d-96f9-4956f26d46bf",
 "value": "Microsoft Common Conditional Access Policies"
 },
+ {
+ "description": "Microsoft. (2023, October 23). Conditional Access: Token protection (preview). Retrieved January 2, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-02T00:00:00Z",
+ "date_published": "2023-10-23T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection"
+ ],
+ "source": "MITRE",
+ "title": "Conditional Access: Token protection (preview)"
+ },
+ "related": [],
+ "uuid": "aa4629cf-f11f-5921-9f72-5a8d3f752603",
+ "value": "Microsoft Token Protection 2023"
+ },
 {
 "description": "Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.",
 "meta": {
@@ -10855,21 +11558,6 @@
 "uuid": "ccd0d241-4ff7-4a15-b2b4-06945980c6bf",
 "value": "Windows RDP Sessions"
 },
- {
- "description": "Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.",
- "meta": {
- "date_accessed": "2017-11-27T00:00:00Z",
- "date_published": "2014-03-12T00:00:00Z",
- "refs": [
- "https://technet.microsoft.com/library/dn408187.aspx"
- ],
- "source": "MITRE",
- "title": "Configuring Additional LSA Protection"
- },
- "related": [],
- "uuid": "da3f1d7d-188f-4500-9bc6-3299ba043b5c",
- "value": "Microsoft LSA Protection Mar 2014"
- },
 {
 "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.",
 "meta": {
@@ -10900,6 +11588,21 @@
 "uuid": "3ad49746-4e42-4663-a49e-ae64152b9463",
 "value": "Microsoft LSA"
 },
+ {
+ "description": "Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.",
+ "meta": {
+ "date_accessed": "2017-11-27T00:00:00Z",
+ "date_published": "2014-03-12T00:00:00Z",
+ "refs": [
+ "https://technet.microsoft.com/library/dn408187.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Configuring Additional LSA Protection"
+ },
+ "related": [],
+ "uuid": "da3f1d7d-188f-4500-9bc6-3299ba043b5c",
+ "value": "Microsoft LSA Protection Mar 2014"
+ },
 {
 "description": "Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.",
 "meta": {
@@ -11078,6 +11781,21 @@
 "uuid": "57691166-5a22-44a0-8724-6b3b19658c3b",
 "value": "Content trust in Docker"
 },
+ {
+ "description": "Microsoft. (2024, February 27). Contextual file and folder exclusions. Retrieved March 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-29T00:00:00Z",
+ "date_published": "2024-02-27T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus"
+ ],
+ "source": "MITRE",
+ "title": "Contextual file and folder exclusions"
+ },
+ "related": [],
+ "uuid": "7a511f0d-8feb-5370-87db-b33b96ea2367",
+ "value": "Microsoft File Folder Exclusions"
+ },
 {
 "description": "Steven Campbell, Akshay Suthar, Connor Belfiore, Arctic Wolf Labs Team. (2023, July 26). Conti and Akira: Chained Together. Retrieved March 13, 2024.",
 "meta": {
@@ -11094,6 +11812,21 @@
 "uuid": "72e1b75b-edf7-45b0-9c14-14776a146d0e",
 "value": "Arctic Wolf Conti Akira July 26 2023"
 },
+ {
+ "description": "Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-20T00:00:00Z",
+ "date_published": "2023-07-26T00:00:00Z",
+ "refs": [
+ "https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/"
+ ],
+ "source": "MITRE",
+ "title": "Conti and Akira: Chained Together"
+ },
+ "related": [],
+ "uuid": "aa34f2a1-a398-5dc4-b898-cdc02afeca5d",
+ "value": "Arctic Wolf Akira 2023"
+ },
 {
 "description": "DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.",
 "meta": {
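Review bot: The added `Arctic Wolf Akira 2023` entry cites the same URL and title as the existing `Arctic Wolf Conti Akira July 26 2023` entry directly above it, but under a new `uuid` and with `related` left empty, so the cluster now carries two unlinked records for one source; the new description also spells the author `Belfiorre` where the existing entry has `Belfiore`. The same same-URL/different-UUID duplication appears in the two Okta cross-tenant impersonation entries, the `URI Unique` web-shell entry, the `mandiant-masking`/`Schema-abuse` pair and the `Ensilo Darkgate 2018` entry further down. If upstream keeps separate citation keys for one source, the duplicates could at least reference each other via `related` so consumers can collapse them.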
@@ -11971,6 +12704,36 @@
 "uuid": "51e67e37-2d61-4228-999b-bec6f80cf106",
 "value": "Bishop Fox Sliver Framework August 2019"
 },
+ {
+ "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-04T00:00:00Z",
+ "date_published": "2023-08-31T00:00:00Z",
+ "refs": [
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+ ],
+ "source": "MITRE",
+ "title": "Cross-Tenant Impersonation: Prevention and Detection"
+ },
+ "related": [],
+ "uuid": "77dbd22f-ce57-50f7-9c6b-8dc874a4d80d",
+ "value": "Okta Cross-Tenant Impersonation"
+ },
+ {
+ "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-15T00:00:00Z",
+ "date_published": "2023-08-31T00:00:00Z",
+ "refs": [
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+ ],
+ "source": "MITRE",
+ "title": "Cross-Tenant Impersonation: Prevention and Detection"
+ },
+ "related": [],
+ "uuid": "d54188b5-86eb-52a0-8384-823c45431762",
+ "value": "Okta Cross-Tenant Impersonation 2023"
+ },
 {
 "description": "Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017.",
 "meta": {
@@ -12327,6 +13090,51 @@
 "uuid": "96324ab1-7eb8-42dc-b19a-fa1d9f85e239",
 "value": "CustomShellHost.exe - LOLBAS Project"
 },
+ {
+ "description": "Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-27T00:00:00Z",
+ "date_published": "2024-01-31T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
+ ],
+ "source": "MITRE",
+ "title": "Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation"
+ },
+ "related": [],
+ "uuid": "5209d259-4293-58c0-bbdc-f30ff77d57f7",
+ "value": "Mandiant Cutting Edge Part 2 January 2024"
+ },
+ {
+ "description": "Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-01T00:00:00Z",
+ "date_published": "2024-02-27T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence"
+ ],
+ "source": "MITRE",
+ "title": "Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts"
+ },
+ "related": [],
+ "uuid": "49e5b125-5503-5cb0-9a56-a93f82b55753",
+ "value": "Mandiant Cutting Edge Part 3 February 2024"
+ },
+ {
+ "description": "McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-27T00:00:00Z",
+ "date_published": "2024-01-12T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day"
+ ],
+ "source": "MITRE",
+ "title": "Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation"
+ },
+ "related": [],
+ "uuid": "9d9ec923-89c1-5155-ae6e-98d4776d4250",
+ "value": "Mandiant Cutting Edge January 2024"
+ },
 {
 "description": "Symantec Security Response. (2012, June 18). CVE-2012-1875 Exploited in the Wild - Part 1 (Trojan.Naid). Retrieved February 22, 2018.",
 "meta": {
@@ -12628,6 +13436,36 @@
 "uuid": "a37564a4-ff83-4ce0-818e-80750172f302",
 "value": "CyberKnow Tweet July 7 2022"
 },
+ {
+ "description": "CISA. (2023, August). Cyber Safety Review Board: Lapsus. Retrieved January 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-05T00:00:00Z",
+ "date_published": "2023-08-01T00:00:00Z",
+ "refs": [
+ "https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Cyber Safety Review Board: Lapsus"
+ },
+ "related": [],
+ "uuid": "4b713738-d767-5243-b9af-4d7ac7b0b349",
+ "value": "Cyber Safety Review Board: Lapsus"
+ },
+ {
+ "description": "CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-18T00:00:00Z",
+ "date_published": "2023-11-16T00:00:00Z",
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a"
+ ],
+ "source": "MITRE",
+ "title": "Cybersecurity Advisory: Scattered Spider (AA23-320A)"
+ },
+ "related": [],
+ "uuid": "deae8b2c-39dd-5252-b846-88e1cab099c2",
+ "value": "CISA Scattered Spider Advisory November 2023"
+ },
 {
 "description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.",
 "meta": {
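Review bot: The `Cyber Safety Review Board: Lapsus` entry turns a month-only citation date, `(2023, August)`, into the full timestamp `"date_published": "2023-08-01T00:00:00Z"`, which is indistinguishable from a source genuinely published on 1 August; the `Microsoft East Asia Threats September 2023` entry does the same for `(2023, September)` and the `Facad1ng` entry pads a year-only `(2023)` to `2023-01-01`. Consumers that sort or filter on `date_published` are handed a precision the source never gave. Where only a month or year is known, omitting `date_published` — as the `n.d.` entries in this diff already do — or recording the reduced-precision date would be more faithful.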
@@ -12672,6 +13510,21 @@
 "uuid": "26096485-1dd6-512a-a2a1-27dbbfb6fde0",
 "value": "ExpressVPN PATH env Windows 2021"
 },
+ {
+ "description": "SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-13T00:00:00Z",
+ "date_published": "2021-12-23T00:00:00Z",
+ "refs": [
+ "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/"
+ ],
+ "source": "MITRE",
+ "title": "Cyber Threat Profile Malteiro"
+ },
+ "related": [],
+ "uuid": "c6948dfc-b133-556b-a8ac-b3a4dba09c0e",
+ "value": "SCILabs Malteiro 2021"
+ },
 {
 "description": "NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.",
 "meta": {
@@ -12747,6 +13600,20 @@
 "uuid": "41311827-3d81-422a-9b07-ee8ddc2fc7f1",
 "value": "Apple Developer Doco Archive Launchd"
 },
+ {
+ "description": "Kubernetes. (n.d.). DaemonSet. Retrieved February 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-15T00:00:00Z",
+ "refs": [
+ "https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/"
+ ],
+ "source": "MITRE",
+ "title": "DaemonSet"
+ },
+ "related": [],
+ "uuid": "4e4668bd-9bef-597e-ad41-8afe1974b7f6",
+ "value": "Kubernetes DaemonSet"
+ },
 {
 "description": "Huseyin Can Yuceel. (2022, October 24). Daixin Team Targets Healthcare Organizations with Ransomware Attacks. Retrieved December 1, 2023.",
 "meta": {
@@ -13066,6 +13933,21 @@
 "uuid": "0c373780-3202-4036-8c83-f3d468155b35",
 "value": "DataSvcUtil.exe - LOLBAS Project"
 },
+ {
+ "description": "botconf eu. (2014, December 31). David Sancho - Finding Holes in Banking 2FA: Operation Emmental. Retrieved January 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-04T00:00:00Z",
+ "date_published": "2014-12-31T00:00:00Z",
+ "refs": [
+ "https://www.youtube.com/watch?v=gchKFumYHWc"
+ ],
+ "source": "MITRE",
+ "title": "David Sancho - Finding Holes in Banking 2FA: Operation Emmental"
+ },
+ "related": [],
+ "uuid": "36443369-4fa9-4802-8b21-68cc382b949f",
+ "value": "Operation Emmental"
+ },
 {
 "description": "Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute, Access and Crack). Retrieved September 20, 2021.",
 "meta": {
@@ -13621,6 +14503,21 @@
 "uuid": "01fc44b9-0eb3-4fd2-b755-d611825374ae",
 "value": "TechNet Del"
 },
+ {
+ "description": "Yonatan Khanashvilli. (2023, November 28). DeleFriend: Severe design flaw in Domain Wide Delegation could leave Google Workspace vulnerable for takeover. Retrieved January 16, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-16T00:00:00Z",
+ "date_published": "2023-11-28T00:00:00Z",
+ "refs": [
+ "https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover"
+ ],
+ "source": "MITRE",
+ "title": "DeleFriend: Severe design flaw in Domain Wide Delegation could leave Google Workspace vulnerable for takeover"
+ },
+ "related": [],
+ "uuid": "290cebe1-a2fd-5ccd-8ef6-afa9d4c3c9df",
+ "value": "Hunters Domain Wide Delegation Google Workspace 2023"
+ },
 {
 "description": "Delegate access with a shared access signature. (2019, December 18). Delegate access with a shared access signature. Retrieved March 2, 2022.",
 "meta": {
@@ -13963,6 +14860,21 @@
 "uuid": "e9a882a5-1a88-4fdf-9349-205f4fa167c9",
 "value": "NSA and ASD Detect and Prevent Web Shells 2020"
 },
+ {
+ "description": "Australian Cyber Security Centre. National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. Retrieved February 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-09T00:00:00Z",
+ "date_published": "2020-04-21T00:00:00Z",
+ "refs": [
+ "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF"
+ ],
+ "source": "MITRE",
+ "title": "Detect and Prevent Web Shell Malware"
+ },
+ "related": [],
+ "uuid": "b91963c4-07ea-5e36-9cc8-8a2149ee7473",
+ "value": "URI Unique"
+ },
 {
 "description": "Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019.",
 "meta": {
@@ -14655,6 +15567,21 @@
 "uuid": "451bdfe3-0b30-425c-97a0-44727b70c1da",
 "value": "Microsoft DSE June 2017"
 },
+ {
+ "description": "Microsoft Threat Intelligence. (2023, September). Digital threats from East Asia increase in breadth and effectiveness. Retrieved February 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-05T00:00:00Z",
+ "date_published": "2023-09-01T00:00:00Z",
+ "refs": [
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW"
+ ],
+ "source": "MITRE",
+ "title": "Digital threats from East Asia increase in breadth and effectiveness"
+ },
+ "related": [],
+ "uuid": "31f2c61e-cefe-5df7-9c2b-780bf03c88ec",
+ "value": "Microsoft East Asia Threats September 2023"
+ },
 {
 "description": "ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.",
 "meta": {
@@ -14831,6 +15758,36 @@
 "uuid": "d53e8f89-df78-565b-a316-cf2644c5ed36",
 "value": "disable_notif_synology_ransom"
 },
+ {
+ "description": "Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious Bookmarks. Retrieved January 2, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-02T00:00:00Z",
+ "date_published": "2023-05-30T00:00:00Z",
+ "refs": [
+ "https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/"
+ ],
+ "source": "MITRE",
+ "title": "Discord Admins Hacked by Malicious Bookmarks"
+ },
+ "related": [],
+ "uuid": "1d0a21f4-9a8e-5514-894a-3d55263ff973",
+ "value": "Krebs Discord Bookmarks 2023"
+ },
+ {
+ "description": "Microsoft Windows Server. (2023, February 3). Diskshadow. Retrieved November 21, 2023.",
+ "meta": {
+ "date_accessed": "2023-11-21T00:00:00Z",
+ "date_published": "2023-02-03T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow"
+ ],
+ "source": "MITRE",
+ "title": "Diskshadow"
+ },
+ "related": [],
+ "uuid": "9e8b57a5-7e31-5add-ac3e-8b9c0f7f27aa",
+ "value": "Diskshadow"
+ },
 {
 "description": "LOLBAS. (2018, May 25). Diskshadow.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -14847,6 +15804,21 @@
 "uuid": "27a3f0b4-e699-4319-8b52-8eae4581faa2",
 "value": "Diskshadow.exe - LOLBAS Project"
 },
+ {
+ "description": "OpenAI. (2024, February 14). Disrupting malicious uses of AI by state-affiliated threat actors. Retrieved March 11, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-11T00:00:00Z",
+ "date_published": "2024-02-14T00:00:00Z",
+ "refs": [
+ "https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors"
+ ],
+ "source": "MITRE",
+ "title": "Disrupting malicious uses of AI by state-affiliated threat actors"
+ },
+ "related": [],
+ "uuid": "d8f576cb-0afc-54a7-a449-570c4311ef7a",
+ "value": "OpenAI-CTI"
+ },
 {
 "description": "Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.",
 "meta": {
@@ -14922,21 +15894,6 @@
 "uuid": "d2a1aab3-a4c9-4583-9cf8-170eeb77d828",
 "value": "Microsoft DTC"
 },
- {
- "description": "Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020.",
- "meta": {
- "date_accessed": "2020-03-13T00:00:00Z",
- "date_published": "2010-09-01T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html"
- ],
- "source": "MITRE",
- "title": "DLL Search Order Hijacking Revisited"
- },
- "related": [],
- "uuid": "0ba2675d-4d7f-406a-81fa-b87e62d7a539",
- "value": "FireEye DLL Search Order Hijacking"
- },
 {
 "description": "Mandiant. (2010, August 31). DLL Search Order Hijacking Revisited. Retrieved December 5, 2014.",
 "meta": {
@@ -14952,6 +15909,21 @@
 "uuid": "2f602a6c-0305-457c-b329-a17b55d8e094",
 "value": "Mandiant Search Order"
 },
+ {
+ "description": "Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020.",
+ "meta": {
+ "date_accessed": "2020-03-13T00:00:00Z",
+ "date_published": "2010-09-01T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html"
+ ],
+ "source": "MITRE",
+ "title": "DLL Search Order Hijacking Revisited"
+ },
+ "related": [],
+ "uuid": "0ba2675d-4d7f-406a-81fa-b87e62d7a539",
+ "value": "FireEye DLL Search Order Hijacking"
+ },
 {
 "description": "Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014.",
 "meta": {
@@ -15059,6 +16031,20 @@
 "uuid": "50652a27-c47b-41d4-a2eb-2ebf74e5bd09",
 "value": "dnx.exe - LOLBAS Project"
 },
+ {
+ "description": "GTFOBins. (n.d.). docker. Retrieved February 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-15T00:00:00Z",
+ "refs": [
+ "https://gtfobins.github.io/gtfobins/docker/"
+ ],
+ "source": "MITRE",
+ "title": "docker"
+ },
+ "related": [],
+ "uuid": "c4fa5825-85f9-5ab1-a59d-a86b20ef0570",
+ "value": "GTFOBins Docker"
+ },
 {
 "description": "Docker. (n.d.). DockerD CLI. Retrieved March 29, 2021.",
 "meta": {
@@ -15260,6 +16246,21 @@
 "uuid": "a1b987cc-7789-411c-9673-3cf6357b207c",
 "value": "ASERT Donot March 2018"
 },
+ {
+ "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-17T00:00:00Z",
+ "date_published": "2023-05-22T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
+ ],
+ "source": "MITRE",
+ "title": "Don't @ Me: URL Obfuscation Through Schema Abuse"
+ },
+ "related": [],
+ "uuid": "d5ed4c98-6d37-5000-bba0-9aada295a50c",
+ "value": "mandiant-masking"
+ },
 {
 "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.",
 "meta": {
@@ -15275,6 +16276,21 @@
 "uuid": "b63f5934-2ace-5326-89be-7a850469a563",
 "value": "Mandiant URL Obfuscation 2023"
 },
+ {
+ "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved February 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-13T00:00:00Z",
+ "date_published": "2023-05-22T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
+ ],
+ "source": "MITRE",
+ "title": "Don't @ Me: URL Obfuscation Through Schema Abuse"
+ },
+ "related": [],
+ "uuid": "75b860d9-a48d-57de-ba1e-b0db970abb1b",
+ "value": "Schema-abuse"
+ },
 {
 "description": "TheWover. (2019, May 9). donut. Retrieved March 25, 2022.",
 "meta": {
@@ -15381,6 +16397,21 @@
 "uuid": "931aed95-a629-4f94-8762-aad580f5d3e2",
 "value": "Malwarebytes IssacWiper CaddyWiper March 2022"
 },
+ {
+ "description": "Crowdstrike. (2020, September 24). Double Trouble: Ransomware with Data Leak Extortion, Part 1. Retrieved December 6, 2023.",
+ "meta": {
+ "date_accessed": "2023-12-06T00:00:00Z",
+ "date_published": "2020-09-24T00:00:00Z",
+ "refs": [
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/"
+ ],
+ "source": "MITRE",
+ "title": "Double Trouble: Ransomware with Data Leak Extortion, Part 1"
+ },
+ "related": [],
+ "uuid": "a91c3252-94b8-52a8-bb0d-cadac6afa161",
+ "value": "Crowdstrike-leaks"
+ },
 {
 "description": "Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021.",
 "meta": {
@@ -15456,21 +16487,6 @@
 "uuid": "9514c5cd-2ed6-4dbf-aa9e-1c425e969226",
 "value": "Symantec Dragonfly"
 },
- {
- "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.",
- "meta": {
- "date_accessed": "2022-04-19T00:00:00Z",
- "date_published": "2017-10-07T00:00:00Z",
- "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"
- ],
- "source": "MITRE",
- "title": "Dragonfly: Western energy sector targeted by sophisticated attack group"
- },
- "related": [],
- "uuid": "a0439d4a-a3ea-4be5-9a01-f223ca259681",
- "value": "Symantec Dragonfly 2.0 October 2017"
- },
 {
 "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.",
 "meta": {
@@ -15486,6 +16502,21 @@
 "uuid": "11bbeafc-ed5d-4d2b-9795-a0a9544fb64e",
 "value": "Symantec Dragonfly Sept 2017"
 },
+ {
+ "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.",
+ "meta": {
+ "date_accessed": "2022-04-19T00:00:00Z",
+ "date_published": "2017-10-07T00:00:00Z",
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"
+ ],
+ "source": "MITRE",
+ "title": "Dragonfly: Western energy sector targeted by sophisticated attack group"
+ },
+ "related": [],
+ "uuid": "a0439d4a-a3ea-4be5-9a01-f223ca259681",
+ "value": "Symantec Dragonfly 2.0 October 2017"
+ },
 {
 "description": "Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.",
 "meta": {
@@ -15546,6 +16577,20 @@
 "uuid": "85bee18e-216d-4ea6-b34e-b071e3f63382",
 "value": "volexity_0day_sophos_FW"
 },
+ {
+ "description": "Google. (n.d.). Drive log events. Retrieved March 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-04T00:00:00Z",
+ "refs": [
+ "https://support.google.com/a/answer/4579696"
+ ],
+ "source": "MITRE",
+ "title": "Drive log events"
+ },
+ "related": [],
+ "uuid": "f546898e-3639-58f4-85a2-6268dfaab207",
+ "value": "Google Drive Log Events"
+ },
 {
 "description": "Microsoft. (n.d.). driverquery. Retrieved March 28, 2023.",
 "meta": {
@@ -15756,6 +16801,21 @@
 "uuid": "4634e025-c005-46fe-b97c-5d7dda455ba0",
 "value": "DumpMinitool.exe - LOLBAS Project"
 },
+ {
+ "description": "Microsoft. (2021, October 12). DuplicateToken function (securitybaseapi.h). Retrieved January 8, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-08T00:00:00Z",
+ "date_published": "2021-10-12T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken"
+ ],
+ "source": "MITRE",
+ "title": "DuplicateToken function (securitybaseapi.h)"
+ },
+ "related": [],
+ "uuid": "fbf31bc2-7883-56fa-975f-d083288464dc",
+ "value": "DuplicateToken function"
+ },
 {
 "description": "Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.",
 "meta": {
@@ -15876,6 +16936,21 @@
 "uuid": "9349f864-79e9-4481-ad77-44099621795a",
 "value": "rfc3315"
 },
+ {
+ "description": "Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020.",
+ "meta": {
+ "date_accessed": "2020-03-13T00:00:00Z",
+ "date_published": "2018-05-31T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN"
+ ],
+ "source": "MITRE",
+ "title": "Dynamic-Link Library Redirection"
+ },
+ "related": [],
+ "uuid": "72458590-ee1b-4447-adb8-ca4f486d1db5",
+ "value": "Microsoft Dynamic-Link Library Redirection"
+ },
 {
 "description": "Microsoft. (n.d.). Dynamic-Link Library Redirection. Retrieved December 5, 2014.",
 "meta": {
@@ -15891,19 +16966,18 @@
 "value": "Microsoft DLL Redirection"
 },
 {
- "description": "Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020.",
+ "description": "Microsoft. (n.d.). Dynamic-Link Library Search Order. Retrieved November 30, 2014.",
 "meta": {
- "date_accessed": "2020-03-13T00:00:00Z",
- "date_published": "2018-05-31T00:00:00Z",
+ "date_accessed": "2014-11-30T00:00:00Z",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN"
+ "http://msdn.microsoft.com/en-US/library/ms682586"
 ],
 "source": "MITRE",
- "title": "Dynamic-Link Library Redirection"
+ "title": "Dynamic-Link Library Search Order"
 },
 "related": [],
- "uuid": "72458590-ee1b-4447-adb8-ca4f486d1db5",
- "value": "Microsoft Dynamic-Link Library Redirection"
+ "uuid": "c157444d-bf2b-4806-b069-519122b7a459",
+ "value": "Microsoft DLL Search"
 },
 {
 "description": "Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.",
@@ -15921,18 +16995,18 @@
 "value": "Microsoft Dynamic Link Library Search Order"
 },
 {
- "description": "Microsoft. (n.d.). Dynamic-Link Library Search Order. Retrieved November 30, 2014.",
+ "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.",
 "meta": {
- "date_accessed": "2014-11-30T00:00:00Z",
+ "date_accessed": "2016-07-25T00:00:00Z",
 "refs": [
- "http://msdn.microsoft.com/en-US/library/ms682586"
+ "https://msdn.microsoft.com/en-us/library/ff919712.aspx"
 ],
 "source": "MITRE",
- "title": "Dynamic-Link Library Search Order"
+ "title": "Dynamic-Link Library Security"
 },
 "related": [],
- "uuid": "c157444d-bf2b-4806-b069-519122b7a459",
- "value": "Microsoft DLL Search"
+ "uuid": "5d1d1916-cef4-49d1-b8e2-a6d18fb297f6",
+ "value": "MSDN DLL Security"
 },
 {
 "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.",
@@ -15962,20 +17036,6 @@
 "uuid": "e087442a-0a53-4cc8-9fd6-772cbd0295d5",
 "value": "Microsoft Dynamic-Link Library Security"
 },
- {
- "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.",
- "meta": {
- "date_accessed": "2016-07-25T00:00:00Z",
- "refs": [
- "https://msdn.microsoft.com/en-us/library/ff919712.aspx"
- ],
- "source": "MITRE",
- "title": "Dynamic-Link Library Security"
- },
- "related": [],
- "uuid": "5d1d1916-cef4-49d1-b8e2-a6d18fb297f6",
- "value": "MSDN DLL Security"
- },
 {
 "description": "Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.",
 "meta": {
@@ -16198,6 +17258,35 @@
 "uuid": "0d42c329-5847-4970-9580-2318a566df4e",
 "value": "Secureworks IRON RITUAL USAID Phish May 2021"
 },
+ {
+ "description": "ElectronJS.org. (n.d.). Retrieved March 7, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-07T00:00:00Z",
+ "refs": [
+ "https://www.electronjs.org/docs/latest/tutorial/using-native-node-modules"
+ ],
+ "source": "MITRE",
+ "title": "Electron Security"
+ },
+ "related": [],
+ "uuid": "e44c8abf-77c1-5e19-93e6-99397d7eaa41",
+ "value": "Electron Security"
+ },
+ {
+ "description": "Dragos, Inc.. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-28T00:00:00Z",
+ "date_published": "2023-12-11T00:00:00Z",
+ "refs": [
+ "https://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/"
+ ],
+ "source": "MITRE",
+ "title": "ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022"
+ },
+ "related": [],
+ "uuid": "a17aa1b1-cda4-5aeb-b401-f4fd47d29f93",
+ "value": "Dragos-Sandworm-Ukraine-2022"
+ },
 {
 "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.",
 "meta": {
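Review bot: The new `Electron Security` entry's description, `"ElectronJS.org. (n.d.). Retrieved March 7, 2024."`, omits the title that every other description in this file carries, and its `title` does not match its reference: the URL points at the `using-native-node-modules` tutorial rather than a security page. One of the two fields looks mis-transcribed upstream; a citation whose title and target disagree is worth checking before the cluster is relied on. The `Dragos, Inc..` author in the next entry also carries a doubled period from the abbreviation, which could be normalised to `Dragos, Inc.` when the citation is assembled.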
@@ -16716,6 +17805,21 @@
 "uuid": "ad3eda19-08eb-4d59-a2c9-3b5ed8302205",
 "value": "Google Ensuring Your Information is Safe"
 },
+ {
+ "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-09T00:00:00Z",
+ "date_published": "2018-11-13T00:00:00Z",
+ "refs": [
+ "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign"
+ ],
+ "source": "MITRE",
+ "title": "Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign"
+ },
+ "related": [],
+ "uuid": "31796564-4154-54c0-958a-7d6802dfefad",
+ "value": "Ensilo Darkgate 2018"
+ },
 {
 "description": "Fortinet Blog. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved October 20, 2023.",
 "meta": {
@@ -16748,6 +17852,21 @@
 "uuid": "a45a920c-3bda-4442-8650-4ad78f950283",
 "value": "Splunk DarkGate January 17 2024"
 },
+ {
+ "description": "Splunk Threat Research Team. (2024, January 17). Enter The Gates: An Analysis of the DarkGate AutoIt Loader. Retrieved March 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-29T00:00:00Z",
+ "date_published": "2024-01-17T00:00:00Z",
+ "refs": [
+ "https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html"
+ ],
+ "source": "MITRE",
+ "title": "Enter The Gates: An Analysis of the DarkGate AutoIt Loader"
+ },
+ "related": [],
+ "uuid": "adc6384c-e0d7-547f-a1e3-2c57ff0525ae",
+ "value": "Splunk DarkGate"
+ },
 {
 "description": "Microsoft. (2021, October 12). EnumDeviceDrivers function (psapi.h). Retrieved March 28, 2023.",
 "meta": {
@@ -16792,20 +17911,6 @@
 "uuid": "af842a1f-8f39-4b4f-b4d2-0bbb810e6c31",
 "value": "Deloitte Environment Awareness"
 },
- {
- "description": "Microsoft. (n.d.). Environment Property. Retrieved July 27, 2016.",
- "meta": {
- "date_accessed": "2016-07-27T00:00:00Z",
- "refs": [
- "https://msdn.microsoft.com/en-us/library/fd7hxfdd.aspx"
- ],
- "source": "MITRE",
- "title": "Environment Property"
- },
- "related": [],
- "uuid": "79ea888c-2dd7-40cb-9149-e2469a35ea3a",
- "value": "MSDN Environment Property"
- },
 {
 "description": "Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.",
 "meta": {
@@ -16821,6 +17926,20 @@
 "uuid": "64598969-864d-4bc7-805e-c289cccb7bc6",
 "value": "Microsoft Environment Property"
 },
+ {
+ "description": "Microsoft. (n.d.). Environment Property. Retrieved July 27, 2016.",
+ "meta": {
+ "date_accessed": "2016-07-27T00:00:00Z",
+ "refs": [
+ "https://msdn.microsoft.com/en-us/library/fd7hxfdd.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Environment Property"
+ },
+ "related": [],
+ "uuid": "79ea888c-2dd7-40cb-9149-e2469a35ea3a",
+ "value": "MSDN Environment Property"
+ },
 {
 "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.",
 "meta": {
@@ -17270,6 +18389,21 @@
 "uuid": "29301297-8343-4f75-8096-7fe229812f75",
 "value": "Cisco Synful Knock Evolution"
 },
+ {
+ "description": "SCILabs. (2023, May 23). Evolution of banking trojan URSA/Mispadu. Retrieved March 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-13T00:00:00Z",
+ "date_published": "2023-05-23T00:00:00Z",
+ "refs": [
+ "https://blog.scilabs.mx/en/evolution-of-banking-trojan-ursa-mispadu/"
+ ],
+ "source": "MITRE",
+ "title": "Evolution of banking trojan URSA/Mispadu"
+ },
+ "related": [],
+ "uuid": "a7a0db8d-bc1c-5e89-8c42-a3a6cc2cf28d",
+ "value": "SCILabs URSA/Mispadu Evolution 2023"
+ },
 {
 "description": "Fedor Sinitsyn. (2021, May 25). Evolution of JSWorm Ransomware. Retrieved August 18, 2021.",
 "meta": {
@@ -17705,6 +18839,21 @@
 "uuid": "9ba3d54c-02d1-45bd-bfe8-939e84d9d44b",
 "value": "Explorer.exe - LOLBAS Project"
 },
+ {
+ "description": "Zohar Zigdon. (2023, November 30). Exploring a Critical Risk in Google Workspace's Domain-Wide Delegation Feature. Retrieved January 16, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-16T00:00:00Z",
+ "date_published": "2023-11-30T00:00:00Z",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/critical-risk-in-google-workspace-delegation-feature/"
+ ],
+ "source": "MITRE",
+ "title": "Exploring a Critical Risk in Google Workspace's Domain-Wide Delegation Feature"
+ },
+ "related": [],
+ "uuid": "cd76910f-1c15-50fb-a942-f19b6cc1ca69",
+ "value": "Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023"
+ },
 {
 "description": "Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.",
 "meta": {
@@ -17857,6 +19006,21 @@
 "uuid": "a4617ef4-e6d2-47e7-8f81-68e7380279bf",
 "value": "Bizeul 2014"
 },
+ {
+ "description": "Spyboy. (2023). Facad1ng. Retrieved February 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-13T00:00:00Z",
+ "date_published": "2023-01-01T00:00:00Z",
+ "refs": [
+ "https://github.com/spyboy-productions/Facad1ng"
+ ],
+ "source": "MITRE",
+ "title": "Facad1ng"
+ },
+ "related": [],
+ "uuid": "bd80f3d7-e653-5f8f-ba8a-00b8780ae935",
+ "value": "Facad1ng"
+ },
 {
 "description": "O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.",
 "meta": {
@@ -17872,21 +19036,6 @@
 "uuid": "186c1213-d0c5-4eb6-aa0f-0fd61b07a1f7",
 "value": "ThreatPost Social Media Phishing"
 },
- {
- "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.",
- "meta": {
- "date_accessed": "2022-09-29T00:00:00Z",
- "date_published": "2021-01-11T00:00:00Z",
- "refs": [
- "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
- ],
- "source": "MITRE",
- "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts"
- },
- "related": [],
- "uuid": "34dc9010-e800-420c-ace4-4f426c915d2f",
- "value": "SentinelLabs reversing run-only applescripts 2021"
- },
 {
 "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.",
 "meta": {
@@ -17902,6 +19051,21 @@ "uuid": "785f7692-2be8-4f5d-921e-51efdfe0c0b9", "value": "Sentinel Labs" }, + { + "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.", + "meta": { + "date_accessed": "2022-09-29T00:00:00Z", + "date_published": "2021-01-11T00:00:00Z", + "refs": [ + "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" + ], + "source": "MITRE", + "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts" + }, + "related": [], + "uuid": "34dc9010-e800-420c-ace4-4f426c915d2f", + "value": "SentinelLabs reversing run-only applescripts 2021" + }, { "description": "Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.", "meta": { @@ -18565,21 +19729,6 @@ "uuid": "e38adff1-7f53-4b0c-9d58-a4640b09b10d", "value": "CyberScoop FIN7 Oct 2017" }, - { - "description": "Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.", - "meta": { - "date_accessed": "2021-09-08T00:00:00Z", - "date_published": "2021-03-10T00:00:00Z", - "refs": [ - "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" - ], - "source": "MITRE", - "title": "FIN8 Returns with Improved BADHATCH Toolkit" - }, - "related": [], - "uuid": "958cfc9a-901c-549d-96c2-956272b240e3", - "value": "BitDefender BADHATCH Mar 2021" - }, { "description": "Bitdefender. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved October 30, 2023.", "meta": { 
@@ -18596,6 +19745,21 @@ "uuid": "501b6391-e09e-47dc-9cfc-c8ed4c034aca", "value": "Bitdefender FIN8 BADHATCH Report" }, + { + "description": "Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.", + "meta": { + "date_accessed": "2021-09-08T00:00:00Z", + "date_published": "2021-03-10T00:00:00Z", + "refs": [ + "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" + ], + "source": "MITRE", + "title": "FIN8 Returns with Improved BADHATCH Toolkit" + }, + "related": [], + "uuid": "958cfc9a-901c-549d-96c2-956272b240e3", + "value": "BitDefender BADHATCH Mar 2021" + }, { "description": "Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.", "meta": { @@ -18686,6 +19850,21 @@ "uuid": "4c2424d6-670b-4db0-a752-868b4c954e29", "value": "Expel IO Evil in AWS" }, + { + "description": "Chad Tilbury. (2023, May 22). Finding Evil WMI Event Consumers with Disk Forensics. Retrieved February 9, 2024.", + "meta": { + "date_accessed": "2024-02-09T00:00:00Z", + "date_published": "2023-05-22T00:00:00Z", + "refs": [ + "https://www.sans.org/blog/finding-evil-wmi-event-consumers-with-disk-forensics/" + ], + "source": "MITRE", + "title": "Finding Evil WMI Event Consumers with Disk Forensics" + }, + "related": [], + "uuid": "ee46fd07-3df3-50f6-b922-263f031ee23f", + "value": "Evil WMI" + }, { "description": "Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016.", "meta": { 
@@ -18701,21 +19880,6 @@ "uuid": "d251a79b-8516-41a7-b394-47a761d0ab3b", "value": "SANS Decrypting SSL" }, - { - "description": "Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016.", - "meta": { - "date_accessed": "2016-02-09T00:00:00Z", - "date_published": "2014-07-22T00:00:00Z", - "refs": [ - "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf" - ], - "source": "MITRE", - "title": "Finding Holes Operation Emmental" - }, - "related": [], - "uuid": "36443369-4fa9-4802-8b21-68cc382b949f", - "value": "Operation Emmental" - }, { "description": "Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.", "meta": { @@ -20046,6 +21210,20 @@ "uuid": "ca28494c-d834-4afc-9237-ab78dcfc427b", "value": "Microsoft msolrolemember" }, + { + "description": "JumpCloud. (n.d.). Get Started: Conditional Access Policies. Retrieved January 2, 2024.", + "meta": { + "date_accessed": "2024-01-02T00:00:00Z", + "refs": [ + "https://jumpcloud.com/support/get-started-conditional-access-policies" + ], + "source": "MITRE", + "title": "Get Started: Conditional Access Policies" + }, + "related": [], + "uuid": "585b4ed7-1f1b-5e7f-bf2b-3732e07309af", + "value": "JumpCloud Conditional Access Policies" + }, { "description": "Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021.", "meta": { 
@@ -20106,6 +21284,21 @@
 "uuid": "128b4e3f-bb58-45e0-b8d9-bff9fc3ec3df",
 "value": "Wardle Dylib Hijack Vulnerable Apps"
 },
+ {
+ "description": "Microsoft. (2022, November 3). Getting started with App-V for Windows client. Retrieved February 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-06T00:00:00Z",
+ "date_published": "2022-11-03T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows/application-management/app-v/appv-getting-started"
+ ],
+ "source": "MITRE",
+ "title": "Getting started with App-V for Windows client"
+ },
+ "related": [],
+ "uuid": "8305a718-e79f-5bf7-8af3-b117cf106c81",
+ "value": "2 - appv"
+ },
 {
 "description": "Austin, J. (2017, June 6). Getting Started with VBA in Office. Retrieved July 3, 2017.",
 "meta": {
@@ -20725,6 +21918,34 @@
 "uuid": "b11276cb-f6dd-4e91-90cd-9c287fb3e6b1",
 "value": "Secureworks GOLD NIAGARA Threat Profile"
 },
+ {
+ "description": "Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-22T00:00:00Z",
+ "refs": [
+ "https://www.secureworks.com/research/threat-profiles/gold-prelude"
+ ],
+ "source": "MITRE",
+ "title": "GOLD PRELUDE"
+ },
+ "related": [],
+ "uuid": "b16ae37d-5244-5c1e-92a9-e494b5a9ef49",
+ "value": "Secureworks Gold Prelude Profile"
+ },
+ {
+ "description": "Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-20T00:00:00Z",
+ "refs": [
+ "https://www.secureworks.com/research/threat-profiles/gold-sahara"
+ ],
+ "source": "MITRE",
+ "title": "GOLD SAHARA"
+ },
+ "related": [],
+ "uuid": "3abb7995-4a62-56a6-9492-942965edf0a0",
+ "value": "Secureworks GOLD SAHARA"
+ },
 {
 "description": "Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.",
 "meta": {
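Review bot: `"value": "2 - appv"` is an unhelpful citation key for the new App-V entry: every neighbouring `value` names publisher and subject (`"Wardle Dylib Hijack Vulnerable Apps"`, `"Secureworks GOLD SAHARA"`), and a reader or a downstream cluster matching on this key gets no indication that it points at Microsoft's App-V documentation. The string looks carried verbatim from the upstream source name rather than introduced here, so the fix belongs in the generator's key mapping, e.g. `"value": "Microsoft App-V Getting Started 2022"`, provided other clusters join on `uuid` rather than on `value` — that is not visible from this hunk and should be confirmed before renaming. In the second hunk the GOLD PRELUDE description carries a stray space before its period (`GOLD PRELUDE .`), also worth normalising at import.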
@@ -20739,6 +21960,20 @@ "uuid": "01d1ffaa-16b3-41c4-bb5a-afe2b41f1142", "value": "Secureworks GOLD SOUTHFIELD" }, + { + "description": "Google. (n.d.). Retrieved March 14, 2024.", + "meta": { + "date_accessed": "2024-03-14T00:00:00Z", + "refs": [ + "https://support.google.com/chrome/answer/1649523" + ], + "source": "MITRE", + "title": "Google Chrome Remote Desktop" + }, + "related": [], + "uuid": "70c87a07-38eb-53d2-8b63-013eb3ce62c8", + "value": "Google Chrome Remote Desktop" + }, { "description": "Google. (n.d.). Retrieved March 16, 2021.", "meta": { @@ -20782,6 +22017,21 @@ "uuid": "29714b88-a1ff-4684-a3b0-35c3a2c78947", "value": "ExploitDB GoogleHacking" }, + { + "description": "Clark, Michael. (2023, August 14). Google’s Vertex AI Platform Gets Freejacked. Retrieved February 28, 2024.", + "meta": { + "date_accessed": "2024-02-28T00:00:00Z", + "date_published": "2023-08-14T00:00:00Z", + "refs": [ + "https://sysdig.com/blog/googles-vertex-ai-platform-freejacked/" + ], + "source": "MITRE", + "title": "Google’s Vertex AI Platform Gets Freejacked" + }, + "related": [], + "uuid": "c7007fa4-bc07-59aa-820e-ffeea1486ed6", + "value": "Freejacked" + }, { "description": "Google. (n.d.). Retrieved March 16, 2021.", "meta": { 
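Review bot: The new Chrome Remote Desktop entry's description, `"Google. (n.d.). Retrieved March 14, 2024."`, omits the document title that every other description in this file places between the date and the retrieval date, so the citation string is meaningless on its own. The title is already present in `"title"`, so the description can be completed as `"Google. (n.d.). Google Chrome Remote Desktop. Retrieved March 14, 2024."`. The same pattern recurs with the existing `Google. (n.d.). Retrieved March 16, 2021.` context entry below it, which suggests the upstream source leaves the title out and the importer should fill it from `title` when the description lacks one.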
@@ -20958,6 +22208,21 @@ "uuid": "01e0c198-dd59-5dd1-b632-73cb316eafe0", "value": "AWS PassRole" }, + { + "description": "Microsoft. (2023, June 7). Grant limited access to Azure Storage resources using shared access signatures (SAS). Retrieved March 4, 2024.", + "meta": { + "date_accessed": "2024-03-04T00:00:00Z", + "date_published": "2023-06-07T00:00:00Z", + "refs": [ + "https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview" + ], + "source": "MITRE", + "title": "Grant limited access to Azure Storage resources using shared access signatures (SAS)" + }, + "related": [], + "uuid": "9031357f-04ac-5c07-a59d-97b9e32edf79", + "value": "Microsoft Azure Storage Shared Access Signature" + }, { "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.", "meta": { @@ -21123,6 +22388,20 @@ "uuid": "fa3beaf1-81e7-411b-849a-24cffaf7c552", "value": "Microsoft GPP 2016" }, + { + "description": "MacKenzie, D. and Youngman, J. (n.d.). groups(1) - Linux man page. Retrieved January 11, 2024.", + "meta": { + "date_accessed": "2024-01-11T00:00:00Z", + "refs": [ + "https://linux.die.net/man/1/groups" + ], + "source": "MITRE", + "title": "groups(1) - Linux man page" + }, + "related": [], + "uuid": "3d3c9756-4700-5db3-b8bc-8d2958df6a42", + "value": "groups man page" + }, { "description": "Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020.", "meta": { 
@@ -21211,6 +22490,21 @@ "uuid": "4a435edb-18ae-4c31-beff-2b8f2e6cad34", "value": "Fortinet Moses Staff February 15 2022" }, + { + "description": "Microsoft Threat Intelligence. (2021, December 11). Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. Retrieved December 7, 2023.", + "meta": { + "date_accessed": "2023-12-07T00:00:00Z", + "date_published": "2021-12-11T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/" + ], + "source": "MITRE", + "title": "Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability" + }, + "related": [], + "uuid": "456ed22f-0de1-5ee4-bb8a-29e3baedc7b1", + "value": "Microsoft Log4j Vulnerability Exploitation December 2021" + }, { "description": "Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.", "meta": { @@ -21376,6 +22670,21 @@ "uuid": "93b5ecd2-35a3-5bd8-9d6e-87bace012546", "value": "BleepingComputer Agent Tesla steal wifi passwords" }, + { + "description": "Giles, Bruce. (2024, January 4). Hackers threaten to send SWAT teams to Fred Hutch patients' homes. Retrieved January 5, 2024.", + "meta": { + "date_accessed": "2024-01-05T00:00:00Z", + "date_published": "2024-01-04T00:00:00Z", + "refs": [ + "https://www.beckershospitalreview.com/cybersecurity/hackers-threaten-to-send-swat-teams-to-fred-hutch-patients-homes.html" + ], + "source": "MITRE", + "title": "Hackers threaten to send SWAT teams to Fred Hutch patients' homes" + }, + "related": [], + "uuid": "ce8bc906-875a-53bd-8b9c-b2191e369e4e", + "value": "SWAT-hospital" + }, { "description": "Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.", "meta": { 
@@ -21526,6 +22835,21 @@ "uuid": "67ebcf71-828e-4202-b842-f071140883f8", "value": "Malwarebytes OSINT Leaky Buckets - Hioureas" }, + { + "description": "Vincent Tiu. (2017, September 15). HackTool:Win32/Gsecdump. Retrieved January 10, 2024.", + "meta": { + "date_accessed": "2024-01-10T00:00:00Z", + "date_published": "2017-09-15T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win32/Gsecdump" + ], + "source": "MITRE", + "title": "HackTool:Win32/Gsecdump" + }, + "related": [], + "uuid": "e9c12a7f-ce8a-5f20-8283-509e16532d9b", + "value": "Microsoft Gsecdump" + }, { "description": "MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.", "meta": { @@ -21676,21 +23000,6 @@ "uuid": "95d6d1ce-ceba-48ee-88c4-0fb30058bd80", "value": "Specter Ops - Cloud Credential Storage" }, - { - "description": "Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.", - "meta": { - "date_accessed": "2021-01-20T00:00:00Z", - "date_published": "2019-09-23T00:00:00Z", - "refs": [ - "https://securelist.com/my-name-is-dtrack/93338/" - ], - "source": "MITRE", - "title": "Hello! My name is Dtrack" - }, - "related": [], - "uuid": "49bd8841-a4b5-4ced-adfa-0ad0c8625ccd", - "value": "Securelist Dtrack" - }, { "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.", "meta": { 
@@ -21707,19 +23016,19 @@ "value": "Securelist Dtrack2" }, { - "description": "Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.", + "description": "Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.", "meta": { - "date_accessed": "2014-12-04T00:00:00Z", - "date_published": "2012-11-08T00:00:00Z", + "date_accessed": "2021-01-20T00:00:00Z", + "date_published": "2019-09-23T00:00:00Z", "refs": [ - "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464" + "https://securelist.com/my-name-is-dtrack/93338/" ], "source": "MITRE", - "title": "Help eliminate unquoted path vulnerabilities" + "title": "Hello! My name is Dtrack" }, "related": [], - "uuid": "9b234329-5e05-4035-af38-dd8ab20fd68e", - "value": "Baggett 2012" + "uuid": "49bd8841-a4b5-4ced-adfa-0ad0c8625ccd", + "value": "Securelist Dtrack" }, { "description": "Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.", @@ -21736,6 +23045,21 @@ "uuid": "23ad5a8c-cbe1-4f40-8757-f1784a4003a1", "value": "Help eliminate unquoted path" }, + { + "description": "Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.", + "meta": { + "date_accessed": "2014-12-04T00:00:00Z", + "date_published": "2012-11-08T00:00:00Z", + "refs": [ + "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464" + ], + "source": "MITRE", + "title": "Help eliminate unquoted path vulnerabilities" + }, + "related": [], + "uuid": "9b234329-5e05-4035-af38-dd8ab20fd68e", + "value": "Baggett 2012" + }, { "description": "Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.", "meta": { 
@@ -21885,6 +23209,21 @@ "uuid": "8a00b664-5a75-4365-9069-a32e0ed20a80", "value": "Pfammatter - Hidden Inbox Rules" }, + { + "description": "Hutchins, Marcus. (2015, September 13). Hidden VNC for Beginners. Retrieved November 28, 2023.", + "meta": { + "date_accessed": "2023-11-28T00:00:00Z", + "date_published": "2015-09-13T00:00:00Z", + "refs": [ + "https://www.malwaretech.com/2015/09/hidden-vnc-for-beginners.html" + ], + "source": "MITRE", + "title": "Hidden VNC for Beginners" + }, + "related": [], + "uuid": "1d50ce73-ad6a-5286-8ef9-0b2bfed321dc", + "value": "Hidden VNC" + }, { "description": "Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.", "meta": { @@ -22259,6 +23598,21 @@ "uuid": "0b0880a8-82cc-4e23-afd9-95d099c753a4", "value": "Microsoft Connection Manager Oct 2009" }, + { + "description": "Dedenok, Roman. (2023, December 12). How cybercriminals disguise URLs. Retrieved January 17, 2024.", + "meta": { + "date_accessed": "2024-01-17T00:00:00Z", + "date_published": "2023-12-12T00:00:00Z", + "refs": [ + "https://www.kaspersky.com/blog/malicious-redirect-methods/50045/" + ], + "source": "MITRE", + "title": "How cybercriminals disguise URLs" + }, + "related": [], + "uuid": "811eb587-effd-50ad-abb4-83221cc5d567", + "value": "Kaspersky-masking" + }, { "description": "Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. Retrieved October 28, 2021.", "meta": { 
@@ -22304,6 +23658,21 @@ "uuid": "9254d3f5-7fc1-4710-b885-b0ddb3a3dca9", "value": "Apple Culprit Access" }, + { + "description": "Jai Minton. (2023, March 31). How Falcon OverWatch Investigates Malicious Self-Extracting Archives, Decoy Files and Their Hidden Payloads. Retrieved March 29, 2024.", + "meta": { + "date_accessed": "2024-03-29T00:00:00Z", + "date_published": "2023-03-31T00:00:00Z", + "refs": [ + "https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/" + ], + "source": "MITRE", + "title": "How Falcon OverWatch Investigates Malicious Self-Extracting Archives, Decoy Files and Their Hidden Payloads" + }, + "related": [], + "uuid": "55171e0e-6b6d-568c-941a-85adcafceb43", + "value": "SFX - Encrypted/Encoded File" + }, { "description": "Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.", "meta": { @@ -22408,6 +23777,21 @@ "uuid": "561ff84d-17ce-511c-af0c-059310f3c129", "value": "Kaspersky Autofill" }, + { + "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", + "meta": { + "date_accessed": "2023-11-17T00:00:00Z", + "date_published": "2023-07-12T00:00:00Z", + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "source": "MITRE", + "title": "How Microsoft names threat actors" + }, + "related": [], + "uuid": "78a8137d-694e-533d-aed3-6bd48fc0cd4a", + "value": "Microsoft Threat Actor Naming July 2023" + }, { "description": "How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021.", "meta": { 
@@ -22849,6 +24233,21 @@ "uuid": "397be6f9-a109-4185-85f7-8d994fb31eaa", "value": "Startup Items Eclectic" }, + { + "description": "Valentin Rothberg. (2022, March 16). How to run pods as systemd services with Podman. Retrieved February 15, 2024.", + "meta": { + "date_accessed": "2024-02-15T00:00:00Z", + "date_published": "2022-03-16T00:00:00Z", + "refs": [ + "https://www.redhat.com/sysadmin/podman-run-pods-systemd-services" + ], + "source": "MITRE", + "title": "How to run pods as systemd services with Podman" + }, + "related": [], + "uuid": "1657c650-7739-5ba3-8c95-b35cb74ee79f", + "value": "Podman Systemd" + }, { "description": "Radu Vlad, Liviu Arsene. (2021, October 15). How to Test Endpoint Security Efficacy and What to Expect. Retrieved March 7, 2024.", "meta": { @@ -23416,6 +24815,20 @@ "uuid": "6891eaf4-6857-4106-860c-1708d2a3bd33", "value": "FireEye ADFS" }, + { + "description": "AWS. (n.d.). IAM JSON policy elements: Condition. Retrieved January 2, 2024.", + "meta": { + "date_accessed": "2024-01-02T00:00:00Z", + "refs": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html" + ], + "source": "MITRE", + "title": "IAM JSON policy elements: Condition" + }, + "related": [], + "uuid": "0fabd95b-a8cc-5a03-9a48-ffac8e5c5e28", + "value": "AWS IAM Conditions" + }, { "description": "Amazon Web Services. (n.d.). IAM roles for service accounts. Retrieved July 14, 2023.", "meta": { 
@@ -23459,6 +24872,20 @@ "uuid": "16f6b02a-912b-42c6-8d32-4e4f11fa70ec", "value": "Amazon IAM Groups" }, + { + "description": "IAPP. (n.d.). Retrieved March 5, 2024.", + "meta": { + "date_accessed": "2024-03-05T00:00:00Z", + "refs": [ + "https://iapp.org/resources/article/web-beacon/" + ], + "source": "MITRE", + "title": "IAPP" + }, + "related": [], + "uuid": "a7dac249-f34a-557c-94ea-b16723f7a4f7", + "value": "IAPP" + }, { "description": "CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.", "meta": { @@ -23533,6 +24960,20 @@ "uuid": "8bb3147c-3178-4449-9978-f1248b1bcb0a", "value": "Dragos Threat Report 2020" }, + { + "description": "MacKenzie, D. and Robbins, A. (n.d.). id(1) - Linux man page. Retrieved January 11, 2024.", + "meta": { + "date_accessed": "2024-01-11T00:00:00Z", + "refs": [ + "https://linux.die.net/man/1/id" + ], + "source": "MITRE", + "title": "id(1) - Linux man page" + }, + "related": [], + "uuid": "158f088c-4d51-567d-bc58-be0b9a087c9a", + "value": "id man page" + }, { "description": "Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020.", "meta": { 
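Review bot: The new IAPP entry uses the organisation name for all three of `title`, `value` and the description (`"IAPP. (n.d.). Retrieved March 5, 2024."`), so nothing in the record says what document is being cited; the URL path ending in `web-beacon` suggests the subject, but that is an inference from the URL, not from the record. A `value` of `"IAPP"` is also a weak citation key, since any further IAPP resource would collide with it. If the importer cannot recover a title from upstream, a key such as `"IAPP Web Beacon"` and a description that names the page would keep the entry usable. The `id(1)` man page entry in the second hunk is fine.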
@@ -23745,6 +25186,21 @@ "uuid": "c8db6bfd-3a08-43b3-b33b-91a32e9bd694", "value": "Microsoft IIS Modules Overview 2007" }, + { + "description": "Miller, J. et. al. (2021, July 28). I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona. Retrieved March 11, 2024.", + "meta": { + "date_accessed": "2024-03-11T00:00:00Z", + "date_published": "2021-07-28T00:00:00Z", + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media" + ], + "source": "MITRE", + "title": "I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona" + }, + "related": [], + "uuid": "0cc015d9-96d0-534e-a34a-221267250f90", + "value": "Proofpoint TA456 Defense Contractor July 2021" + }, { "description": "LOLBAS. (2020, March 17). Ilasm.exe. Retrieved December 4, 2023.", "meta": { @@ -24255,6 +25711,21 @@ "uuid": "fcf8265a-3084-4162-87d0-9e77c0a5cff0", "value": "HackerNews IndigoZebra July 2021" }, + { + "description": "Raj Chandel. (2022, March 17). Indirect Command Execution: Defense Evasion (T1202). Retrieved February 6, 2024.", + "meta": { + "date_accessed": "2024-02-06T00:00:00Z", + "date_published": "2022-03-17T00:00:00Z", + "refs": [ + "https://www.hackingarticles.in/indirect-command-execution-defense-evasion-t1202/" + ], + "source": "MITRE", + "title": "Indirect Command Execution: Defense Evasion (T1202)" + }, + "related": [], + "uuid": "c07f1b2b-ae56-5a1a-b607-1f3bc7e119cf", + "value": "3 - appv" + }, { "description": "Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.", "meta": { 
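Review bot: The new hackingarticles.in entry is keyed `"value": "3 - appv"` although its title is `Indirect Command Execution: Defense Evasion (T1202)` and the URL is about indirect command execution, not App-V; the key appears to be an upstream working label for the T1202 references rather than a description of this document, and it actively misleads anyone resolving the citation by key. As with the `"2 - appv"` entry earlier in this diff, the mapping should be fixed where keys are generated, e.g. `"value": "Hacking Articles Indirect Command Execution 2022"`, if other clusters join on `uuid` rather than `value` — confirm that before renaming.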
@@ -24541,6 +26012,21 @@ "uuid": "c249bfcf-25c4-4502-b5a4-17783d581163", "value": "Microsoft Holmium June 2020" }, + { + "description": "Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024.", + "meta": { + "date_accessed": "2024-03-15T00:00:00Z", + "date_published": "2023-03-07T00:00:00Z", + "refs": [ + "https://www.metabaseq.com/mispadu-banking-trojan/" + ], + "source": "MITRE", + "title": "Inside Mispadu massive infection campaign in LATAM" + }, + "related": [], + "uuid": "960ae534-6de5-5bcc-b600-db0c2de64305", + "value": "Metabase Q Mispadu Trojan 2023" + }, { "description": "Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020.", "meta": { @@ -24586,6 +26072,21 @@ "uuid": "70610469-db0d-45ab-a790-6e56309a39ec", "value": "FireEye APT33 Sept 2017" }, + { + "description": "Microsoft. (2021, January 7). Installation Procedure Tables Group. Retrieved December 27, 2023.", + "meta": { + "date_accessed": "2023-12-27T00:00:00Z", + "date_published": "2021-01-07T00:00:00Z", + "refs": [ + "https://learn.microsoft.com/windows/win32/msi/installation-procedure-tables-group" + ], + "source": "MITRE", + "title": "Installation Procedure Tables Group" + }, + "related": [], + "uuid": "8fbe8a88-683c-5640-840c-1389b9c9972d", + "value": "Microsoft Installation Procedures" + }, { "description": "Rich Trouton. (2019, August 9). Installer Package Scripting: Making your deployments easier, one ! at a time. Retrieved September 27, 2022.", "meta": { 
@@ -24730,6 +26231,21 @@ "uuid": "bffb9e71-ba97-4010-9ad7-29eb330a350c", "value": "Intel Hardware-based Security Technologies" }, + { + "description": "Kayal, A. (2018, August 26). Interactive Mapping of APT-C-23. Retrieved March 4, 2024.", + "meta": { + "date_accessed": "2024-03-04T00:00:00Z", + "date_published": "2018-08-26T00:00:00Z", + "refs": [ + "https://web.archive.org/web/20230604112435/https://research.checkpoint.com/2018/interactive-mapping-of-apt-c-23/" + ], + "source": "MITRE", + "title": "Interactive Mapping of APT-C-23" + }, + "related": [], + "uuid": "24dd2641-839b-5a0e-b5ca-ea121ea70992", + "value": "checkpoint_interactive_map_apt-c-23" + }, { "description": "Microsoft. (2017, June 16). Intercepting All Incoming IIS Requests. Retrieved June 3, 2021.", "meta": { @@ -25206,20 +26722,6 @@ "uuid": "956b3d80-4e19-4cab-a65f-ad86f233aa12", "value": "GitHub Invoke-Obfuscation" }, - { - "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.", - "meta": { - "date_accessed": "2022-09-30T00:00:00Z", - "refs": [ - "https://github.com/peewpw/Invoke-PSImage" - ], - "source": "MITRE", - "title": "Invoke-PSImage" - }, - "related": [], - "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c", - "value": "GitHub PSImage" - }, { "description": "Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018.", "meta": { @@ -25235,6 +26737,20 @@ "uuid": "dd210b79-bd5f-4282-9542-4d1ae2f16438", "value": "GitHub Invoke-PSImage" }, + { + "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.", + "meta": { + "date_accessed": "2022-09-30T00:00:00Z", + "refs": [ + "https://github.com/peewpw/Invoke-PSImage" + ], + "source": "MITRE", + "title": "Invoke-PSImage" + }, + "related": [], + "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c", + "value": "GitHub PSImage" + }, { "description": "Xen. (n.d.). In Wikipedia. Retrieved November 13, 2014.", "meta": { 
@@ -25249,6 +26765,20 @@ "uuid": "4ce05edd-da25-4559-8489-b78cdd2c0f3d", "value": "Wikipedia Xen" }, + { + "description": "Ostorlab. (n.d.). iOS URL Scheme Hijacking. Retrieved February 9, 2024.", + "meta": { + "date_accessed": "2024-02-09T00:00:00Z", + "refs": [ + "https://docs.ostorlab.co/kb/IPA_URL_SCHEME_HIJACKING/index.html" + ], + "source": "MITRE", + "title": "iOS URL Scheme Hijacking" + }, + "related": [], + "uuid": "9910b0aa-f276-54da-a4df-fd47b42efb10", + "value": "iOS URL Scheme" + }, { "description": "Microsoft. (n.d.). Ipconfig. Retrieved April 17, 2016.", "meta": { @@ -25772,6 +27302,21 @@ "uuid": "2fdbf1ba-0480-4d70-9981-3b5967656472", "value": "Microsoft ISAPI Filter Overview 2017" }, + { + "description": "Marc-Etienne M.Léveillé. (2022, July 19). I see what you did there: A look at the CloudMensis macOS spyware. Retrieved March 21, 2024.", + "meta": { + "date_accessed": "2024-03-21T00:00:00Z", + "date_published": "2022-07-19T00:00:00Z", + "refs": [ + "https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/" + ], + "source": "MITRE", + "title": "I see what you did there: A look at the CloudMensis macOS spyware" + }, + "related": [], + "uuid": "cf42e04a-3593-51ff-bb0b-60d681dc4cd6", + "value": "welivesecurity TCC" + }, { "description": "Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.", "meta": { 
@@ -25936,6 +27481,21 @@ "uuid": "2ca502a2-664c-4b85-9d6c-1bc96dfb8332", "value": "Twitter ItsReallyNick Status Update APT32 PubPrn" }, + { + "description": "Gurkok, C. et al. (2024, January 15). Ivanti Connect Secure VPN Exploitation Goes Global. Retrieved February 27, 2024.", + "meta": { + "date_accessed": "2024-02-27T00:00:00Z", + "date_published": "2024-01-15T00:00:00Z", + "refs": [ + "https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/" + ], + "source": "MITRE", + "title": "Ivanti Connect Secure VPN Exploitation Goes Global" + }, + "related": [], + "uuid": "b96fa4f2-864d-5d88-9a29-b117da8f8c5c", + "value": "Volexity Ivanti Global Exploitation January 2024" + }, { "description": "Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.", "meta": { @@ -26146,6 +27706,21 @@ "uuid": "26a554dc-39c0-4638-902d-7e84fe01b961", "value": "U.S. Justice Department GRU Botnet February 2024" }, + { + "description": "Office of Public Affairs. (2024, February 15). Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). Retrieved March 28, 2024.", + "meta": { + "date_accessed": "2024-03-28T00:00:00Z", + "date_published": "2024-02-15T00:00:00Z", + "refs": [ + "https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian" + ], + "source": "MITRE", + "title": "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)" + }, + "related": [], + "uuid": "957488f8-c2a8-54b0-a3cb-7b510640a2c4", + "value": "Justice GRU 2024" + }, { "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.", "meta": { 
@@ -26236,6 +27811,22 @@
 "uuid": "d854f84a-4d70-4ef4-9197-d8f5396feabb",
 "value": "Kansa Service related collectors"
 },
+ {
+ "description": "Cybersecurity and Infrastructure Security Agency. (2023, December 12). Karakurt Data Extortion Group. Retrieved May 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-05-01T00:00:00Z",
+ "date_published": "2023-12-12T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Karakurt Data Extortion Group"
+ },
+ "related": [],
+ "uuid": "ca7ae918-5fbb-472a-b9fa-8e0eaee93af7",
+ "value": "U.S. CISA Karakurt December 12 2023"
+ },
 {
 "description": "Cybersecurity Infrastructure and Defense Agency. (2022, June 2). Karakurt Data Extortion Group. Retrieved March 10, 2023.",
 "meta": {
@@ -26681,6 +28272,21 @@
 "uuid": "9a497c56-f1d3-4889-8c1a-14b013f14668",
 "value": "Malwarebytes Kimsuky June 2021"
 },
+ {
+ "description": "Hossein Jazi. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved January 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-10T00:00:00Z",
+ "date_published": "2021-06-01T00:00:00Z",
+ "refs": [
+ "https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor"
+ ],
+ "source": "MITRE",
+ "title": "Kimsuky APT continues to target South Korean government using AppleSeed backdoor"
+ },
+ "related": [],
+ "uuid": "8b0dd1d7-dc9c-50d3-a47e-20304591ac40",
+ "value": "Kimsuky Malwarebytes"
+ },
 {
 "description": "Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.",
 "meta": {
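Review bot: The new Karakurt entry sets `"date_published": "2023-12-12T00:00:00Z"` for CISA advisory `aa22-152a`, while the existing entry directly below it cites the same title and advisory with `(2022, June 2)`; the `aa22-152a` identifier itself denotes a 2022 release, so December 2023 is most likely the date of a revision to the advisory rather than its publication. Two records for one document with conflicting publication dates will read as two distinct sources to anyone consuming this cluster. If the intent is to cite the revised version, the description should say so — `"Cybersecurity and Infrastructure Security Agency. (2022, June 2; updated 2023, December 12). Karakurt Data Extortion Group. Retrieved May 1, 2024."` — otherwise `date_published` should match the original. The `"Kimsuky Malwarebytes"` entry in the second hunk also looks like a duplicate of the `"Malwarebytes Kimsuky June 2021"` entry above it (same publisher, same month), but that entry's URL lies outside the hunk so I cannot confirm it.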
@@ -26917,6 +28523,21 @@ "uuid": "21a4388d-dbf8-487b-a2a2-67927b099e4a", "value": "Kubernetes Jobs" }, + { + "description": "Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1. Retrieved January 16, 2024.", + "meta": { + "date_accessed": "2024-01-16T00:00:00Z", + "date_published": "2020-03-18T00:00:00Z", + "refs": [ + "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216" + ], + "source": "MITRE", + "title": "Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1" + }, + "related": [], + "uuid": "85852b3e-f6a3-5406-9dd5-a649358a53de", + "value": "AppSecco Kubernetes Namespace Breakout 2020" + }, { "description": "The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021.", "meta": { @@ -26976,6 +28597,20 @@ "uuid": "8fcbd99a-1fb8-4ca3-9efd-a98734d4397d", "value": "Wits End and Shady PowerShell Profiles" }, + { + "description": "AWS. (n.d.). Lambda execution role. Retrieved February 28, 2024.", + "meta": { + "date_accessed": "2024-02-28T00:00:00Z", + "refs": [ + "https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html" + ], + "source": "MITRE", + "title": "Lambda execution role" + }, + "related": [], + "uuid": "18e41da7-8dd3-569b-a54d-253aa8cd22ff", + "value": "AWS Lambda Execution Role" + }, { "description": "Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022.", "meta": { 
@@ -27305,21 +28940,6 @@ "uuid": "ba6a5fcc-9391-42c0-8b90-57b729525f41", "value": "Kaspersky ThreatNeedle Feb 2021" }, - { - "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.", - "meta": { - "date_accessed": "2019-04-17T00:00:00Z", - "date_published": "2017-04-03T00:00:00Z", - "refs": [ - "https://securelist.com/lazarus-under-the-hood/77908/" - ], - "source": "MITRE, Tidal Cyber", - "title": "Lazarus Under the Hood" - }, - "related": [], - "uuid": "a1e1ab6a-8db0-4593-95ec-78784607dfa0", - "value": "Kaspersky Lazarus Under The Hood Blog 2017" - }, { "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.", "meta": { @@ -27335,6 +28955,21 @@ "uuid": "312b30b1-3bd6-46ea-8f77-504f442499bc", "value": "Kaspersky Lazarus Under The Hood APR 2017" }, + { + "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.", + "meta": { + "date_accessed": "2019-04-17T00:00:00Z", + "date_published": "2017-04-03T00:00:00Z", + "refs": [ + "https://securelist.com/lazarus-under-the-hood/77908/" + ], + "source": "MITRE, Tidal Cyber", + "title": "Lazarus Under the Hood" + }, + "related": [], + "uuid": "a1e1ab6a-8db0-4593-95ec-78784607dfa0", + "value": "Kaspersky Lazarus Under The Hood Blog 2017" + }, { "description": "Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.", "meta": { 
@@ -27427,6 +29062,21 @@ "uuid": "44e48c77-59dd-4851-8455-893513b7cf45", "value": "Proofpoint TA505 Mar 2018" }, + { + "description": "Microsoft. (2024, January 9). Learn about data loss prevention. Retrieved March 4, 2024.", + "meta": { + "date_accessed": "2024-03-04T00:00:00Z", + "date_published": "2024-01-09T00:00:00Z", + "refs": [ + "https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp" + ], + "source": "MITRE", + "title": "Learn about data loss prevention" + }, + "related": [], + "uuid": "0d8044c0-27ac-51bc-b08f-14ab352ed0b6", + "value": "Microsoft Purview Data Loss Prevention" + }, { "description": "Galobardes, R. (2018, October 30). Learn how easy is to bypass firewalls using DNS tunneling (and also how to block it). Retrieved March 15, 2020.", "meta": { @@ -27517,6 +29167,21 @@ "uuid": "efdbaba5-1713-4ae1-bb82-4b4706f03b87", "value": "Twitter Leoloobeek Scheduled Task" }, + { + "description": "Clint Gibler and Scott Piper. (2021, January 4). Lesser Known Techniques for Attacking AWS Environments. Retrieved March 4, 2024.", + "meta": { + "date_accessed": "2024-03-04T00:00:00Z", + "date_published": "2021-01-04T00:00:00Z", + "refs": [ + "https://tldrsec.com/p/blog-lesser-known-aws-attacks" + ], + "source": "MITRE", + "title": "Lesser Known Techniques for Attacking AWS Environments" + }, + "related": [], + "uuid": "b8de9dd2-3c57-5417-a24f-0260dff6afc6", + "value": "TLDRSec AWS Attacks" + }, { "description": "Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved October 15, 2020.", "meta": { 
@@ -27816,21 +29481,6 @@ "uuid": "a73a2819-61bd-5bd2-862d-5eeed344909f", "value": "Polop Linux PrivEsc Gitbook" }, - { - "description": "Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018.", - "meta": { - "date_accessed": "2018-09-21T00:00:00Z", - "date_published": "2017-09-15T00:00:00Z", - "refs": [ - "http://man7.org/linux/man-pages/man2/setuid.2.html" - ], - "source": "MITRE", - "title": "Linux Programmer's Manual" - }, - "related": [], - "uuid": "c07e9d6c-18f2-4246-a265-9bec7d833bba", - "value": "setuid man page" - }, { "description": "Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.", "meta": { @@ -27846,6 +29496,21 @@ "uuid": "a8a16cf6-0482-4e98-a39a-496491f985df", "value": "Man LD.SO" }, + { + "description": "Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018.", + "meta": { + "date_accessed": "2018-09-21T00:00:00Z", + "date_published": "2017-09-15T00:00:00Z", + "refs": [ + "http://man7.org/linux/man-pages/man2/setuid.2.html" + ], + "source": "MITRE", + "title": "Linux Programmer's Manual" + }, + "related": [], + "uuid": "c07e9d6c-18f2-4246-a265-9bec7d833bba", + "value": "setuid man page" + }, { "description": "skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.", "meta": { 
@@ -28302,6 +29967,21 @@ "uuid": "e113b544-82ad-4099-ab4e-7fc8b78f54bd", "value": "LogMeIn Homepage" }, + { + "description": "Microsoft. (2023, March 10). LogonUserW function (winbase.h). Retrieved January 8, 2024.", + "meta": { + "date_accessed": "2024-01-08T00:00:00Z", + "date_published": "2023-03-10T00:00:00Z", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw" + ], + "source": "MITRE", + "title": "LogonUserW function (winbase.h)" + }, + "related": [], + "uuid": "bf8cce5c-be5e-59c7-9ff2-e478f30ce712", + "value": "LogonUserW function" + }, { "description": "ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.", "meta": { @@ -28450,6 +30130,21 @@ "uuid": "099c3492-1813-4874-9901-e24b081f7e12", "value": "GitHub Mimikatz Issue 92 June 2017" }, + { + "description": "Gilboa, A. (2021, February 16). LSASS Memory Dumps are Stealthier than Ever Before - Part 2. Retrieved December 27, 2023.", + "meta": { + "date_accessed": "2023-12-27T00:00:00Z", + "date_published": "2021-02-16T00:00:00Z", + "refs": [ + "https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2" + ], + "source": "MITRE", + "title": "LSASS Memory Dumps are Stealthier than Ever Before - Part 2" + }, + "related": [], + "uuid": "4a37ea4e-c512-5e41-8e4e-27911b3a4617", + "value": "Deep Instinct LSASS" + }, { "description": "Kerrisk, M. (2022, December 18). lsmod(8) — Linux manual page. Retrieved March 28, 2023.", "meta": { 
@@ -28613,6 +30308,21 @@ "uuid": "b3d13a82-c24e-4b47-b47a-7221ad449859", "value": "Kaspersky Lyceum October 2021" }, + { + "description": "SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 11, 2019", + "meta": { + "date_accessed": "2019-11-11T00:00:00Z", + "date_published": "2019-08-27T00:00:00Z", + "refs": [ + "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" + ], + "source": "MITRE", + "title": "LYCEUM Takes Center Stage in Middle East Campaign" + }, + "related": [], + "uuid": "573edbb6-687b-4bc2-bc4a-764a548633b5", + "value": "SecureWorks August 2019" + }, { "description": "Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.", "meta": { @@ -28649,7 +30359,7 @@ "date_accessed": "2018-09-21T00:00:00Z", "date_published": "2017-01-01T00:00:00Z", "refs": [ - "https://www.synack.com/2017/01/01/mac-malware-2016/" + "https://objective-see.org/blog/blog_0x16.html" ], "source": "MITRE", "title": "Mac Malware of 2016" @@ -28672,21 +30382,6 @@ "uuid": "08227ae5-4086-4c31-83d9-459c3a097754", "value": "objsee mac malware 2017" }, - { - "description": "Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.", - "meta": { - "date_accessed": "2019-10-14T00:00:00Z", - "date_published": "2019-01-31T00:00:00Z", - "refs": [ - "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" - ], - "source": "MITRE", - "title": "Mac Malware Steals Cryptocurrency Exchanges’ Cookies" - }, - "related": [], - "uuid": "0a88e730-8ed2-4983-8f11-2cb2e4abfe3e", - "value": "Unit 42 Mac Crypto Cookies January 2019" - }, { "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.", "meta": { 
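Review bot: The `Mac Malware of 2016` reference swaps its URL to `https://objective-see.org/blog/blog_0x16.html` but leaves `"date_accessed": "2018-09-21T00:00:00Z"` untouched, so the record now asserts that the replacement URL was retrieved on a date that predates this change, which breaks the provenance the field exists to record. Either update `date_accessed` to when the new URL was actually verified, or keep the original synack.com URL via a web.archive.org snapshot, as the `Net.exe reference` and `symantec_mantis` entries elsewhere in this change do. The entry's `description` line (with its own `Retrieved …` text) lies outside this hunk and presumably needs the same correction.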
@@ -28702,6 +30397,21 @@ "uuid": "4605c51d-b36e-4c29-abda-2a97829f6019", "value": "Unit42 CookieMiner Jan 2019" }, + { + "description": "Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.", + "meta": { + "date_accessed": "2019-10-14T00:00:00Z", + "date_published": "2019-01-31T00:00:00Z", + "refs": [ + "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" + ], + "source": "MITRE", + "title": "Mac Malware Steals Cryptocurrency Exchanges’ Cookies" + }, + "related": [], + "uuid": "0a88e730-8ed2-4983-8f11-2cb2e4abfe3e", + "value": "Unit 42 Mac Crypto Cookies January 2019" + }, { "description": "Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.", "meta": { @@ -28986,6 +30696,21 @@ "uuid": "5b728693-37e8-4100-ac82-b70945113e07", "value": "MagicWeb" }, + { + "description": "Check Point Research. (2024, March 8). MAGNET GOBLIN TARGETS PUBLICLY FACING SERVERS USING 1-DAY VULNERABILITIES. Retrieved March 27, 2024.", + "meta": { + "date_accessed": "2024-03-27T00:00:00Z", + "date_published": "2024-03-08T00:00:00Z", + "refs": [ + "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/" + ], + "source": "MITRE", + "title": "MAGNET GOBLIN TARGETS PUBLICLY FACING SERVERS USING 1-DAY VULNERABILITIES" + }, + "related": [], + "uuid": "955b6449-4cd5-5512-a5f3-2bcb91def3ef", + "value": "MAGNET GOBLIN" + }, { "description": "Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.", "meta": { 
@@ -29076,6 +30801,36 @@ "uuid": "afe89472-ac42-4a0d-b398-5ed6a5dee74f", "value": "NetSPI Startup Stored Procedures" }, + { + "description": "Raymond, Nathaniel. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved January 17, 2024.", + "meta": { + "date_accessed": "2024-01-17T00:00:00Z", + "date_published": "2023-08-16T00:00:00Z", + "refs": [ + "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/" + ], + "source": "MITRE", + "title": "Major Energy Company Targeted in Large QR Code Phishing Campaign" + }, + "related": [], + "uuid": "450da173-3573-5502-ab53-6d6b9955714d", + "value": "Cofense-redirect" + }, + { + "description": "Nathaniel Raymond. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved February 13, 2024.", + "meta": { + "date_accessed": "2024-02-13T00:00:00Z", + "date_published": "2023-08-16T00:00:00Z", + "refs": [ + "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/" + ], + "source": "MITRE", + "title": "Major Energy Company Targeted in Large QR Code Phishing Campaign" + }, + "related": [], + "uuid": "eda8270f-c76f-5d01-b45f-74246945ec50", + "value": "QR-cofense" + }, { "description": "LOLBAS. (2018, May 25). Makecab.exe. Retrieved December 4, 2023.", "meta": { 
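Review bot: The two new Cofense entries cite the identical URL, title and publication date but carry different uuids and the opaque values `"Cofense-redirect"` and `"QR-cofense"`, so a consumer resolving a reference by URL now gets two candidates with nothing to prefer one over the other, and the two records can drift apart on later regenerations. If both keys must exist because upstream technique pages cite them separately, the `value` names should at least follow the descriptive source-plus-date pattern used by neighbouring entries (e.g. `Optiv Device Code Phishing 2021`); otherwise they should be merged into one record. Strict JSON leaves no room for an explanatory comment, so the distinction has to live in the data itself.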
@@ -29799,6 +31554,20 @@ "uuid": "91ce21f7-4cd5-4a75-a533-45d052a11c5d", "value": "Microsoft Inbox Rules" }, + { + "description": "Google. (n.d.). Manage external sharing for your organization. Retrieved March 4, 2024.", + "meta": { + "date_accessed": "2024-03-04T00:00:00Z", + "refs": [ + "https://support.google.com/a/answer/60781" + ], + "source": "MITRE", + "title": "Manage external sharing for your organization" + }, + "related": [], + "uuid": "0cc85d20-f47c-52da-8391-83d630e744b9", + "value": "Google Workspace External Sharing" + }, { "description": "Google Cloud. (n.d.). Manage just-in-time privileged access to projects. Retrieved September 21, 2023.", "meta": { @@ -29843,6 +31612,21 @@ "uuid": "3d794f31-c3b4-4e0b-8558-b944d6616676", "value": "Office 365 Partner Relationships" }, + { + "description": "Microsoft. (2023, October 11). Manage sharing settings for SharePoint and OneDrive in Microsoft 365. Retrieved March 4, 2024.", + "meta": { + "date_accessed": "2024-03-04T00:00:00Z", + "date_published": "2023-10-11T00:00:00Z", + "refs": [ + "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off" + ], + "source": "MITRE", + "title": "Manage sharing settings for SharePoint and OneDrive in Microsoft 365" + }, + "related": [], + "uuid": "69154fdc-3540-5c31-8285-f7795db45d7f", + "value": "Microsoft 365 External Sharing" + }, { "description": "Microsoft. (n.d.). Manage Trusted Publishers. Retrieved March 31, 2016.", "meta": { 
@@ -29947,18 +31731,18 @@ "value": "FireEye APT35 2018" }, { - "description": "Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.", + "description": "Mandiant. (n.d.). Retrieved February 13, 2024.", "meta": { - "date_accessed": "2014-12-05T00:00:00Z", + "date_accessed": "2024-02-13T00:00:00Z", "refs": [ - "https://msdn.microsoft.com/en-US/library/aa375365" + "https://www.mandiant.com/resources/reports" ], "source": "MITRE", - "title": "Manifests" + "title": "Mandiant WMI" }, "related": [], - "uuid": "e336dc02-c7bb-4046-93d9-17b9512fb731", - "value": "Microsoft Manifests" + "uuid": "8d237948-7b10-5055-b9e6-52e6cab16f32", + "value": "Mandiant WMI" }, { "description": "Microsoft. (n.d.). Manifests. Retrieved June 3, 2016.", @@ -29974,6 +31758,20 @@ "uuid": "a29301fe-0e3c-4c6e-85c5-a30a6bcb9114", "value": "MSDN Manifests" }, + { + "description": "Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.", + "meta": { + "date_accessed": "2014-12-05T00:00:00Z", + "refs": [ + "https://msdn.microsoft.com/en-US/library/aa375365" + ], + "source": "MITRE", + "title": "Manifests" + }, + "related": [], + "uuid": "e336dc02-c7bb-4046-93d9-17b9512fb731", + "value": "Microsoft Manifests" + }, { "description": "Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018.", "meta": { 
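Review bot: The entry that replaces `Microsoft Manifests` has a description of only `Mandiant. (n.d.). Retrieved February 13, 2024.` and points at `https://www.mandiant.com/resources/reports`, a listing page, so the citation named `Mandiant WMI` cannot be traced to any specific document and a reader verifying a WMI claim has nothing to verify against. A reference record should carry the report's actual title in `title` and `description` and a URL to that report (or a web.archive.org snapshot of it); if the specific report cannot be recovered upstream, the record should say so rather than present a generic landing page as a source. The displaced `Microsoft Manifests` entry is re-added later in this change, so nothing is lost on that side; the defect is the new record, and since this file is generated it likely needs fixing at the upstream source.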
@@ -30077,6 +31875,21 @@ "uuid": "8ea545ac-cca6-5da5-8a93-6b07518fc9d4", "value": "Kaspersky ManOnTheSide" }, + { + "description": "Symantec Threat Hunter Team. (2023, April 4). Mantis: New Tooling Used in Attacks Against Palestinian Targets. Retrieved March 4, 2024.", + "meta": { + "date_accessed": "2024-03-04T00:00:00Z", + "date_published": "2023-04-04T00:00:00Z", + "refs": [ + "https://web.archive.org/web/20231227054130/https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks" + ], + "source": "MITRE", + "title": "Mantis: New Tooling Used in Attacks Against Palestinian Targets" + }, + "related": [], + "uuid": "76a792b5-f3cd-566e-a87b-9fae844ce07d", + "value": "symantec_mantis" + }, { "description": "Falcon OverWatch Team. (2020, July 14). Manufacturing Industry in the Adversaries’ Crosshairs. Retrieved October 17, 2021.", "meta": { @@ -30855,6 +32668,21 @@ "uuid": "8771ed60-eecb-4e0c-b22c-0c26d30d4dec", "value": "Radware Micropsia July 2018" }, + { + "description": "Optiv. (2021, August 17). Microsoft 365 OAuth Device Code Flow and Phishing. Retrieved March 19, 2024.", + "meta": { + "date_accessed": "2024-03-19T00:00:00Z", + "date_published": "2021-08-17T00:00:00Z", + "refs": [ + "https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing" + ], + "source": "MITRE", + "title": "Microsoft 365 OAuth Device Code Flow and Phishing" + }, + "related": [], + "uuid": "848da3e2-3228-5ee6-8fff-ff3328e6a387", + "value": "Optiv Device Code Phishing 2021" + }, { "description": "MSRC. (2024, January 19). Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard. Retrieved January 24, 2024.", "meta": { 
@@ -30991,21 +32819,6 @@ "uuid": "f9daf15d-61ea-4cfa-a4e8-9d33d1acd28f", "value": "Microsoft HTML Help May 2018" }, - { - "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.", - "meta": { - "date_accessed": "2019-10-04T00:00:00Z", - "date_published": "2019-08-27T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens" - ], - "source": "MITRE", - "title": "Microsoft identity platform access tokens" - }, - "related": [], - "uuid": "a39d976e-9b52-48f3-b5db-0ffd84ecd338", - "value": "Microsoft Identity Platform Access 2019" - }, { "description": "Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019.", "meta": { @@ -31021,6 +32834,21 @@ "uuid": "44767d53-8cd7-44dd-a69d-8a7bebc1d87d", "value": "Microsoft - Azure AD Identity Tokens - Aug 2019" }, + { + "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.", + "meta": { + "date_accessed": "2019-10-04T00:00:00Z", + "date_published": "2019-08-27T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens" + ], + "source": "MITRE", + "title": "Microsoft identity platform access tokens" + }, + "related": [], + "uuid": "a39d976e-9b52-48f3-b5db-0ffd84ecd338", + "value": "Microsoft Identity Platform Access 2019" + }, { "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.", "meta": { 
@@ -31182,21 +33010,6 @@ "uuid": "86955cd2-5980-44ba-aa7b-4b9f8e347730", "value": "Microsoft WDAC" }, - { - "description": "Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.", - "meta": { - "date_accessed": "2021-03-16T00:00:00Z", - "date_published": "2020-10-15T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "source": "MITRE", - "title": "Microsoft recommended driver block rules" - }, - "related": [], - "uuid": "2ad8414a-4490-4896-8266-556b8bdbb77f", - "value": "Microsoft Driver Block Rules" - }, { "description": "Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.", "meta": { @@ -31212,6 +33025,21 @@ "uuid": "9bb5c330-56bd-47e7-8414-729d8e6cb3b3", "value": "Microsoft driver block rules" }, + { + "description": "Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.", + "meta": { + "date_accessed": "2021-03-16T00:00:00Z", + "date_published": "2020-10-15T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "source": "MITRE", + "title": "Microsoft recommended driver block rules" + }, + "related": [], + "uuid": "2ad8414a-4490-4896-8266-556b8bdbb77f", + "value": "Microsoft Driver Block Rules" + }, { "description": "Microsoft. (n.d.). Retrieved January 24, 2020.", "meta": { 
@@ -31516,6 +33344,21 @@ "uuid": "a8224ad5-4688-4382-a3e7-1dd3ed74ebce", "value": "CyberScoop BlackOasis Oct 2017" }, + { + "description": "Microsoft Threat Intelligence. (2023, August 2). Midnight Blizzard conducts targeted social engineering over Microsoft Teams. Retrieved February 16, 2024.", + "meta": { + "date_accessed": "2024-02-16T00:00:00Z", + "date_published": "2023-08-02T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/" + ], + "source": "MITRE", + "title": "Midnight Blizzard conducts targeted social engineering over Microsoft Teams" + }, + "related": [], + "uuid": "8d0db0f2-9b29-5216-8c9c-de8bf0c541de", + "value": "Int SP - chat apps" + }, { "description": "Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.", "meta": { @@ -31650,6 +33493,21 @@ "uuid": "b10cd6cc-35ed-4eac-b213-110de28f33ef", "value": "MimiPenguin GitHub May 2017" }, + { + "description": "Gregal, Hunter. (2019, September 17). MimiPenguin 2.0. Retrieved March 28, 2024.", + "meta": { + "date_accessed": "2024-03-28T00:00:00Z", + "date_published": "2019-09-17T00:00:00Z", + "refs": [ + "https://github.com/huntergregal/mimipenguin/blob/master/mimipenguin.sh" + ], + "source": "MITRE", + "title": "MimiPenguin 2.0" + }, + "related": [], + "uuid": "b66d4c5a-f4de-5888-ad8a-a20bda888bc6", + "value": "mimipenguin proc file" + }, { "description": "Lozhkin, S.. (2015, July 16). Minidionis – one more APT with a usage of cloud drives. Retrieved April 5, 2017.", "meta": { 
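Review bot: The `mimipenguin proc file` reference links to `https://github.com/huntergregal/mimipenguin/blob/master/mimipenguin.sh`, a branch-tracking URL whose content can change or vanish after any push, so the credential-dumping script being cited is not what a future reader will see. References into a repository should pin a commit, e.g. `https://github.com/huntergregal/mimipenguin/blob/<commit-sha>/mimipenguin.sh`, or use a web.archive.org snapshot as the `symantec_mantis` and updated `Net.exe reference` entries in this same change already do. The stated publication date of 2019-09-17 suggests which revision was intended, if the upstream maintainers can recover it.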
@@ -31695,6 +33553,21 @@ "uuid": "83de363d-b575-4851-9c2d-a78f504cf754", "value": "lazgroup_idn_phishing" }, + { + "description": "Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.", + "meta": { + "date_accessed": "2024-02-07T00:00:00Z", + "date_published": "2024-02-06T00:00:00Z", + "refs": [ + "https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf" + ], + "source": "MITRE", + "title": "Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT" + }, + "related": [], + "uuid": "e8e60112-a08d-5316-b80f-f601e7e5c973", + "value": "NCSC-NL COATHANGER Feb 2024" + }, { "description": "Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.", "meta": { 
@@ -31710,6 +33583,37 @@ "uuid": "0110500c-bf67-43a5-97cb-16eb6c01040b", "value": "APT15 Intezer June 2018" }, + { + "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.", + "meta": { + "date_accessed": "2024-03-13T00:00:00Z", + "date_published": "2019-11-19T00:00:00Z", + "refs": [ + "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" + ], + "source": "MITRE", + "title": "Mispadu: Advertisement for a discounted Unhappy Meal" + }, + "related": [], + "uuid": "e1b945f4-20e0-5b69-8fd7-f05afce8c0ba", + "value": "ESET Security Mispadu Facebook Ads 2019" + }, + { + "description": "ESET Research. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved April 4, 2024.", + "meta": { + "date_accessed": "2024-04-04T00:00:00Z", + "date_published": "2019-11-19T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" + ], + "source": "Tidal Cyber", + "title": "Mispadu: Advertisement for a discounted Unhappy Meal" + }, + "related": [], + "uuid": "a27753c1-2f7a-40c4-9e28-a37265bce28c", + "value": "ESET Mispadu November 2019" + }, { "description": "Duarte, H., Morrison, B. (2012). (Mis)trusting and (ab)using ssh. Retrieved January 8, 2018.", "meta": { 
@@ -31725,6 +33629,20 @@ "uuid": "4f63720a-50b6-4eef-826c-71ce8d6e4bb8", "value": "Slideshare Abusing SSH" }, + { + "description": "Ariel Szarf, Or Aspir. (n.d.). Mitiga Security Advisory: Abusing the SSM Agent as a Remote Access Trojan. Retrieved January 31, 2024.", + "meta": { + "date_accessed": "2024-01-31T00:00:00Z", + "refs": [ + "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan" + ], + "source": "MITRE", + "title": "Mitiga Security Advisory: Abusing the SSM Agent as a Remote Access Trojan" + }, + "related": [], + "uuid": "88fecbcd-a89b-536a-a1f6-6ddfb2b452da", + "value": "Mitiga Security Advisory: SSM Agent as Remote Access Trojan" + }, { "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.", "meta": { @@ -32126,21 +34044,6 @@ "uuid": "6851b3f9-0239-40fc-ba44-34a775e9bd4e", "value": "ESET EvilNum July 2020" }, - { - "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.", - "meta": { - "date_accessed": "2014-12-05T00:00:00Z", - "date_published": "2010-08-12T00:00:00Z", - "refs": [ - "http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx" - ], - "source": "MITRE", - "title": "More information about the DLL Preloading remote attack vector" - }, - "related": [], - "uuid": "46aa7075-9f0a-461e-8519-5c4860208678", - "value": "Microsoft DLL Preloading" - }, { "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.", "meta": { 
@@ -32156,6 +34059,21 @@ "uuid": "80289c7b-53c1-4aec-9436-04a43a82f769", "value": "Microsoft More information about DLL" }, + { + "description": "Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.", + "meta": { + "date_accessed": "2014-12-05T00:00:00Z", + "date_published": "2010-08-12T00:00:00Z", + "refs": [ + "http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx" + ], + "source": "MITRE", + "title": "More information about the DLL Preloading remote attack vector" + }, + "related": [], + "uuid": "46aa7075-9f0a-461e-8519-5c4860208678", + "value": "Microsoft DLL Preloading" + }, { "description": "valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.", "meta": { @@ -32245,21 +34163,6 @@ "uuid": "e9c47d8e-f732-45c9-bceb-26c5d564e781", "value": "CrowdStrike Deep Panda Web Shells" }, - { - "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 1, 2023.", - "meta": { - "date_accessed": "2023-09-01T00:00:00Z", - "date_published": "2023-08-10T00:00:00Z", - "refs": [ - "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" - ], - "source": "MITRE", - "title": "MoustachedBouncer: Espionage against foreign diplomats in Belarus" - }, - "related": [], - "uuid": "6c85e925-d42b-590c-a424-14ebb49812bb", - "value": "ESET MoustachedBouncer" - }, { "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.", "meta": { 
@@ -32275,6 +34178,21 @@ "uuid": "9070f14b-5d5e-5f6d-bcac-628478e01242", "value": "MoustachedBouncer ESET August 2023" }, + { + "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 1, 2023.", + "meta": { + "date_accessed": "2023-09-01T00:00:00Z", + "date_published": "2023-08-10T00:00:00Z", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + ], + "source": "MITRE", + "title": "MoustachedBouncer: Espionage against foreign diplomats in Belarus" + }, + "related": [], + "uuid": "6c85e925-d42b-590c-a424-14ebb49812bb", + "value": "ESET MoustachedBouncer" + }, { "description": "Progress Software. (2023, June 16). MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362). Retrieved July 28, 2023.", "meta": { @@ -32336,21 +34254,6 @@ "uuid": "e208c277-e477-4123-8c3c-313d55cdc1ea", "value": "Volatility Detecting Hooks Sept 2012" }, - { - "description": "Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", - "meta": { - "date_accessed": "2017-03-10T00:00:00Z", - "date_published": "2012-11-20T00:00:00Z", - "refs": [ - "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/" - ], - "source": "MITRE", - "title": "Mozilla Foundation Security Advisory 2012-98" - }, - "related": [], - "uuid": "920d1607-154e-4c74-b1eb-0d8299be536f", - "value": "Mozilla Firefox Installer DLL Hijack" - }, { "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", "meta": { 
@@ -32366,6 +34269,21 @@ "uuid": "cd720550-a0b5-4d1d-85dd-98da97f45b62", "value": "mozilla_sec_adv_2012" }, + { + "description": "Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", + "meta": { + "date_accessed": "2017-03-10T00:00:00Z", + "date_published": "2012-11-20T00:00:00Z", + "refs": [ + "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/" + ], + "source": "MITRE", + "title": "Mozilla Foundation Security Advisory 2012-98" + }, + "related": [], + "uuid": "920d1607-154e-4c74-b1eb-0d8299be536f", + "value": "Mozilla Firefox Installer DLL Hijack" + }, { "description": "LOLBAS. (2020, March 20). MpCmdRun.exe. Retrieved December 4, 2023.", "meta": { @@ -32412,21 +34330,6 @@ "uuid": "a15fff18-5d3f-4898-9e47-ec6ae7dda749", "value": "SRD GPP" }, - { - "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.", - "meta": { - "date_accessed": "2020-02-17T00:00:00Z", - "date_published": "2014-05-13T00:00:00Z", - "refs": [ - "https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati" - ], - "source": "MITRE", - "title": "MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege" - }, - "related": [], - "uuid": "7537c0bb-6f14-4a4a-94cc-98c6ed9e878f", - "value": "MS14-025" - }, { "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.", "meta": { 
@@ -32442,6 +34345,21 @@ "uuid": "dbe32cbd-8c6e-483f-887c-ea2a5102cf65", "value": "Microsoft MS14-025" }, + { + "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.", + "meta": { + "date_accessed": "2020-02-17T00:00:00Z", + "date_published": "2014-05-13T00:00:00Z", + "refs": [ + "https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati" + ], + "source": "MITRE", + "title": "MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege" + }, + "related": [], + "uuid": "7537c0bb-6f14-4a4a-94cc-98c6ed9e878f", + "value": "MS14-025" + }, { "description": "Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016.", "meta": { @@ -33281,6 +35199,21 @@ "uuid": "d876d037-9d24-44af-b8f0-5c1555632b91", "value": "NCSC Sandworm Feb 2020" }, + { + "description": "Nick Landers. (2017, August 8). Need a signed alternative to Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered.. Retrieved February 6, 2024.", + "meta": { + "date_accessed": "2024-02-06T00:00:00Z", + "date_published": "2017-08-08T00:00:00Z", + "refs": [ + "https://twitter.com/monoxgas/status/895045566090010624" + ], + "source": "MITRE", + "title": "Need a signed alternative to Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered." + }, + "related": [], + "uuid": "264a4f99-b1dc-5afd-8178-e1f37c3db8ff", + "value": "7 - appv" + }, { "description": "Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November 17, 2017.", "meta": { @@ -33316,7 +35249,7 @@ "date_accessed": "2015-09-22T00:00:00Z", "date_published": "1999-03-04T00:00:00Z", "refs": [ - "http://windowsitpro.com/windows/netexe-reference" + "https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" ], "source": "MITRE", "title": "Net.exe reference" 
@@ -33743,21 +35676,6 @@ "uuid": "5695d3a2-6b6c-433a-9254-d4a2e001a8be", "value": "Bleeping Computer Evil Corp mimics PayloadBin gang 2022" }, - { - "description": "Microsoft Malware Protection Center. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved July 3, 2017.", - "meta": { - "date_accessed": "2017-07-03T00:00:00Z", - "date_published": "2016-03-22T00:00:00Z", - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/" - ], - "source": "MITRE", - "title": "New feature in Office 2016 can block macros and help prevent infection" - }, - "related": [], - "uuid": "f14f08c5-de51-4827-ba3a-f0598dfbe505", - "value": "TechNet Office Macro Security" - }, { "description": "Windows Defender Research. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved April 11, 2018.", "meta": { @@ -33773,6 +35691,21 @@ "uuid": "4d0f4d0a-b812-42f8-a52c-a1f5c69e6337", "value": "Microsoft Block Office Macros" }, + { + "description": "Microsoft Malware Protection Center. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved July 3, 2017.", + "meta": { + "date_accessed": "2017-07-03T00:00:00Z", + "date_published": "2016-03-22T00:00:00Z", + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/" + ], + "source": "MITRE", + "title": "New feature in Office 2016 can block macros and help prevent infection" + }, + "related": [], + "uuid": "f14f08c5-de51-4827-ba3a-f0598dfbe505", + "value": "TechNet Office Macro Security" + }, { "description": "Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.", "meta": { 
@@ -33877,21 +35810,6 @@ "uuid": "1641553f-96e7-4829-8c77-d96388dac5c7", "value": "Avast CCleaner3 2018" }, - { - "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.", - "meta": { - "date_accessed": "2018-02-19T00:00:00Z", - "date_published": "2017-04-06T00:00:00Z", - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/" - ], - "source": "MITRE", - "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet" - }, - "related": [], - "uuid": "489a6c57-f64c-423b-a7bd-169fa36c4cdf", - "value": "amnesia malware" - }, { "description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.", "meta": { @@ -33907,6 +35825,21 @@ "uuid": "95b5b03e-f160-47cf-920c-8f4f3d4114a3", "value": "Tsunami" }, + { + "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.", + "meta": { + "date_accessed": "2018-02-19T00:00:00Z", + "date_published": "2017-04-06T00:00:00Z", + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/" + ], + "source": "MITRE", + "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet" + }, + "related": [], + "uuid": "489a6c57-f64c-423b-a7bd-169fa36c4cdf", + "value": "amnesia malware" + }, { "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.", "meta": { 
@@ -33937,6 +35870,36 @@ "uuid": "f3d3b9bc-4c59-4a1f-b602-e3e884661708", "value": "Unit 42 NOKKI Sept 2018" }, + { + "description": "Ionut Arghire. (2021, February 24). New ‘LazyScripter’ Hacking Group Targets Airlines. Retrieved January 10, 2024.", + "meta": { + "date_accessed": "2024-01-10T00:00:00Z", + "date_published": "2021-02-24T00:00:00Z", + "refs": [ + "https://www.securityweek.com/new-lazyscripter-hacking-group-targets-airlines/" + ], + "source": "MITRE", + "title": "New ‘LazyScripter’ Hacking Group Targets Airlines" + }, + "related": [], + "uuid": "bafb2088-d3c1-5550-a48e-cf1e84662fcc", + "value": "Arghire LazyScripter" + }, + { + "description": "Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023.", + "meta": { + "date_accessed": "2023-12-19T00:00:00Z", + "date_published": "2022-05-25T00:00:00Z", + "refs": [ + "https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html" + ], + "source": "MITRE", + "title": "New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code" + }, + "related": [], + "uuid": "ca7ccf2c-37f3-522a-acfb-09daa16e23d8", + "value": "Trend Micro Cheerscrypt May 2022" + }, { "description": "Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.", "meta": { 
@@ -33967,21 +35930,6 @@ "uuid": "b1540c5c-0bbc-4b9d-9185-fae224ba31be", "value": "Gallagher 2015" }, - { - "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.", - "meta": { - "date_accessed": "2017-12-18T00:00:00Z", - "date_published": "2017-11-28T00:00:00Z", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" - ], - "source": "MITRE", - "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection" - }, - "related": [], - "uuid": "9737055a-f583-448e-84d0-1d336c4da9a8", - "value": "FireEye TLS Nov 2017" - }, { "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.", "meta": { @@ -33997,6 +35945,21 @@ "uuid": "32c0b9d2-9f31-4e49-8b3a-c63ff4fffa47", "value": "FireEye Ursnif Nov 2017" }, + { + "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.", + "meta": { + "date_accessed": "2017-12-18T00:00:00Z", + "date_published": "2017-11-28T00:00:00Z", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" + ], + "source": "MITRE", + "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection" + }, + "related": [], + "uuid": "9737055a-f583-448e-84d0-1d336c4da9a8", + "value": "FireEye TLS Nov 2017" + }, { "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.", "meta": { 
@@ -34132,6 +36095,21 @@ "uuid": "a4b37a24-b2a0-4fcb-9ec3-0d6b67e4e13b", "value": "Trend Micro Xbash Sept 2018" }, + { + "description": "Bill Toulas. (2023, December 14). New NKAbuse malware abuses NKN blockchain for stealthy comms. Retrieved February 8, 2024.", + "meta": { + "date_accessed": "2024-02-08T00:00:00Z", + "date_published": "2023-12-14T00:00:00Z", + "refs": [ + "https://www.bleepingcomputer.com/news/security/new-nkabuse-malware-abuses-nkn-blockchain-for-stealthy-comms/#google_vignette" + ], + "source": "MITRE", + "title": "New NKAbuse malware abuses NKN blockchain for stealthy comms" + }, + "related": [], + "uuid": "7c0fea50-a125-57eb-9a86-dd0d6693abce", + "value": "NKAbuse BC" + }, { "description": "MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.", "meta": { @@ -34222,6 +36200,21 @@ "uuid": "9523d8ae-d749-4c25-8c7b-df2d8c25c3c8", "value": "Cybereason Linux Exim Worm" }, + { + "description": "Jenko Hwong. (2021, August 10). New Phishing Attacks Exploiting OAuth Authorization Flows (Part 1). Retrieved March 19, 2024.", + "meta": { + "date_accessed": "2024-03-19T00:00:00Z", + "date_published": "2021-08-10T00:00:00Z", + "refs": [ + "https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authorization-flows-part-1" + ], + "source": "MITRE", + "title": "New Phishing Attacks Exploiting OAuth Authorization Flows (Part 1)" + }, + "related": [], + "uuid": "175ea9c6-aa18-581b-9af5-d4d44f0909e9", + "value": "Netskope Device Code Phishing 2021" + }, { "description": "MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", "meta": { 
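Review bot: The NKAbuse reference URL in the first hunk carries a `#google_vignette` fragment, which is an ad-interstitial artefact appended by the browser rather than part of the article address; it should be stripped to `"https://www.bleepingcomputer.com/news/security/new-nkabuse-malware-abuses-nkn-blockchain-for-stealthy-comms/"`. A fragment like this also defeats exact-match deduplication against any other entry that cites the same article. The Netskope entry in the second hunk looks consistent with its citation.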
@@ -35195,21 +37188,6 @@ "uuid": "72d4b682-ed19-4e0f-aeff-faa52b3a0439", "value": "Github NoRunDll" }, - { - "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.", - "meta": { - "date_accessed": "2023-06-30T00:00:00Z", - "date_published": "2022-12-02T00:00:00Z", - "refs": [ - "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" - ], - "source": "MITRE", - "title": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies" - }, - "related": [], - "uuid": "382785e1-4ef3-506e-b74f-cd07df9ae46e", - "value": "Crowdstrike TELCO BPO Campaign December 2022" - }, { "description": "Tim Parisi. (2022, December 22). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved September 14, 2023.", "meta": { @@ -35226,6 +37204,21 @@ "uuid": "e48760ba-2752-4d30-8f99-152c81f63017", "value": "CrowdStrike Scattered Spider SIM Swapping December 22 2022" }, + { + "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.", + "meta": { + "date_accessed": "2023-06-30T00:00:00Z", + "date_published": "2022-12-02T00:00:00Z", + "refs": [ + "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" + ], + "source": "MITRE", + "title": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies" + }, + "related": [], + "uuid": "382785e1-4ef3-506e-b74f-cd07df9ae46e", + "value": "Crowdstrike TELCO BPO Campaign December 2022" + }, { "description": "Ducklin, P. (2015, April 20). Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. Retrieved June 16, 2020.", "meta": { 
@@ -35330,6 +37323,21 @@ "uuid": "306f7da7-caa2-40bf-a3db-e579c541eeb4", "value": "NT API Windows" }, + { + "description": "Rahman, Alyssa. (2021, December 13). Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits. Retrieved November 28, 2023.", + "meta": { + "date_accessed": "2023-11-28T00:00:00Z", + "date_published": "2021-12-13T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/hunting-deserialization-exploits" + ], + "source": "MITRE", + "title": "Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits" + }, + "related": [], + "uuid": "c42e1d00-942c-513d-bdfb-b97afc8f38cf", + "value": "Now You Serial" + }, { "description": "Npcap. (n.d.). Npcap: Windows Packet Capture Library & Driver. Retrieved September 7, 2023.", "meta": { @@ -35496,6 +37504,21 @@ "uuid": "039c0947-1976-4eb8-bb26-4c74dceea7f0", "value": "OWASP Vuln Scanning" }, + { + "description": "SecureWorks Counter Threat Unit Research Team. (2021, June 3). OAuth’S Device Code Flow Abused in Phishing Attacks. Retrieved March 19, 2024.", + "meta": { + "date_accessed": "2024-03-19T00:00:00Z", + "date_published": "2021-06-03T00:00:00Z", + "refs": [ + "https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks" + ], + "source": "MITRE", + "title": "OAuth’S Device Code Flow Abused in Phishing Attacks" + }, + "related": [], + "uuid": "0cea6734-d877-5007-95cc-0e24bdf33ff8", + "value": "SecureWorks Device Code Phishing 2021" + }, { "description": "Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.", "meta": { 
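Review bot: The SecureWorks entry in the second hunk has `OAuth’S` with a capital S in both `description` and `title`; this looks like a capitalisation slip in the possessive and, since `title` is what gets displayed, is worth correcting to `"title": "OAuth’s Device Code Flow Abused in Phishing Attacks"` (and the matching text in `description`) if the source page confirms it. The apostrophe here and in `Don’t` in the first hunk is a literal U+2019, which is valid UTF-8 JSON, but it differs from the ASCII apostrophe used in `People's Republic` elsewhere in this diff, so a consumer matching on title text will need to normalise quotes.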
@@ -35675,6 +37698,21 @@ "uuid": "77407057-53f1-4fde-bc74-00f73d417f7d", "value": "Securelist Octopus Oct 2018" }, + { + "description": "Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.", + "meta": { + "date_accessed": "2024-03-18T00:00:00Z", + "date_published": "2023-10-25T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/" + ], + "source": "MITRE", + "title": "Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction" + }, + "related": [], + "uuid": "92716d7d-3ca5-5d7a-b719-946e94828f13", + "value": "MSTIC Octo Tempest Operations October 2023" + }, { "description": "LOLBAS. (n.d.). Odbcconf.exe. Retrieved March 7, 2019.", "meta": { @@ -36051,6 +38089,21 @@ "uuid": "3d7dcd68-a7b2-438c-95bb-b7523a39c6f7", "value": "OneDriveStandaloneUpdater.exe - LOLBAS Project" }, + { + "description": "Kosayev, U. (2023, June 15). One Electron to Rule Them All. Retrieved March 7, 2024.", + "meta": { + "date_accessed": "2024-03-07T00:00:00Z", + "date_published": "2023-06-15T00:00:00Z", + "refs": [ + "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf" + ], + "source": "MITRE", + "title": "One Electron to Rule Them All" + }, + "related": [], + "uuid": "e4aa340e-de84-5b0d-8fba-405005a46f09", + "value": "Electron 6-8" + }, { "description": "Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19). One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January 26, 2022.", "meta": { 
@@ -36095,6 +38148,21 @@ "uuid": "54e5f23a-5ca6-4feb-8046-db2fb71b400a", "value": "FireEye FIN7 Aug 2018" }, + { + "description": "Baumgartner, K. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved March 28, 2024.", + "meta": { + "date_accessed": "2024-03-28T00:00:00Z", + "date_published": "2016-10-03T00:00:00Z", + "refs": [ + "https://securelist.com/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/76147/" + ], + "source": "MITRE", + "title": "On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users" + }, + "related": [], + "uuid": "67d6cf00-7971-55fb-ae5f-e71a3150ceaa", + "value": "securelist_strongpity" + }, { "description": "Phile Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021.", "meta": { @@ -36216,6 +38284,22 @@ "uuid": "336ea5f5-d8cc-4af5-9aa0-203e319b3c28", "value": "Windows AppleJeus GReAT" }, + { + "description": "Cybereason Nocturnus. (2022, April 5). Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials. Retrieved October 30, 2023.", + "meta": { + "date_accessed": "2023-10-30T00:00:00Z", + "date_published": "2022-04-05T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials" + ], + "source": "Tidal Cyber", + "title": "Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials" + }, + "related": [], + "uuid": "7d71b7c9-531e-4e4f-ab85-df2380555b7a", + "value": "Cybereason Operation Bearded Barbie April 5 2022" + }, { "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.", "meta": { 
@@ -36621,21 +38705,6 @@ "uuid": "4035e871-9291-4d7f-9c5f-d8482d4dc8a7", "value": "AhnLab Kimsuky Kabar Cobra Feb 2019" }, - { - "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.", - "meta": { - "date_accessed": "2014-11-12T00:00:00Z", - "date_published": "2014-01-01T00:00:00Z", - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf" - ], - "source": "MITRE", - "title": "OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs" - }, - "related": [], - "uuid": "31504d92-6c4d-43f0-8548-ccc3aa05ba48", - "value": "Villeneuve et al 2014" - }, { "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.", "meta": { @@ -36651,6 +38720,21 @@ "uuid": "bb45cf96-ceae-4f46-a0f5-08cd89f699c9", "value": "Mandiant Operation Ke3chang November 2014" }, + { + "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.", + "meta": { + "date_accessed": "2014-11-12T00:00:00Z", + "date_published": "2014-01-01T00:00:00Z", + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf" + ], + "source": "MITRE", + "title": "OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs" + }, + "related": [], + "uuid": "31504d92-6c4d-43f0-8548-ccc3aa05ba48", + "value": "Villeneuve et al 2014" + }, { "description": "Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.", "meta": { 
@@ -37293,6 +39377,21 @@ "uuid": "55ee5bcc-ba56-58ac-9afb-2349aa75fe39", "value": "Kubernetes Cloud Native Security" }, + { + "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.", + "meta": { + "date_accessed": "2021-03-24T00:00:00Z", + "date_published": "2012-07-23T00:00:00Z", + "refs": [ + "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html" + ], + "source": "MITRE", + "title": "Overview of Dynamic Libraries" + }, + "related": [], + "uuid": "e3b8cc52-2096-418c-b291-1bc76022961d", + "value": "Apple Doco Archive Dynamic Libraries" + }, { "description": "Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.", "meta": { @@ -37309,19 +39408,18 @@ "value": "Apple Dev Dynamic Libraries" }, { - "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.", + "description": "Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.", "meta": { - "date_accessed": "2021-03-24T00:00:00Z", - "date_published": "2012-07-23T00:00:00Z", + "date_accessed": "2024-01-02T00:00:00Z", "refs": [ - "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html" + "https://cloud.google.com/iam/docs/conditions-overview" ], "source": "MITRE", - "title": "Overview of Dynamic Libraries" + "title": "Overview of IAM Conditions" }, "related": [], - "uuid": "e3b8cc52-2096-418c-b291-1bc76022961d", - "value": "Apple Doco Archive Dynamic Libraries" + "uuid": "fc117963-580f-5f4a-a969-b2410e00a58f", + "value": "GCP IAM Conditions" }, { "description": "The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines. Retrieved March 29, 2021.", 
@@ -37989,6 +40087,21 @@ "uuid": "1050758d-20da-4c4a-83d3-40aeff3db9ca", "value": "Pcwutl.dll - LOLBAS Project" }, + { + "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.", + "meta": { + "date_accessed": "2023-09-18T00:00:00Z", + "date_published": "2023-09-14T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" + ], + "source": "MITRE", + "title": "Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets" + }, + "related": [], + "uuid": "84d026ed-b8f2-5bbb-865a-2d93aa4b2ef8", + "value": "Microsoft Peach Sandstorm 2023" + }, { "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved January 31, 2024.", "meta": { 
@@ -38005,21 +40118,6 @@ "uuid": "98a631f4-4b95-4159-b311-dee1216ec208", "value": "Microsoft Peach Sandstorm September 14 2023" }, - { - "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.", - "meta": { - "date_accessed": "2023-09-18T00:00:00Z", - "date_published": "2023-09-14T00:00:00Z", - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" - ], - "source": "MITRE", - "title": "Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets" - }, - "related": [], - "uuid": "84d026ed-b8f2-5bbb-865a-2d93aa4b2ef8", - "value": "Microsoft Peach Sandstorm 2023" - }, { "description": "Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021.", "meta": { @@ -38081,21 +40179,6 @@ "uuid": "309bfb48-76d1-4ae9-9c6a-30b54658133c", "value": "U.S. CISA BlackTech September 27 2023" }, - { - "description": "NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.", - "meta": { - "date_accessed": "2023-07-27T00:00:00Z", - "date_published": "2023-05-24T00:00:00Z", - "refs": [ - "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" - ], - "source": "MITRE", - "title": "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" - }, - "related": [], - "uuid": "14872f08-e219-5c0d-a2d7-43a3ba348b4b", - "value": "Joint Cybersecurity Advisory Volt Typhoon June 2023" - }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved May 25, 2023.", "meta": { 
@@ -38112,6 +40195,21 @@ "uuid": "12320f38-ebbf-486a-a450-8a548c3722d6", "value": "U.S. CISA Volt Typhoon May 24 2023" }, + { + "description": "NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.", + "meta": { + "date_accessed": "2023-07-27T00:00:00Z", + "date_published": "2023-05-24T00:00:00Z", + "refs": [ + "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" + ], + "source": "MITRE", + "title": "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" + }, + "related": [], + "uuid": "14872f08-e219-5c0d-a2d7-43a3ba348b4b", + "value": "Joint Cybersecurity Advisory Volt Typhoon June 2023" + }, { "description": "Microsoft. (2004, February 6). Perimeter Firewall Design. Retrieved April 25, 2016.", "meta": { @@ -38308,6 +40406,21 @@ "uuid": "96ee2b87-9727-4914-affe-d9dc5d58c955", "value": "ANSSI Nobelium Phishing December 2021" }, + { + "description": "Jonathan Greig. (2023, August 16). Phishing campaign used QR codes to target large energy company. Retrieved November 27, 2023.", + "meta": { + "date_accessed": "2023-11-27T00:00:00Z", + "date_published": "2023-08-16T00:00:00Z", + "refs": [ + "https://therecord.media/phishing-campaign-used-qr-codes-to-target-energy-firm" + ], + "source": "MITRE", + "title": "Phishing campaign used QR codes to target large energy company" + }, + "related": [], + "uuid": "f73f45c8-4285-572e-b861-a0ded463a91e", + "value": "QR-campaign-energy-firm" + }, { "description": "Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018.", "meta": { 
@@ -38577,22 +40690,6 @@ "uuid": "a78613a5-ce17-4d11-8f2f-3e642cd7673c", "value": "Symantec Play Ransomware April 19 2023" }, - { - "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved August 10, 2023.", - "meta": { - "date_accessed": "2023-08-10T00:00:00Z", - "date_published": "2022-09-06T00:00:00Z", - "owner": "TidalCyberIan", - "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html" - ], - "source": "Tidal Cyber", - "title": "Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa" - }, - "related": [], - "uuid": "2d2b527d-25b0-4b58-9ae6-c87060b64069", - "value": "Trend Micro Play Playbook September 06 2022" - }, { "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved September 21, 2023.", "meta": { 
@@ -38609,6 +40706,22 @@ "uuid": "ed02529c-920d-4a92-8e86-be1ed7083991", "value": "Trend Micro Play Ransomware September 06 2022" }, + { + "description": "Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares. (2022, September 6). Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa. Retrieved August 10, 2023.", + "meta": { + "date_accessed": "2023-08-10T00:00:00Z", + "date_published": "2022-09-06T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html" + ], + "source": "Tidal Cyber", + "title": "Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa" + }, + "related": [], + "uuid": "2d2b527d-25b0-4b58-9ae6-c87060b64069", + "value": "Trend Micro Play Playbook September 06 2022" + }, { "description": "Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.", "meta": { @@ -38907,6 +41020,21 @@ "uuid": "a02790a1-f7c5-43b6-bc7e-075b2c0aa791", "value": "Elastic Docs Potential Protocol Tunneling via EarthWorm" }, + { + "description": "detection.fyi. (2023, October 28). Potential Suspicious Mofcomp Execution. Retrieved February 9, 2024.", + "meta": { + "date_accessed": "2024-02-09T00:00:00Z", + "date_published": "2023-10-28T00:00:00Z", + "refs": [ + "https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mofcomp_execution/" + ], + "source": "MITRE", + "title": "Potential Suspicious Mofcomp Execution" + }, + "related": [], + "uuid": "c0cdb878-ef43-570a-8d5b-d643ec01f435", + "value": "sus mofcomp" + }, { "description": "B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.", "meta": { 
@@ -39208,6 +41336,21 @@ "uuid": "4004e072-9e69-4e81-a2b7-840e106cf3d9", "value": "WithSecure SystemBC May 10 2021" }, + { + "description": "Michael Cobb. (2007, October 11). Preparing for uniform resource identifier (URI) exploits. Retrieved February 9, 2024.", + "meta": { + "date_accessed": "2024-02-09T00:00:00Z", + "date_published": "2007-10-11T00:00:00Z", + "refs": [ + "https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits" + ], + "source": "MITRE", + "title": "Preparing for uniform resource identifier (URI) exploits" + }, + "related": [], + "uuid": "8bb388d4-b7d1-5778-b599-2ed42206b88b", + "value": "URI" + }, { "description": "LOLBAS. (2018, May 25). Presentationhost.exe. Retrieved December 4, 2023.", "meta": { @@ -39359,6 +41502,21 @@ "uuid": "710ed789-de1f-4601-a8ba-32147827adcb", "value": "Anomali Static Kitten February 2021" }, + { + "description": "The DFIR Report. (2023, January 8). proc_creation_win_mofcomp_execution.yml. Retrieved February 9, 2024.", + "meta": { + "date_accessed": "2024-02-09T00:00:00Z", + "date_published": "2023-01-08T00:00:00Z", + "refs": [ + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" + ], + "source": "MITRE", + "title": "proc_creation_win_mofcomp_execution.yml" + }, + "related": [], + "uuid": "f7c4e24f-b91e-574f-8b16-fb93295ef9d8", + "value": "sus mofcomp dos" + }, { "description": "LOLBAS. (2020, October 14). Procdump.exe. Retrieved December 4, 2023.", "meta": { 
@@ -39523,6 +41681,21 @@ "uuid": "adee82e6-a74a-4a91-ab5a-97847b135ca3", "value": "Unit 42 ProjectM March 2016" }, + { + "description": "Michael Mimoso. (2016, August 8). ProjectSauron APT On Par With Equation, Flame, Duqu. Retrieved January 10, 2024.", + "meta": { + "date_accessed": "2024-01-10T00:00:00Z", + "date_published": "2016-08-08T00:00:00Z", + "refs": [ + "https://threatpost.com/projectsauron-apt-on-par-with-equation-flame-duqu/119725/" + ], + "source": "MITRE", + "title": "ProjectSauron APT On Par With Equation, Flame, Duqu" + }, + "related": [], + "uuid": "4d349f2f-c740-55c7-8e7b-b6957e382307", + "value": "Threatpost Sauron" + }, { "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.", "meta": { 
@@ -39989,6 +42162,35 @@ "uuid": "ec413dc7-028c-4153-9e98-abe85961747f", "value": "anomali-linux-rabbit" }, + { + "description": "CrowdStrike. (n.d.). Punk Spider. Retrieved February 20, 2024.", + "meta": { + "date_accessed": "2024-02-20T00:00:00Z", + "refs": [ + "https://www.crowdstrike.com/adversaries/punk-spider/" + ], + "source": "MITRE", + "title": "Punk Spider" + }, + "related": [], + "uuid": "a16f89a4-5142-559b-acfa-f69ad9410bd2", + "value": "CrowdStrike PUNK SPIDER" + }, + { + "description": "Gamazo, William. Quist, Nathaniel.. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.", + "meta": { + "date_accessed": "2024-02-28T00:00:00Z", + "date_published": "2023-01-05T00:00:00Z", + "refs": [ + "https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/" + ], + "source": "MITRE", + "title": "PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources" + }, + "related": [], + "uuid": "841f397d-d103-56d7-9854-7ce43c684879", + "value": "Free Trial PurpleUrchin" + }, { "description": "Gross, J. and Walter, J.. (2016, January 12). Puttering into the Future.... Retrieved January 22, 2016.", "meta": { @@ -40228,6 +42430,21 @@ "uuid": "6e4960e7-ae5e-4b68-ac85-4bd84e940634", "value": "Red Canary Qbot" }, + { + "description": "Tim Bedard and Tyler Johnson. (2023, October 4). QR Code Scams & Phishing. Retrieved November 27, 2023.", + "meta": { + "date_accessed": "2023-11-27T00:00:00Z", + "date_published": "2023-10-04T00:00:00Z", + "refs": [ + "https://www.proofpoint.com/us/blog/email-and-cloud-threats/cybersecurity-stop-month-qr-code-phishing" + ], + "source": "MITRE", + "title": "QR Code Scams & Phishing" + }, + "related": [], + "uuid": "58df8729-ab42-55ee-a27d-655644bdeb0d", + "value": "qr-phish-agriculture" + }, { "description": "hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.", "meta": { 
@@ -40453,6 +42670,21 @@ "uuid": "3c149b0b-f37c-4d4e-aa61-351c87fd57ce", "value": "Eset Ramsay May 2020" }, + { + "description": "Jen Miller-Osborn and Mike Harbison. (2019, December 17). Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia. Retrieved February 9, 2024.", + "meta": { + "date_accessed": "2024-02-09T00:00:00Z", + "date_published": "2019-12-17T00:00:00Z", + "refs": [ + "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/" + ], + "source": "MITRE", + "title": "Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia" + }, + "related": [], + "uuid": "462b8752-aa21-50d1-a21d-c9945373f37c", + "value": "Rancor WMI" + }, { "description": "Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.", "meta": { 
@@ -40512,21 +42744,6 @@ "uuid": "984e86e6-32e4-493c-8172-3d29de4720cc", "value": "DHS/CISA Ransomware Targeting Healthcare October 2020" }, - { - "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.", - "meta": { - "date_accessed": "2021-03-02T00:00:00Z", - "date_published": "2020-02-24T00:00:00Z", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" - ], - "source": "MITRE", - "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT" - }, - "related": [], - "uuid": "44856547-2de5-45ff-898f-a523095bd593", - "value": "FireEye Ransomware Feb 2020" - }, { "description": "Zafra, D. Lunden, K. Brubaker, N. Kennelly, J.. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.", "meta": { 
@@ -40542,6 +42759,21 @@ "uuid": "9ffa0f35-98e4-4265-8b66-9c805a2b6525", "value": "FireEye Ransomware Disrupt Industrial Production" }, + { + "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.", + "meta": { + "date_accessed": "2021-03-02T00:00:00Z", + "date_published": "2020-02-24T00:00:00Z", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" + ], + "source": "MITRE", + "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT" + }, + "related": [], + "uuid": "44856547-2de5-45ff-898f-a523095bd593", + "value": "FireEye Ransomware Feb 2020" + }, { "description": "Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.", "meta": { @@ -41090,6 +43322,21 @@ "uuid": "5b8b6429-14ef-466b-b806-5603e694efc1", "value": "Talos MuddyWater May 2019" }, + { + "description": "Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.", + "meta": { + "date_accessed": "2024-02-05T00:00:00Z", + "date_published": "2021-05-27T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" + ], + "source": "MITRE", + "title": "Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices" + }, + "related": [], + "uuid": "5620adaf-c2a7-5f0f-ae70-554ce720426e", + "value": "Mandiant Pulse Secure Update May 2021" + }, { "description": "Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved September 12, 2019.", "meta": { 
@@ -41135,6 +43382,21 @@ "uuid": "4ca0e6a9-8c20-49a0-957a-7108083a8a29", "value": "Trend Micro Daserf Nov 2017" }, + { + "description": "Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.", + "meta": { + "date_accessed": "2024-03-22T00:00:00Z", + "date_published": "2024-03-01T00:00:00Z", + "refs": [ + "https://redcanary.com/threat-detection-report/threats/socgholish/" + ], + "source": "MITRE", + "title": "Red Canary 2024 Threat Detection Report: SocGholish" + }, + "related": [], + "uuid": "70fa26e4-109c-5a48-b9fd-ac8b9acf2cf3", + "value": "Red Canary SocGholish March 2024" + }, { "description": "Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.", "meta": { @@ -41165,6 +43427,21 @@ "uuid": "599337b3-8587-5578-9be5-e6e4f0edd0ef", "value": "Red Hat System Auditing" }, + { + "description": "Insikt Group. (2023, August 8). RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale. Retrieved March 11, 2024.", + "meta": { + "date_accessed": "2024-03-11T00:00:00Z", + "date_published": "2023-08-08T00:00:00Z", + "refs": [ + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf" + ], + "source": "MITRE", + "title": "RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale" + }, + "related": [], + "uuid": "006715e1-9354-51aa-812b-21a33a37ebb4", + "value": "Recorded Future RedHotel August 2023" + }, { "description": "Cylance. (2015, April 13). Redirect to SMB. Retrieved December 21, 2017.", "meta": { 
@@ -41603,7 +43880,7 @@ "date_accessed": "2021-01-22T00:00:00Z", "date_published": "2021-01-19T00:00:00Z", "refs": [ - "https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf" + "https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452" ], "source": "MITRE", "title": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452" @@ -41804,6 +44081,21 @@ "uuid": "5f28adee-1313-48ec-895c-27341bd1071f", "value": "Wired SandCat Oct 2019" }, + { + "description": "A.J. Vincens, CyberScoop. (2024, March 18). Researchers spot updated version of malware that hit Viasat. Retrieved March 25, 2024.", + "meta": { + "date_accessed": "2024-03-25T00:00:00Z", + "date_published": "2024-03-18T00:00:00Z", + "refs": [ + "https://cyberscoop.com/viasat-malware-wiper-acidrain/" + ], + "source": "MITRE", + "title": "Researchers spot updated version of malware that hit Viasat" + }, + "related": [], + "uuid": "742c8a5c-21e5-58d8-a90d-f4c186c0699a", + "value": "Vincens AcidPour 2024" + }, { "description": "Moe, O. (2017, August 15). Research on CMSTP.exe. Retrieved April 11, 2018.", "meta": { 
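Review bot: The `+` line swaps the FireEye white paper `wp-m-unc2452.pdf` for the Mandiant blog URL while `date_accessed` stays at 2021-01-22, the date the PDF was consulted, so the record now claims a retrieval of a page it did not cite at the time. If the white paper is the work being referenced, an archive.org snapshot of the original PDF keeps provenance intact, the way this file already does for the FireEye Southeast Asia report. If the blog post is now the intended citation, `date_accessed` should move to the date it was actually checked. The AcidPour hunk on this line looks consistent.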
@@ -41982,6 +44274,21 @@ "uuid": "62ad7dbc-3ed2-4fa5-a56a-2810ce131167", "value": "Malwarebytes RokRAT VBA January 2021" }, + { + "description": "Marina Liang. (2024, April 23). Return of the mac(OS): Transparency, Consent, and Control (TCC) Database Manipulation. Retrieved March 28, 2024.", + "meta": { + "date_accessed": "2024-03-28T00:00:00Z", + "date_published": "2024-04-23T00:00:00Z", + "refs": [ + "https://interpressecurity.com/resources/return-of-the-macos-tcc/" + ], + "source": "MITRE", + "title": "Return of the mac(OS): Transparency, Consent, and Control (TCC) Database Manipulation" + }, + "related": [], + "uuid": "4929c08e-cc20-5f85-8ae0-6bb691ce7917", + "value": "TCC Database" + }, { "description": "Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.", "meta": { @@ -41997,6 +44304,21 @@ "uuid": "8aed9534-2ec6-4c9f-b63b-9bb135432cfb", "value": "jRAT Symantec Aug 2018" }, + { + "description": "Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.", + "meta": { + "date_accessed": "2023-12-06T00:00:00Z", + "date_published": "2022-10-03T00:00:00Z", + "refs": [ + "https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" + ], + "source": "MITRE", + "title": "REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP" + }, + "related": [], + "uuid": "f9e40a71-c963-53de-9266-13f9f326c5bf", + "value": "Sygnia Emperor Dragonfly October 2022" + }, { "description": "Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.", "meta": { 
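Review bot: In the `TCC Database` entry `date_published` `2024-04-23` is later than `date_accessed` `2024-03-28`, and the description repeats the contradiction ("(2024, April 23)" followed by "Retrieved March 28, 2024"), so one of the two dates is wrong. The retrieval date is the one the submitter controls, which makes the publication date the likelier error; confirm it against the Interpres page and correct the description and `date_published` together so they cannot drift apart. A check that `date_published` never exceeds `date_accessed` would catch this class of error on import.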
@@ -42670,6 +44992,20 @@ "uuid": "0d633a50-4afd-4479-898e-1a785f5637da", "value": "Microsoft Run Key" }, + { + "description": "Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017.", + "meta": { + "date_accessed": "2017-04-21T00:00:00Z", + "refs": [ + "https://technet.microsoft.com/en-us/library/bb490994.aspx" + ], + "source": "MITRE", + "title": "Runas" + }, + "related": [], + "uuid": "8b4bdce9-da19-443f-88d2-11466e126c09", + "value": "Microsoft runas" + }, { "description": "Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.", "meta": { @@ -42685,20 +45021,6 @@ "uuid": "af05c12e-f9c6-421a-9a5d-0797c01ab2dc", "value": "Microsoft RunAs" }, - { - "description": "Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017.", - "meta": { - "date_accessed": "2017-04-21T00:00:00Z", - "refs": [ - "https://technet.microsoft.com/en-us/library/bb490994.aspx" - ], - "source": "MITRE", - "title": "Runas" - }, - "related": [], - "uuid": "8b4bdce9-da19-443f-88d2-11466e126c09", - "value": "Microsoft runas" - }, { "description": "Wikipedia. (2018, August 3). Run Command. Retrieved October 12, 2018.", "meta": { @@ -42805,6 +45127,20 @@ "uuid": "24c526e1-7199-45ca-99b4-75e75c7041cd", "value": "Powershell Remote Commands" }, + { + "description": "AutoIT. (n.d.). Running Scripts. Retrieved March 29, 2024.", + "meta": { + "date_accessed": "2024-03-29T00:00:00Z", + "refs": [ + "https://www.autoitscript.com/autoit3/docs/intro/running.htm" + ], + "source": "MITRE", + "title": "Running Scripts" + }, + "related": [], + "uuid": "97e76bc2-9312-5f39-8491-8b42ddeb2067", + "value": "AutoIT" + }, { "description": "LOLBAS. (2018, May 25). Runonce.exe. Retrieved December 4, 2023.", "meta": { 
@@ -43156,6 +45492,20 @@ "uuid": "cfd0ad64-54b2-446f-9624-9c90a9a94f52", "value": "RyanW3stman Tweet October 10 2023" }, + { + "description": "Ryte Wiki. (n.d.). Retrieved March 5, 2024.", + "meta": { + "date_accessed": "2024-03-05T00:00:00Z", + "refs": [ + "https://en.ryte.com/wiki/Tracking_Pixel" + ], + "source": "MITRE", + "title": "Ryte Wiki" + }, + "related": [], + "uuid": "51b4932e-f85a-5483-8bf8-48de9c85782d", + "value": "Ryte Wiki" + }, { "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.", "meta": { 
@@ -43348,6 +45698,36 @@ "uuid": "0965bb64-be96-46b9-b60f-6829c43a661f", "value": "Talos SamSam Jan 2018" }, + { + "description": "National Security Agency. (2020, March 28). Sandworm Actors Exploiting Vulnerability In EXIM Mail Transfer Agent. Retrieved March 1, 2024.", + "meta": { + "date_accessed": "2024-03-01T00:00:00Z", + "date_published": "2020-03-28T00:00:00Z", + "refs": [ + "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf" + ], + "source": "MITRE", + "title": "Sandworm Actors Exploiting Vulnerability In EXIM Mail Transfer Agent" + }, + "related": [], + "uuid": "5135c600-b2a6-59e7-9023-8e293736f8de", + "value": "NSA Sandworm 2020" + }, + { + "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.", + "meta": { + "date_accessed": "2024-03-28T00:00:00Z", + "date_published": "2023-11-09T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" + ], + "source": "MITRE", + "title": "Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology" + }, + "related": [], + "uuid": "7ad64744-2790-54e4-97cd-e412423f6ada", + "value": "Mandiant-Sandworm-Ukraine-2022" + }, { "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler McLellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved April 17, 2024.", "meta": { 
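Review bot: `NSA Sandworm 2020` records `"date_published": "2020-03-28T00:00:00Z"` and "(2020, March 28)", but the cited URL is itself dated `2020/May/28/` and its file name ends in `20200528`, so the advisory date should be `"date_published": "2020-05-28T00:00:00Z"` with the description changed to `(2020, May 28)`. The second added entry, `Mandiant-Sandworm-Ukraine-2022`, has the same title and URL as the context entry that follows it, differing only in the `Mclellan`/`McLellan` spelling and the retrieval date; two uuids for one source will fan out wherever references are matched by title, so consider keeping a single record. The `2022` in that value also labels a 2023 publication, which is confusing even if the incident it describes is from 2022.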
@@ -43409,6 +45789,34 @@ "uuid": "b8d9006d-7466-49cf-a70e-384edee530ce", "value": "DOJ - Cisco Insider" }, + { + "description": "Joshua Wright. (2020, October 13). Retrieved March 22, 2024.", + "meta": { + "date_accessed": "2024-03-22T00:00:00Z", + "refs": [ + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/" + ], + "source": "MITRE", + "title": "SANS 1" + }, + "related": [], + "uuid": "6fb8f825-5f77-501a-8277-22a5f551d13a", + "value": "SANS 1" + }, + { + "description": "Joshua Wright. (2020, October 14). Retrieved March 22, 2024.", + "meta": { + "date_accessed": "2024-03-22T00:00:00Z", + "refs": [ + "https://www.sans.org/blog/defense-spotlight-finding-hidden-windows-services/" + ], + "source": "MITRE", + "title": "SANS 2" + }, + "related": [], + "uuid": "2a4c41f3-473f-516f-8c68-b771f7c3dfcb", + "value": "SANS 2" + }, { "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.", "meta": { @@ -43499,20 +45907,6 @@ "uuid": "f84a5b6d-3af1-45b1-ac55-69ceced8735f", "value": "Scarlet Mimic Jan 2016" }, - { - "description": "CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.", - "meta": { - "date_accessed": "2023-07-05T00:00:00Z", - "refs": [ - "https://www.crowdstrike.com/adversaries/scattered-spider/" - ], - "source": "MITRE", - "title": "Scattered Spider" - }, - "related": [], - "uuid": "a865a984-7f7b-5f82-ac4a-6fac79a2a753", - "value": "CrowdStrike Scattered Spider Profile" - }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, November 16). Scattered Spider. Retrieved November 16, 2023.", "meta": { 
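Review bot: The two new SANS entries carry placeholder titles and values (`SANS 1`, `SANS 2`) and their descriptions omit the article title entirely, which leaves them unusable as citations and indistinguishable in any listing. Judging from the URL slugs they are the SANS posts on hiding Windows services and on finding hidden Windows services; confirm the exact titles on the pages and put them in `title` and the description, with values along the lines of `SANS Hiding Windows Services October 2020`. The CrowdStrike Scattered Spider hunk on this line is a pure move and needs nothing.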
@@ -43529,6 +45923,20 @@ "uuid": "9c242265-c28c-4580-8e6a-478d8700b092", "value": "U.S. CISA Scattered Spider November 16 2023" }, + { + "description": "CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.", + "meta": { + "date_accessed": "2023-07-05T00:00:00Z", + "refs": [ + "https://www.crowdstrike.com/adversaries/scattered-spider/" + ], + "source": "MITRE", + "title": "Scattered Spider" + }, + "related": [], + "uuid": "a865a984-7f7b-5f82-ac4a-6fac79a2a753", + "value": "CrowdStrike Scattered Spider Profile" + }, { "description": "CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023.", "meta": { @@ -43544,6 +45952,21 @@ "uuid": "d7d86f5d-1f02-54b0-b6f4-879878563245", "value": "CrowdStrike Scattered Spider BYOVD January 2023" }, + { + "description": "Trellix et. al.. (2023, August 17). Scattered Spider: The Modus Operandi. Retrieved March 18, 2024.", + "meta": { + "date_accessed": "2024-03-18T00:00:00Z", + "date_published": "2023-08-17T00:00:00Z", + "refs": [ + "https://www.trellix.com/blogs/research/scattered-spider-the-modus-operandi/" + ], + "source": "MITRE", + "title": "Scattered Spider: The Modus Operandi" + }, + "related": [], + "uuid": "0041bf10-e26f-59e8-a212-6b1687aafb79", + "value": "Trellix Scattered Spider MO August 2023" + }, { "description": "LOLBAS. (2018, May 25). Sc.exe. Retrieved December 4, 2023.", "meta": { 
@@ -43799,21 +46222,6 @@
 "uuid": "3f0ff65d-56a0-4c29-b561-e6342b0b6b65",
 "value": "TechNet Secure Boot Process"
 },
- {
- "description": "SecureWorks. (2019, August 27) LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019",
- "meta": {
- "date_accessed": "2019-11-19T00:00:00Z",
- "date_published": "2019-08-27T00:00:00Z",
- "refs": [
- "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
- ],
- "source": "MITRE",
- "title": "SecureWorks August 2019"
- },
- "related": [],
- "uuid": "573edbb6-687b-4bc2-bc4a-764a548633b5",
- "value": "SecureWorks August 2019"
- },
 {
 "description": "Mathew Branwell. (2012, March 21). Securing .bash_history file. Retrieved July 8, 2017.",
 "meta": {
@@ -43830,10 +46238,10 @@
 "value": "Securing bash history"
 },
 {
- "description": "Plett, C., Poggemeyer, L. (2012, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.",
+ "description": "Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.",
 "meta": {
 "date_accessed": "2017-04-25T00:00:00Z",
- "date_published": "2012-10-26T00:00:00Z",
+ "date_published": "2026-10-12T00:00:00Z",
 "refs": [
 "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach"
 ],
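Review bot: The second hunk corrupts the Plett/Poggemeyer citation: the year is truncated to `(12, October 26)` and `date_published` becomes `2026-10-12`, a future date nine years after the `date_accessed` of 2017-04-25, which looks like the upstream citation parser reading "12" as a day-of-month. Keep `"description": "Plett, C., Poggemeyer, L. (2012, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017."` and `"date_published": "2012-10-26T00:00:00Z"` rather than importing the regression. A check that `date_published` is never later than `date_accessed` would flag this automatically on sync. The SecureWorks LYCEUM removal in the first hunk is not re-added anywhere visible in this chunk; if it was deduplicated upstream that is fine, otherwise a reference is silently dropped.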
@@ -43933,6 +46341,21 @@ "uuid": "255181c2-b1c5-4531-bc16-853f21bc6435", "value": "Havana authentication bug" }, + { + "description": "Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.", + "meta": { + "date_accessed": "2024-03-27T00:00:00Z", + "date_published": "2024-03-21T00:00:00Z", + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" + ], + "source": "MITRE", + "title": "Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign" + }, + "related": [], + "uuid": "263be6fe-d9ed-5216-a0be-e8391dbd83e6", + "value": "Proofpoint TA450 Phishing March 2024" + }, { "description": "Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017.", "meta": { 
@@ -43991,6 +46414,35 @@ "uuid": "e4d8ce63-8626-4c8f-a437-b6a120ff61c7", "value": "Schneider Electric USB Malware" }, + { + "description": "Alanna Titterington. (2023, September 14). Security of Electron-based desktop applications. Retrieved March 7, 2024.", + "meta": { + "date_accessed": "2024-03-07T00:00:00Z", + "date_published": "2023-09-14T00:00:00Z", + "refs": [ + "https://www.kaspersky.com/blog/electron-framework-security-issues/49035/" + ], + "source": "MITRE", + "title": "Security of Electron-based desktop applications" + }, + "related": [], + "uuid": "e3e9d747-d5d7-5d36-b5fc-9f58b1d330f3", + "value": "Electron 3" + }, + { + "description": "Apple. (n.d.). Security Server and Security Agent. Retrieved March 29, 2024.", + "meta": { + "date_accessed": "2024-03-29T00:00:00Z", + "refs": [ + "https://developer.apple.com/library/archive/documentation/Security/Conceptual/Security_Overview/Architecture/Architecture.html" + ], + "source": "MITRE", + "title": "Security Server and Security Agent" + }, + "related": [], + "uuid": "2b63d6c7-138b-5a9b-83e0-58f3d34723da", + "value": "Apple Dev SecurityD" + }, { "description": "Microsoft. (n.d.). Security Subsystem Architecture. Retrieved November 27, 2017.", "meta": { 
@@ -44020,21 +46472,6 @@ "uuid": "3cc2c996-10e9-4e25-999c-21dc2c69e4af", "value": "CISA IDN ST05-016" }, - { - "description": "Dr. Nestori Syynimaa.. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.", - "meta": { - "date_accessed": "2022-02-01T00:00:00Z", - "date_published": "2017-11-16T00:00:00Z", - "refs": [ - "https://o365blog.com/post/federation-vulnerability/" - ], - "source": "MITRE", - "title": "Security vulnerability in Azure AD & Office 365 identity federation" - }, - "related": [], - "uuid": "123995be-36f5-4cd6-b80a-d601c2d0971e", - "value": "Azure AD Federation Vulnerability" - }, { "description": "Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022.", "meta": { @@ -44050,6 +46487,21 @@ "uuid": "d2005eb6-4da4-4938-97fb-caa0e2381f4e", "value": "AADInternals zure AD Federated Domain" }, + { + "description": "Dr. Nestori Syynimaa.. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.", + "meta": { + "date_accessed": "2022-02-01T00:00:00Z", + "date_published": "2017-11-16T00:00:00Z", + "refs": [ + "https://o365blog.com/post/federation-vulnerability/" + ], + "source": "MITRE", + "title": "Security vulnerability in Azure AD & Office 365 identity federation" + }, + "related": [], + "uuid": "123995be-36f5-4cd6-b80a-d601c2d0971e", + "value": "Azure AD Federation Vulnerability" + }, { "description": "ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017.", "meta": { 
@@ -44225,21 +46677,6 @@ "uuid": "c2f7958b-f521-4133-9aeb-c5c8fae23e78", "value": "ProofPoint Serpent" }, - { - "description": "Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.", - "meta": { - "date_accessed": "2016-06-12T00:00:00Z", - "date_published": "2016-06-12T00:00:00Z", - "refs": [ - "https://en.wikipedia.org/wiki/Server_Message_Block" - ], - "source": "MITRE", - "title": "Server Message Block" - }, - "related": [], - "uuid": "087b4779-22d5-4872-adb7-583904a92285", - "value": "Wikipedia SMB" - }, { "description": "Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.", "meta": { @@ -44255,6 +46692,21 @@ "uuid": "3ea03c65-12e0-4e28-bbdc-17bb8c1e1831", "value": "Wikipedia Server Message Block" }, + { + "description": "Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.", + "meta": { + "date_accessed": "2016-06-12T00:00:00Z", + "date_published": "2016-06-12T00:00:00Z", + "refs": [ + "https://en.wikipedia.org/wiki/Server_Message_Block" + ], + "source": "MITRE", + "title": "Server Message Block" + }, + "related": [], + "uuid": "087b4779-22d5-4872-adb7-583904a92285", + "value": "Wikipedia SMB" + }, { "description": "Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.", "meta": { @@ -44284,6 +46736,20 @@ "uuid": "522eaa6b-0075-5346-bf3c-db1e7820aba2", "value": "Kubernetes Service Accounts Security" }, + { + "description": "Google. (n.d.). Service Accounts Overview. Retrieved February 28, 2024.", + "meta": { + "date_accessed": "2024-02-28T00:00:00Z", + "refs": [ + "https://cloud.google.com/iam/docs/service-account-overview" + ], + "source": "MITRE", + "title": "Service Accounts Overview" + }, + "related": [], + "uuid": "7409c7d3-97a0-5f17-9061-cdaf41274647", + "value": "GCP Service Accounts" + }, { "description": "Microsoft. (2018, May 31). Service Control Manager. Retrieved March 28, 2020.", "meta": { 
@@ -44402,6 +46868,20 @@ "uuid": "37d237ae-f0a8-5b30-8f97-d751c1560391", "value": "Krebs Access Brokers Fortune 500" }, + { + "description": "OWASP CheatSheets Series Team. (n.d.). Session Management Cheat Sheet. Retrieved December 26, 2023.", + "meta": { + "date_accessed": "2023-12-26T00:00:00Z", + "refs": [ + "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html" + ], + "source": "MITRE", + "title": "Session Management Cheat Sheet" + }, + "related": [], + "uuid": "8b979a57-8238-5a68-bb0f-0301fa1b6432", + "value": "Session Management Cheat Sheet" + }, { "description": "Hsu, S. (2018, June 30). Session vs Token Based Authentication. Retrieved September 29, 2021.", "meta": { @@ -44955,6 +47435,21 @@ "uuid": "e09f639e-bdd3-4e88-8032-f665e347272b", "value": "Trustwave Cherry Picker" }, + { + "description": "Aspen Lindblom, Joseph Goodwin, and Chris Sheldon. (2021, July 19). Shlayer Malvertising Campaigns Still Using Flash Update Disguise. Retrieved March 29, 2024.", + "meta": { + "date_accessed": "2024-03-29T00:00:00Z", + "date_published": "2021-07-19T00:00:00Z", + "refs": [ + "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/" + ], + "source": "MITRE", + "title": "Shlayer Malvertising Campaigns Still Using Flash Update Disguise" + }, + "related": [], + "uuid": "1fb860e8-47e4-5b6e-85ef-afe8de81a3b9", + "value": "File obfuscation" + }, { "description": "Jaron Bradley. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021.", "meta": { 
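Review bot: The Shlayer entry's `value` is `File obfuscation`, which names a technique rather than the source and will collide with any other reference someone tags the same way; `value` is the string MISP displays and matches on. Rename it to the file's usual pattern, e.g. `CrowdStrike Shlayer Malvertising July 2021`, keeping the uuid. The OWASP session-management hunk on this line is fine as added.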
@@ -45243,7 +47738,7 @@
 "date_accessed": "2020-05-05T00:00:00Z",
 "date_published": "2018-09-01T00:00:00Z",
 "refs": [
- "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf"
+ "https://go.group-ib.com/report-silence-en?_gl=1*d1bh3a*_ga*MTIwMzM5Mzc5MS4xNjk4OTI5NzY4*_ga_QMES53K3Y2*MTcwNDcyMjU2OS40LjEuMTcwNDcyMzU1Mi41My4wLjA."
 ],
 "source": "MITRE",
 "title": "Silence: Moving Into the Darkside"
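Review bot: The new Group-IB URL carries a `_gl=1*…*_ga*…*_ga_QMES53K3Y2*…` query string, which is a Google Analytics cross-domain linker embedding the submitter's analytics client ID and session timestamps; it is not part of the resource's identity, it will go stale, and every consumer who follows the reference replays it. Store the canonical `https://go.group-ib.com/report-silence-en` instead. The removed line was a direct PDF, so if the new landing page is gated, an archive.org snapshot of the old PDF would better preserve what was actually retrieved on 2020-05-05.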
@@ -45856,6 +48351,52 @@ "uuid": "f026dd44-1491-505b-8a8a-e4f28c6cd6a7", "value": "Telefonica Snip3 December 2021" }, + { + "description": "Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.", + "meta": { + "date_accessed": "2024-02-13T00:00:00Z", + "date_published": "2022-11-22T00:00:00Z", + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" + ], + "source": "MITRE", + "title": "SocGholish, a very real threat from a very fake update" + }, + "related": [], + "uuid": "01d9c3ba-29e2-5090-b399-0e7adf50a6b9", + "value": "SocGholish-update" + }, + { + "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.", + "meta": { + "date_accessed": "2024-03-22T00:00:00Z", + "date_published": "2022-11-07T00:00:00Z", + "refs": [ + "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/" + ], + "source": "MITRE", + "title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders" + }, + "related": [], + "uuid": "8a26eeb6-6f80-58f1-b773-b38835c6781d", + "value": "SentinelOne SocGholish Infrastructure November 2022" + }, + { + "description": "Proofpoint. (2022, November 21). SocGholish Malware: A Real Threat from a Fake Update | Proofpoint US. 
Retrieved May 7, 2023.", + "meta": { + "date_accessed": "2023-05-07T00:00:00Z", + "date_published": "2022-11-21T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" + ], + "source": "Tidal Cyber", + "title": "SocGholish Malware: A Real Threat from a Fake Update | Proofpoint US" + }, + "related": [], + "uuid": "dc4117ea-be69-47db-ab75-03100fee230c", + "value": "Proofpoint November 21 2022" + }, { "description": "Felipe Duarte, Ido Naor. (2022, March 9). Sockbot in GoLand. Retrieved September 22, 2023.", "meta": { @@ -45917,21 +48458,6 @@ "uuid": "0bcc2d76-987c-4a9b-9e00-1400eec4e606", "value": "Unit 42 Sofacy Feb 2018" }, - { - "description": "Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.", - "meta": { - "date_accessed": "2018-11-26T00:00:00Z", - "date_published": "2018-11-20T00:00:00Z", - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" - ], - "source": "MITRE", - "title": "Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan" - }, - "related": [], - "uuid": "8c634bbc-4878-4b27-aa18-5996ec968809", - "value": "Unit42 Cannon Nov 2018" - }, { "description": "Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.", "meta": { 
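Review bot: Two of the three added SocGholish entries cite the same Proofpoint URL `.../part-1-socgholish-very-real-threat-very-fake-update` under different uuids, with `date_published` `2022-11-22` in the MITRE record (`SocGholish-update`) and `2022-11-21` in the Tidal Cyber record (`Proofpoint November 21 2022`), so at least one is off by a day. Parallel MITRE/Tidal records appear deliberate in this galaxy, but the publication date should be reconciled from the page so the two do not contradict each other. `SocGholish-update` is also a weak key next to its siblings; `Proofpoint SocGholish November 2022` would follow the naming used elsewhere in the file. The Unit42 Cannon hunk that follows is a pure move.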
@@ -45947,6 +48473,21 @@ "uuid": "1523c6de-8879-4652-ac51-1a5085324370", "value": "Unit 42 Sofacy Nov 2018" }, + { + "description": "Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.", + "meta": { + "date_accessed": "2018-11-26T00:00:00Z", + "date_published": "2018-11-20T00:00:00Z", + "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" + ], + "source": "MITRE", + "title": "Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan" + }, + "related": [], + "uuid": "8c634bbc-4878-4b27-aa18-5996ec968809", + "value": "Unit42 Cannon Nov 2018" + }, { "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.", "meta": { @@ -46112,6 +48653,21 @@ "uuid": "a39354fc-334f-4f65-ba8a-56550f91710f", "value": "Source Manual" }, + { + "description": "FireEye. (2015, March). SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE. Retrieved February 5, 2024.", + "meta": { + "date_accessed": "2024-02-05T00:00:00Z", + "date_published": "2015-03-01T00:00:00Z", + "refs": [ + "https://web.archive.org/web/20220122121143/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf" + ], + "source": "MITRE", + "title": "SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE" + }, + "related": [], + "uuid": "59658f8b-af24-5df5-8f7d-cb6b9cf7579e", + "value": "FireEye Southeast Asia Threat Landscape March 2015" + }, { "description": "Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.", "meta": { 
@@ -46606,6 +49162,21 @@ "uuid": "d81e0274-76f4-43ce-b829-69f761e280dc", "value": "Stantinko Botnet" }, + { + "description": "Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.", + "meta": { + "date_accessed": "2024-02-13T00:00:00Z", + "date_published": "2023-12-07T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/" + ], + "source": "MITRE", + "title": "Star Blizzard increases sophistication and evasion in ongoing attacks" + }, + "related": [], + "uuid": "68b16960-1893-51a1-b46c-974a09d4a0c4", + "value": "StarBlizzard" + }, { "description": "Amazon. (n.d.). Start Building on AWS Today. Retrieved October 13, 2021.", "meta": { @@ -46620,6 +49191,20 @@ "uuid": "b7d41cde-18c8-4e15-a0ac-ca0afc127e33", "value": "Amazon AWS" }, + { + "description": "Docker. (n.d.). Start containers automatically. Retrieved February 15, 2024.", + "meta": { + "date_accessed": "2024-02-15T00:00:00Z", + "refs": [ + "https://docs.docker.com/config/containers/start-containers-automatically/" + ], + "source": "MITRE", + "title": "Start containers automatically" + }, + "related": [], + "uuid": "5969a1d0-7645-5a58-a461-446d49b63b17", + "value": "Docker Systemd" + }, { "description": "Apple. (2016, September 13). Startup Items. Retrieved July 11, 2017.", "meta": { 
@@ -46678,6 +49263,21 @@ "uuid": "9cee0681-3ad2-4b1d-8eeb-5160134f3069", "value": "Twitter SquiblyTwo Detection APR 2018" }, + { + "description": "Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024.", + "meta": { + "date_accessed": "2024-03-11T00:00:00Z", + "date_published": "2024-02-14T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/" + ], + "source": "MITRE", + "title": "Staying ahead of threat actors in the age of AI" + }, + "related": [], + "uuid": "4f08a1a3-3cc5-5dfb-9190-2e4991e43d94", + "value": "MSFT-AI" + }, { "description": "Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.", "meta": { @@ -46922,6 +49522,22 @@ "uuid": "aa52e826-f292-41f6-985d-0282230c8948", "value": "U.S. CISA BianLian Ransomware May 2023" }, + { + "description": "Cybersecurity and Infrastructure Security Agency. (2024, May 10). #StopRansomware: Black Basta. Retrieved May 13, 2024.", + "meta": { + "date_accessed": "2024-05-13T00:00:00Z", + "date_published": "2024-05-10T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a" + ], + "source": "Tidal Cyber", + "title": "#StopRansomware: Black Basta" + }, + "related": [], + "uuid": "10fed6c7-4d73-49cd-9170-3f67d06365ca", + "value": "U.S. CISA Black Basta May 10 2024" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, June 7). #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability. Retrieved July 27, 2023.", "meta": { 
@@ -47188,6 +49804,21 @@ "uuid": "d7097b1e-507b-4626-9cef-39367c09f722", "value": "Windows Blogs Microsoft Edge Sandbox" }, + { + "description": "Warwick Ashford. (2016, August 8). Strider cyber attack group deploying malware for espionage. Retrieved January 10, 2024.", + "meta": { + "date_accessed": "2024-01-10T00:00:00Z", + "date_published": "2016-08-08T00:00:00Z", + "refs": [ + "https://www.computerweekly.com/news/450302128/Strider-cyber-attack-group-deploying-malware-for-espionage" + ], + "source": "MITRE", + "title": "Strider cyber attack group deploying malware for espionage" + }, + "related": [], + "uuid": "dc9cfd06-54fb-553c-b538-1e93fed6c538", + "value": "ComputerWeekly Strider" + }, { "description": "Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.", "meta": { @@ -47233,6 +49864,21 @@ "uuid": "7d2e20f2-20ba-4d51-9495-034c07be41a8", "value": "Bitdefender StrongPity June 2020" }, + { + "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.", + "meta": { + "date_accessed": "2023-01-31T00:00:00Z", + "date_published": "2023-01-10T00:00:00Z", + "refs": [ + "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" + ], + "source": "MITRE", + "title": "StrongPity espionage campaign targeting Android users" + }, + "related": [], + "uuid": "1b89df2c-e756-599a-9f7f-a5230db9de46", + "value": "welivesec_strongpity" + }, { "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.", "meta": { 
@@ -47349,8 +49995,8 @@
 "title": "SUNBURST, TEARDROP and the NetSec New Normal"
 },
 "related": [],
- "uuid": "4e3d9201-83d4-5375-b3b7-e00dfb16342d",
- "value": "CheckPoint Sunburst & Teardrop December 2020"
+ "uuid": "a6b75979-af51-42ed-9bb9-01d5fb9ceac9",
+ "value": "Check Point Sunburst Teardrop December 2020"
 },
 {
 "description": "Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.",
@@ -47364,8 +50010,8 @@
 "title": "SUNBURST, TEARDROP and the NetSec New Normal"
 },
 "related": [],
- "uuid": "a6b75979-af51-42ed-9bb9-01d5fb9ceac9",
- "value": "Check Point Sunburst Teardrop December 2020"
+ "uuid": "4e3d9201-83d4-5375-b3b7-e00dfb16342d",
+ "value": "CheckPoint Sunburst & Teardrop December 2020"
 },
 {
 "description": "CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.",
@@ -47472,6 +50118,21 @@
 "uuid": "d38bdb47-1a8d-43f8-b7ed-dfa5e430ac2f",
 "value": "Moran 2013"
 },
+ {
+ "description": "John Fokker. (2022, March 17). Suspected DarkHotel APT activity update. Retrieved February 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-06T00:00:00Z",
+ "date_published": "2022-03-17T00:00:00Z",
+ "refs": [
+ "https://www.trellix.com/en-ca/about/newsroom/stories/research/suspected-darkhotel-apt-activity-update/"
+ ],
+ "source": "MITRE",
+ "title": "Suspected DarkHotel APT activity update"
+ },
+ "related": [],
+ "uuid": "2b64284f-bc2c-5ca5-bf16-f862345cef80",
+ "value": "4 - appv"
+ },
 {
 "description": "Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.",
 "meta": {
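Review bot: The first two hunks swap the `uuid`/`value` pairs between two Check Point records whose descriptions are left in place, so each uuid now resolves to a different record: `a6b75979-…` moves to the entry whose description sits above the first hunk, and the entry "Retrieved January 6, 2021" takes `4e3d9201-…`. Anything keyed on those uuids (galaxy relationships, previously exported events, the `related` arrays of other clusters) silently re-points, which is the one thing a stable identifier is meant to prevent. If the goal is ordering, move the whole objects and keep each uuid with its record; if the two entries are the same source with different retrieval dates, collapse them into one uuid instead of renaming. The description of the first record is outside this hunk, so I cannot tell which case applies.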
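Review bot: The DarkHotel entry in the third hunk has `"value": "4 - appv"`, an ordinal scratch label rather than a citation key, and it is not alone — the SyncAppvPublishingServer hunks further down this page add `5 - appv` and `6 - appv`. `value` is the name MISP displays and matches on, so these should follow the file's pattern, e.g. `Trellix DarkHotel March 2022`, with the uuid unchanged. Fixing it at import time avoids carrying the placeholder into downstream galaxies that will never see the upstream correction.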
@@ -47517,6 +50178,21 @@
 "uuid": "f45a0551-8d49-4d40-989f-659416dc25ec",
 "value": "Suspected Russian Activity Targeting Government and Business Entities Around the Globe"
 },
+ {
+ "description": "UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-01T00:00:00Z",
+ "date_published": "2024-02-01T00:00:00Z",
+ "refs": [
+ "https://www.ic3.gov/Media/News/2024/240226.pdf"
+ ],
+ "source": "MITRE",
+ "title": "SVR cyber actors adapt tactics for initial cloud access"
+ },
+ "related": [],
+ "uuid": "e04e6419-a086-598d-a794-925e42f3f237",
+ "value": "NCSC et al APT29 2024"
+ },
 {
 "description": "Cybersecurity and Infrastructure Security Agency. (2024, February 26). SVR Cyber Actors Adapt Tactics for Initial Cloud Access. Retrieved March 1, 2024.",
 "meta": {
@@ -47609,6 +50285,34 @@
 "uuid": "ce371df7-aab6-4338-9491-656481cb5601",
 "value": "SyncAppvPublishingServer.exe - LOLBAS Project"
 },
+ {
+ "description": "Strontic. (n.d.). SyncAppvPublishingServer.exe. Retrieved February 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-06T00:00:00Z",
+ "refs": [
+ "https://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html"
+ ],
+ "source": "MITRE",
+ "title": "SyncAppvPublishingServer.exe"
+ },
+ "related": [],
+ "uuid": "bc5d8a1a-5cf9-5974-bf13-245fa53721da",
+ "value": "6 - appv"
+ },
+ {
+ "description": "Nick Landers, Casey Smith. (n.d.). /Syncappvpublishingserver.vbs. Retrieved February 6, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-06T00:00:00Z",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/"
+ ],
+ "source": "MITRE",
+ "title": "/Syncappvpublishingserver.vbs"
+ },
+ "related": [],
+ "uuid": "926c9e06-cc6a-55ea-8436-1211b4cc4d92",
+ "value": "5 - appv"
+ },
 {
 "description": "LOLBAS. (2018, May 25). Syncappvpublishingserver.vbs. Retrieved December 4, 2023.",
 "meta": {
@@ -47625,6 +50329,21 @@
 "uuid": "adb09226-894c-4874-a2e3-fb2c6de30173",
 "value": "Syncappvpublishingserver.vbs - LOLBAS Project"
 },
+ {
+ "description": "Cone, Matt. (2021, January 14). Synchronize your Mac's Clock with a Time Server. Retrieved March 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-27T00:00:00Z",
+ "date_published": "2021-01-14T00:00:00Z",
+ "refs": [
+ "https://www.macinstruct.com/tutorials/synchronize-your-macs-clock-with-a-time-server/"
+ ],
+ "source": "MITRE",
+ "title": "Synchronize your Mac's Clock with a Time Server"
+ },
+ "related": [],
+ "uuid": "b36dd8af-045d-57b0-b0a9-45d831fe6373",
+ "value": "Mac Time Sync"
+ },
 {
 "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.",
 "meta": {
@@ -47640,6 +50359,21 @@
 "uuid": "1f6eaa98-9184-4341-8634-5512a9c632dd",
 "value": "Mandiant - Synful Knock"
 },
+ {
+ "description": "Sysdig. (2023). Sysdig Global Cloud Threat Report. Retrieved March 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-01T00:00:00Z",
+ "date_published": "2023-01-01T00:00:00Z",
+ "refs": [
+ "https://sysdig.com/content/c/pf-2023-global-cloud-threat-report?x=u_WFRi&xs=524303#page=1"
+ ],
+ "source": "MITRE",
+ "title": "Sysdig Global Cloud Threat Report"
+ },
+ "related": [],
+ "uuid": "80cb54c2-2c44-5e19-bbc5-da9f4aaf976a",
+ "value": "sysdig"
+ },
 {
 "description": "Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. Retrieved September 24, 2021.",
 "meta": {
@@ -47743,20 +50477,6 @@
 "uuid": "6be16aba-a37f-49c4-9a36-51d2676f64e6",
 "value": "Ubuntu Manpage systemd rc"
 },
- {
- "description": "Free Desktop. (n.d.). systemd.service — Service unit configuration. Retrieved March 20, 2023.",
- "meta": {
- "date_accessed": "2023-03-20T00:00:00Z",
- "refs": [
- "https://www.freedesktop.org/software/systemd/man/systemd.service.html"
- ],
- "source": "MITRE",
- "title": "systemd.service — Service unit configuration"
- },
- "related": [],
- "uuid": "cae49a7a-db3b-5202-ba45-fbfa98b073c9",
- "value": "freedesktop systemd.service"
- },
 {
 "description": "Freedesktop.org. (n.d.). systemd.service — Service unit configuration. Retrieved March 16, 2020.",
 "meta": {
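Review bot: The new ref `https://sysdig.com/content/c/pf-2023-global-cloud-threat-report?x=u_WFRi&xs=524303#page=1` at @@ -47640 carries what look like campaign-tracking query parameters; a reference dataset should cite the canonical document URL so the link stays stable and does not attribute every analyst visit to a marketing campaign. Verify that the report still resolves without the `x`/`xs` parameters before trimming them, since gated content portals sometimes need them. The `#page=1` fragment is harmless and can stay or go with the rest.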
@@ -47771,6 +50491,20 @@
 "uuid": "43bae447-d2e3-4b53-b17b-12a0b54ac604",
 "value": "Systemd Service Units"
 },
+ {
+ "description": "Free Desktop. (n.d.). systemd.service — Service unit configuration. Retrieved March 20, 2023.",
+ "meta": {
+ "date_accessed": "2023-03-20T00:00:00Z",
+ "refs": [
+ "https://www.freedesktop.org/software/systemd/man/systemd.service.html"
+ ],
+ "source": "MITRE",
+ "title": "systemd.service — Service unit configuration"
+ },
+ "related": [],
+ "uuid": "cae49a7a-db3b-5202-ba45-fbfa98b073c9",
+ "value": "freedesktop systemd.service"
+ },
 {
 "description": "Man7. (n.d.). systemd-sleep.conf(5) — Linux manual page. Retrieved June 7, 2023.",
 "meta": {
@@ -47857,6 +50591,36 @@
 "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec",
 "value": "MSDN System Time"
 },
+ {
+ "description": "ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-27T00:00:00Z",
+ "date_published": "2024-02-01T00:00:00Z",
+ "refs": [
+ "https://wiki.archlinux.org/title/System_time"
+ ],
+ "source": "MITRE",
+ "title": "System Time"
+ },
+ "related": [],
+ "uuid": "2dfd22d7-c78b-5967-b732-736f37ea5489",
+ "value": "linux system time"
+ },
+ {
+ "description": "Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-28T00:00:00Z",
+ "date_published": "2023-11-01T00:00:00Z",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"
+ ],
+ "source": "MITRE",
+ "title": "T1003.007 - OS Credential Dumping: Proc Filesystem"
+ },
+ "related": [],
+ "uuid": "c7e77109-36d3-5549-a0f7-bacc0d9288b2",
+ "value": "atomic-red proc file system"
+ },
 {
 "description": "redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021.",
 "meta": {
@@ -47902,6 +50666,21 @@
 "uuid": "d9992f57-8ff3-432f-b445-937ff4a6ebf9",
 "value": "US-CERT TA18-068A 2018"
 },
+ {
+ "description": "Raggi, Michael. Proofpoint Threat Research Team. (2021, February 25). TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations. Retrieved February 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-26T00:00:00Z",
+ "date_published": "2021-02-25T00:00:00Z",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global"
+ ],
+ "source": "MITRE",
+ "title": "TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations"
+ },
+ "related": [],
+ "uuid": "3fe79fc8-c86d-57ad-961f-30fddd0e5f62",
+ "value": "Browers FriarFox"
+ },
 {
 "description": "Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.",
 "meta": {
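Review bot: The new entry's `"value": "Browers FriarFox"` looks like a typo for "Browser"; `value` is the label MISP displays and exports as the galaxy tag, so a misspelling here is hard to search for later and is copied into every event that tags this reference. If the string is taken verbatim from the upstream MITRE reference key, raise it upstream rather than patching the generated file; otherwise a label in the style of the neighbouring entries (constructed example: `"value": "Proofpoint TA413 FriarFox February 2021"`) would be clearer.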
@@ -48022,6 +50801,37 @@
 "uuid": "8e34bf1e-86ce-4d52-a6fa-037572766e99",
 "value": "Unit 42 TA551 Jan 2021"
 },
+ {
+ "description": "Proofpoint. (2023, February 23). TA569: SocGholish and Beyond | Proofpoint US. Retrieved May 7, 2023.",
+ "meta": {
+ "date_accessed": "2023-05-07T00:00:00Z",
+ "date_published": "2023-02-23T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
+ ],
+ "source": "Tidal Cyber",
+ "title": "TA569: SocGholish and Beyond | Proofpoint US"
+ },
+ "related": [],
+ "uuid": "fe7924b1-a385-4784-b308-15c2d0dbd840",
+ "value": "Proofpoint February 23 2023"
+ },
+ {
+ "description": "Axel F, Selena Larson. (2023, October 30). TA571 Delivers IcedID Forked Loader. Retrieved February 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-13T00:00:00Z",
+ "date_published": "2023-10-30T00:00:00Z",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader"
+ ],
+ "source": "MITRE",
+ "title": "TA571 Delivers IcedID Forked Loader"
+ },
+ "related": [],
+ "uuid": "5b463ad7-f425-5e70-b0b0-28514730a888",
+ "value": "TA571"
+ },
 {
 "description": "IBM X-Force. (2023, May 30). TA577 OneNote Malspam Results in QakBot Deployment. Retrieved January 24, 2024.",
 "meta": {
@@ -48171,6 +50981,21 @@
 "uuid": "e5f54ded-3ec1-49c1-9302-6b9f372d5015",
 "value": "Tar.exe - LOLBAS Project"
 },
+ {
+ "description": "Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-08T00:00:00Z",
+ "date_published": "2021-11-07T00:00:00Z",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/"
+ ],
+ "source": "MITRE",
+ "title": "Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer"
+ },
+ "related": [],
+ "uuid": "7cdd99d2-bbb2-5c81-ad09-92b581f33ffe",
+ "value": "NGLite Trojan"
+ },
 {
 "description": "Ashwin Vamshi. (2019, January 24). Targeted Attacks Abusing Google Cloud Platform Open Redirection. Retrieved August 18, 2022.",
 "meta": {
@@ -48201,6 +51026,21 @@
 "uuid": "bbc66e9f-98f9-4e34-b568-2833ea536f2e",
 "value": "AhnLab Andariel Subgroup of Lazarus June 2018"
 },
+ {
+ "description": "Aditya Sood and Richard Enbody. (2014, December 16). Targeted Cyber Attacks. Retrieved January 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-04T00:00:00Z",
+ "date_published": "2014-12-16T00:00:00Z",
+ "refs": [
+ "https://www.techtarget.com/searchsecurity/feature/Targeted-Cyber-Attacks"
+ ],
+ "source": "MITRE",
+ "title": "Targeted Cyber Attacks"
+ },
+ "related": [],
+ "uuid": "61aca848-6376-560a-8f14-c23a3a9c832b",
+ "value": "Sood and Enbody"
+ },
 {
 "description": "Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26, 2022.",
 "meta": {
@@ -48426,6 +51266,21 @@
 "uuid": "e0d6208b-a4d6-45f0-bb3a-6c8681630b55",
 "value": "Intezer TeamTNT Explosion September 2021"
 },
+ {
+ "description": "Ofek Itach and Assaf Morag. (2023, July 13). TeamTNT Reemerged with New Aggressive Cloud Campaign. Retrieved February 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-15T00:00:00Z",
+ "date_published": "2023-07-13T00:00:00Z",
+ "refs": [
+ "https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign"
+ ],
+ "source": "MITRE",
+ "title": "TeamTNT Reemerged with New Aggressive Cloud Campaign"
+ },
+ "related": [],
+ "uuid": "b98f1967-c62f-5afe-a2f7-4c426615d576",
+ "value": "AquaSec TeamTNT 2023"
+ },
 {
 "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.",
 "meta": {
@@ -48530,6 +51385,21 @@
 "uuid": "bb23ca19-78bb-4406-90a4-bf82bd467e04",
 "value": "McAfee Babuk February 2021"
 },
+ {
+ "description": "Romain Dumont . (2022, September 21). Technical Analysis of Crytox Ransomware. Retrieved November 22, 2023.",
+ "meta": {
+ "date_accessed": "2023-11-22T00:00:00Z",
+ "date_published": "2022-09-21T00:00:00Z",
+ "refs": [
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware"
+ ],
+ "source": "MITRE",
+ "title": "Technical Analysis of Crytox Ransomware"
+ },
+ "related": [],
+ "uuid": "7c22d9d0-a2d8-5936-a6b1-5c696a2a19c6",
+ "value": "Crytox Ransomware"
+ },
 {
 "description": "Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.",
 "meta": {
@@ -48606,6 +51476,21 @@
 "uuid": "8cd7676a-bbef-4c31-8288-365837acf65d",
 "value": "Apple TN2459 Kernel Extensions"
 },
+ {
+ "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-04T00:00:00Z",
+ "date_published": "2021-04-01T00:00:00Z",
+ "refs": [
+ "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Technical Paper // Taking Action Against Arid Viper"
+ },
+ "related": [],
+ "uuid": "1dca5e73-0b6e-51cd-867c-927d081f228d",
+ "value": "fb_arid_viper"
+ },
 {
 "description": "GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.",
 "meta": {
@@ -49035,6 +51920,21 @@
 "uuid": "2dca2274-5f25-475a-b87d-97f3e3a525de",
 "value": "SANS Conficker"
 },
+ {
+ "description": "Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-09T00:00:00Z",
+ "date_published": "2023-11-21T00:00:00Z",
+ "refs": [
+ "https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/"
+ ],
+ "source": "MITRE",
+ "title": "The Continued Evolution of the DarkGate Malware-as-a-Service"
+ },
+ "related": [],
+ "uuid": "83fb92d8-1245-5d68-b9f2-0915c10401c6",
+ "value": "Trellix Darkgate 2023"
+ },
 {
 "description": "Wueest, C.. (2014, October 21). The continued rise of DDoS attacks. Retrieved April 24, 2019.",
 "meta": {
@@ -49065,6 +51965,21 @@
 "uuid": "93a23447-641c-4ee2-9fbd-64b2adea8a5f",
 "value": "BlackBerry CostaRicto November 2020"
 },
+ {
+ "description": "Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-19T00:00:00Z",
+ "date_published": "2024-01-31T00:00:00Z",
+ "refs": [
+ "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
+ ],
+ "source": "MITRE",
+ "title": "The curious case of DangerDev@protonmail.me"
+ },
+ "related": [],
+ "uuid": "90d608b9-ddbf-5476-bce1-85e8466aca47",
+ "value": "Invictus IR DangerDev 2024"
+ },
 {
 "description": "Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.",
 "meta": {
@@ -49101,7 +52016,7 @@
 "date_accessed": "2019-10-08T00:00:00Z",
 "date_published": "2019-06-08T00:00:00Z",
 "refs": [
- "https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc"
+ "https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc"
 ],
 "source": "MITRE",
 "title": "The Danger of Unused AWS Regions"
@@ -49321,6 +52236,21 @@
 "uuid": "7578541b-1ae3-58d0-a8b9-120bd6cd96f5",
 "value": "CrowdStrike Evolution of Pinchy Spider July 2021"
 },
+ {
+ "description": "Julia Kisielius. (2017, April 25). The Felismus RAT: Powerful Threat, Mysterious Purpose. Retrieved January 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-10T00:00:00Z",
+ "date_published": "2017-04-25T00:00:00Z",
+ "refs": [
+ "https://cybersecurity.att.com/blogs/security-essentials/the-felismus-rat-powerful-threat-mysterious-purpose"
+ ],
+ "source": "MITRE",
+ "title": "The Felismus RAT: Powerful Threat, Mysterious Purpose"
+ },
+ "related": [],
+ "uuid": "5c74fdea-e5d5-5a77-a945-4819184e571f",
+ "value": "ATT Felismus"
+ },
 {
 "description": "Selena Larson, Daniel Blackford, Garrett G. (2021, June 16). The First Step: Initial Access Leads to Ransomware. Retrieved January 24, 2024.",
 "meta": {
@@ -49546,6 +52476,36 @@
 "uuid": "f1d16045-d365-43d2-bc08-65ba1ddbe0fd",
 "value": "dhs_threat_to_net_devices"
 },
+ {
+ "description": "Blake Sobczak. (2019, March 7). The inside story of the world’s most dangerous malware. Retrieved March 25, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-25T00:00:00Z",
+ "date_published": "2019-03-07T00:00:00Z",
+ "refs": [
+ "https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/"
+ ],
+ "source": "MITRE",
+ "title": "The inside story of the world’s most dangerous malware"
+ },
+ "related": [],
+ "uuid": "5cc54d85-ee53-579d-a8fb-9b54b3540dc0",
+ "value": "Triton-EENews-2017"
+ },
+ {
+ "description": "Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. Retrieved March 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-04T00:00:00Z",
+ "date_published": "2023-10-24T00:00:00Z",
+ "refs": [
+ "https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/"
+ ],
+ "source": "MITRE",
+ "title": "The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest"
+ },
+ "related": [],
+ "uuid": "8fa21bad-0186-5181-b52e-32f7f116695c",
+ "value": "sentinelone_israel_hamas_war"
+ },
 {
 "description": "Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.",
 "meta": {
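Review bot: The first new entry's `"value": "Triton-EENews-2017"` encodes a year that contradicts the entry's own `"date_published": "2019-03-07T00:00:00Z"` and its description `(2019, March 7)`; a year suffix in `value` is what disambiguates repeated sources from one outlet, so a wrong one misleads. The 2017 probably refers to the incident the article covers rather than to the article, in which case `"value": "Triton-EENews-2019"` or a label without a year would be consistent with the rest of the record.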
@@ -49634,6 +52594,20 @@
 "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5",
 "value": "GitHub LaZagne Dec 2018"
 },
+ {
+ "description": "Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.",
+ "meta": {
+ "date_accessed": "2018-12-14T00:00:00Z",
+ "refs": [
+ "https://github.com/AlessandroZ/LaZagne"
+ ],
+ "source": "MITRE",
+ "title": "The LaZagne Project !!!"
+ },
+ "related": [],
+ "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15",
+ "value": "GitHub LaZange Dec 2018"
+ },
 {
 "description": "SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.",
 "meta": {
@@ -49649,6 +52623,21 @@
 "uuid": "773d1d91-a93c-4bb3-928b-4c3f82f2c889",
 "value": "Dell P2P ZeuS"
 },
+ {
+ "description": "Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-08T00:00:00Z",
+ "date_published": "2022-01-01T00:00:00Z",
+ "refs": [
+ "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf"
+ ],
+ "source": "MITRE",
+ "title": "The link between Kwampirs (Orangeworm) and Shamoon APTs"
+ },
+ "related": [],
+ "uuid": "06442111-2c71-5efb-9530-cabeba159a91",
+ "value": "Cylera Kwampirs 2022"
+ },
 {
 "description": "Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020.",
 "meta": {
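Review bot: The added entry at @@ -49634 has `"value": "GitHub LaZange Dec 2018"`, which differs only by two transposed letters from the existing `"GitHub LaZagne Dec 2018"` three context lines above, so the commit introduces a second uuid (`33cca4fa-…`) for what is very likely the same source as `9347b507-…`. The existing entry's `refs` are outside the hunk, but the matching label and retrieval month point at a duplicate rather than a distinct reference, and two near-identical labels will be exported as two distinct galaxy tags and make `related` links ambiguous. Unless the upstream MITRE dataset really carries both keys, deduplicate onto the existing uuid instead of adding the new record.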
@@ -50067,6 +53056,21 @@
 "uuid": "4656cc2c-aff3-4416-b18d-995876d37e06",
 "value": "Malwarebytes Heroku Skimmers"
 },
+ {
+ "description": "TOM ABAI. (2023, August 10). There’s a New Stealer Variant in Town, and It’s Using Electron to Stay Fully Undetected. Retrieved March 7, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-07T00:00:00Z",
+ "date_published": "2023-08-10T00:00:00Z",
+ "refs": [
+ "https://www.mend.io/blog/theres-a-new-stealer-variant-in-town-and-its-using-electron-to-stay-fully-undetected/"
+ ],
+ "source": "MITRE",
+ "title": "There’s a New Stealer Variant in Town, and It’s Using Electron to Stay Fully Undetected"
+ },
+ "related": [],
+ "uuid": "e1762a94-5efc-5211-a714-f4d6d71bfe37",
+ "value": "Electron 1"
+ },
 {
 "description": "Howard Oakley. (2020, October 24). There's more to files than data: Extended Attributes. Retrieved October 12, 2021.",
 "meta": {
@@ -50158,6 +53162,21 @@
 "uuid": "dbae7e21-20d4-454c-88db-43e2a195808e",
 "value": "DigiTrust Agent Tesla Jan 2017"
 },
+ {
+ "description": "James Arndt. (2023, February 21). The Rise of Agent Tesla: Understanding the Notorious Keylogger. Retrieved January 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-10T00:00:00Z",
+ "date_published": "2023-02-21T00:00:00Z",
+ "refs": [
+ "https://cofense.com/blog/the-rise-of-agent-tesla-understanding-the-notorious-keylogger/"
+ ],
+ "source": "MITRE",
+ "title": "The Rise of Agent Tesla: Understanding the Notorious Keylogger"
+ },
+ "related": [],
+ "uuid": "f8a8a3a0-5b30-5f3e-a7b0-f8a4aaae7ee7",
+ "value": "Cofense Agent Tesla"
+ },
 {
 "description": "Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.",
 "meta": {
@@ -50293,6 +53312,21 @@
 "uuid": "84ac99ef-106f-44e9-97f0-3eda90570932",
 "value": "Check Point APT31 February 2021"
 },
+ {
+ "description": "YUCEEL, Huseyin Can. Picus Labs. (2022, June 9). The System Information Discovery Technique Explained - MITRE ATT&CK T1082. Retrieved March 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-27T00:00:00Z",
+ "date_published": "2022-06-09T00:00:00Z",
+ "refs": [
+ "https://www.picussecurity.com/resource/the-system-information-discovery-technique-explained-mitre-attack-t1082"
+ ],
+ "source": "MITRE",
+ "title": "The System Information Discovery Technique Explained - MITRE ATT&CK T1082"
+ },
+ "related": [],
+ "uuid": "6123fbd4-c6fc-504c-92f2-5d405730c298",
+ "value": "System Information Discovery Technique"
+ },
 {
 "description": "UCF. (n.d.). The system must require username and password to elevate a running application.. Retrieved December 18, 2017.",
 "meta": {
@@ -50833,6 +53867,21 @@
 "uuid": "67dd04dd-c0e0-49e6-9341-4e445d660641",
 "value": "Aqua Kinsing April 2020"
 },
+ {
+ "description": "Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-13T00:00:00Z",
+ "date_published": "2020-09-15T00:00:00Z",
+ "refs": [
+ "https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/"
+ ],
+ "source": "MITRE",
+ "title": "Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader"
+ },
+ "related": [],
+ "uuid": "29d25b85-ae13-57d6-9e6f-d0f65783b5ac",
+ "value": "Segurança Informática URSA Sophisticated Loader 2020"
+ },
 {
 "description": "Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.",
 "meta": {
@@ -50982,20 +54031,6 @@
 "uuid": "c113cde7-5dd5-45e9-af16-3ab6ed0b1728",
 "value": "Awake Security Avaddon"
 },
- {
- "description": "Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022.",
- "meta": {
- "date_accessed": "2022-07-08T00:00:00Z",
- "refs": [
- "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/"
- ],
- "source": "MITRE",
- "title": "Threat Hunting Series: Detecting Command & Control in the Cloud"
- },
- "related": [],
- "uuid": "b12e0288-48cd-46ec-8305-0f4d050782f2",
- "value": "Detecting Command & Control in the Cloud"
- },
 {
 "description": "Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved May 27, 2022.",
 "meta": {
@@ -51010,6 +54045,20 @@
 "uuid": "fa3762ce-3e60-4991-b464-12601d2a6912",
 "value": "Awake Security C2 Cloud"
 },
+ {
+ "description": "Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022.",
+ "meta": {
+ "date_accessed": "2022-07-08T00:00:00Z",
+ "refs": [
+ "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/"
+ ],
+ "source": "MITRE",
+ "title": "Threat Hunting Series: Detecting Command & Control in the Cloud"
+ },
+ "related": [],
+ "uuid": "b12e0288-48cd-46ec-8305-0f4d050782f2",
+ "value": "Detecting Command & Control in the Cloud"
+ },
 {
 "description": "Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021.",
 "meta": {
@@ -51309,6 +54358,21 @@
 "uuid": "94cdbd73-a31a-4ec3-aa36-de3ea077c1c7",
 "value": "Talos TinyTurla September 2021"
 },
+ {
+ "description": "Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-03T00:00:00Z",
+ "date_published": "2023-10-12T00:00:00Z",
+ "refs": [
+ "https://securelist.com/toddycat-keep-calm-and-check-logs/110696/"
+ ],
+ "source": "MITRE",
+ "title": "ToddyCat: Keep calm and check logs"
+ },
+ "related": [],
+ "uuid": "dbdaf320-eada-5bbb-95ab-aaa987ed7960",
+ "value": "Kaspersky ToddyCat Check Logs October 2023"
+ },
 {
 "description": "netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.",
 "meta": {
@@ -51324,6 +54388,21 @@
 "uuid": "243deb44-4d47-4c41-bd5d-262c4319cce5",
 "value": "Pentestlab Token Manipulation"
 },
+ {
+ "description": "Microsoft Incident Response. (2022, November 16). Token tactics: How to prevent, detect, and respond to cloud token theft. Retrieved December 26, 2023.",
+ "meta": {
+ "date_accessed": "2023-12-26T00:00:00Z",
+ "date_published": "2022-11-16T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/"
+ ],
+ "source": "MITRE",
+ "title": "Token tactics: How to prevent, detect, and respond to cloud token theft"
+ },
+ "related": [],
+ "uuid": "e254e336-2e3e-5bea-a9e9-0f42f333b894",
+ "value": "Token tactics"
+ },
 {
 "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.",
 "meta": {
@@ -51369,6 +54448,20 @@
 "uuid": "99e2709e-a32a-4fbf-a20a-ffcdd8befdc8",
 "value": "NorthSec 2015 GData Uroburos Tools"
 },
+ {
+ "description": "Daniel Krivelevich and Omer Gil. (n.d.). Top 10 CI/CD Security Risks. Retrieved March 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-24T00:00:00Z",
+ "refs": [
+ "https://www.cidersecurity.io/top-10-cicd-security-risks/"
+ ],
+ "source": "MITRE",
+ "title": "Top 10 CI/CD Security Risks"
+ },
+ "related": [],
+ "uuid": "512974b7-b464-52af-909a-2cb880b524e5",
+ "value": "Cider Security Top 10 CICD Security Risks"
+ },
 {
 "description": "Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.",
 "meta": {
@@ -51413,6 +54506,21 @@
 "uuid": "f0e368f1-3347-41ef-91fb-995c3cb07707",
 "value": "LOLBAS Tracker"
 },
+ {
+ "description": "Will Thomas. (2023, September 15). Tracking Adversaries: Akira, another descendent of Conti. Retrieved February 21, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-21T00:00:00Z",
+ "date_published": "2023-09-15T00:00:00Z",
+ "refs": [
+ "https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html"
+ ],
+ "source": "MITRE",
+ "title": "Tracking Adversaries: Akira, another descendent of Conti"
+ },
+ "related": [],
+ "uuid": "8fe09ef1-f72e-5261-b79f-5d41fad51eac",
+ "value": "BushidoToken Akira 2023"
+ },
 {
 "description": "BushidoToken. (2023, August 16). Tracking Adversaries: Scattered Spider, the BlackCat affiliate. Retrieved September 14, 2023.",
 "meta": {
@@ -51532,21 +54640,6 @@
 "uuid": "99e48516-f918-477c-b85e-4ad894cc031f",
 "value": "JScrip May 2018"
 },
- {
- "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.",
- "meta": {
- "date_accessed": "2021-09-02T00:00:00Z",
- "date_published": "2021-05-13T00:00:00Z",
- "refs": [
- "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html"
- ],
- "source": "MITRE, Tidal Cyber",
- "title": "Transparent Tribe APT expands its Windows malware arsenal"
- },
- "related": [],
- "uuid": "5d58c285-bc7d-4a8a-a96a-ac7118c1089d",
- "value": "Talos Transparent Tribe May 2021"
- },
 {
 "description": "Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022.",
 "meta": {
@@ -51562,6 +54655,21 @@
 "uuid": "be1e3092-1981-457b-ae76-b55b057e1d73",
 "value": "tt_obliqueRAT"
 },
+ {
+ "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.",
+ "meta": {
+ "date_accessed": "2021-09-02T00:00:00Z",
+ "date_published": "2021-05-13T00:00:00Z",
+ "refs": [
+ "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html"
+ ],
+ "source": "MITRE, Tidal Cyber",
+ "title": "Transparent Tribe APT expands its Windows malware arsenal"
+ },
+ "related": [],
+ "uuid": "5d58c285-bc7d-4a8a-a96a-ac7118c1089d",
+ "value": "Talos Transparent Tribe May 2021"
+ },
 {
 "description": "N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.",
 "meta": {
@@ -51592,21 +54700,6 @@
 "uuid": "9bdda422-dbf7-4b70-a7b1-9e3ad658c239",
 "value": "tt_httrack_fake_domains"
 },
- {
- "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.",
- "meta": {
- "date_accessed": "2021-04-01T00:00:00Z",
- "date_published": "2020-08-20T00:00:00Z",
- "refs": [
- "https://securelist.com/transparent-tribe-part-1/98127/"
- ],
- "source": "MITRE",
- "title": "Transparent Tribe: Evolution analysis, part 1"
- },
- "related": [],
- "uuid": "0db470b1-ab22-4b67-a858-472e4de7c6f0",
- "value": "Securelist Trasparent Tribe 2020"
- },
 {
 "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.",
 "meta": {
@@ -51622,6 +54715,21 @@
 "uuid": "42c7faa2-f664-4e4a-9d23-93c88a09da5b",
 "value": "Kaspersky Transparent Tribe August 2020"
 },
+ {
+ "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.",
+ "meta": {
+ "date_accessed": "2021-04-01T00:00:00Z",
+ "date_published": "2020-08-20T00:00:00Z",
+ "refs": [
+ "https://securelist.com/transparent-tribe-part-1/98127/"
+ ],
+ "source": "MITRE",
+ "title": "Transparent Tribe: Evolution analysis, part 1"
+ },
+ "related": [],
+ "uuid": "0db470b1-ab22-4b67-a858-472e4de7c6f0",
+ "value": "Securelist Trasparent Tribe 2020"
+ },
 {
 "description": "Microsoft. (2016, June 1). Transport agents. Retrieved June 24, 2019.",
 "meta": {
@@ -51741,6 +54849,20 @@
 "uuid": "5590bb5c-d9d1-480c-bb69-1944c1cf2431",
 "value": "Mandiant APT29 Trello"
 },
+ {
+ "description": "Trend Micro. (n.d.). Retrieved February 16, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-16T00:00:00Z",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research.html"
+ ],
+ "source": "MITRE",
+ "title": "Trend Micro - Int SP"
+ },
+ "related": [],
+ "uuid": "1c21c911-11db-560c-b623-5937dc478b74",
+ "value": "Trend Micro - Int SP"
+ },
 {
 "description": "Jagpal, N., et al. (2015, August). Trends and Lessons from Three Years Fighting Malicious Extensions. Retrieved November 17, 2017.",
 "meta": {
@@ -51996,6 +55118,20 @@
 "uuid": "aadbd0a8-00f2-404b-8d02-6d36292726da",
 "value": "Trimarc Detecting Password Spraying"
 },
+ {
+ "description": "Cybereason Nocturnus. (n.d.). Triple Threat: Emotet Deploys TrickBot to Steal Data & Spread Ryuk. Retrieved November 28, 2023.",
+ "meta": {
+ "date_accessed": "2023-11-28T00:00:00Z",
+ "refs": [
+ "https://www.cybereason.com/blog/research/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware#:~:text=TrickBot%20uses%20a%20hidden%20VNC,desktop%20without%20the%20victim%20noticing"
+ ],
+ "source": "MITRE",
+ "title": "Triple Threat: Emotet Deploys TrickBot to Steal Data & Spread Ryuk"
+ },
+ "related": [],
+ "uuid": "672743fe-f83a-507e-bd38-2315d7a062e0",
+ "value": "Emotet Deploys TrickBot"
+ },
 {
 "description": "Dragos. (2017, December 13). TRISIS Malware Analysis of Safety System Targeted Malware. Retrieved January 6, 2021.",
 "meta": {
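Review bot: The new entry at @@ -51741 has `"description": "Trend Micro. (n.d.). Retrieved February 16, 2024."`, which omits the work title that every other entry places between the date and "Retrieved", and its only ref is Trend Micro's generic research landing page `https://www.trendmicro.com/en_us/research.html` rather than a specific article, so the record does not identify a citable source. The `title` and `value` `"Trend Micro - Int SP"` read like an internal shorthand carried over from the upstream dataset. Either resolve the entry to the specific report it stands for or hold it back until the upstream record is fixed; as it stands it will appear in MISP as a reference that cannot be followed.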
@@ -52326,6 +55462,21 @@
 "uuid": "47524b17-1acd-44b1-8de5-168369fa9455",
 "value": "paloalto Tropic Trooper 2016"
 },
+ {
+ "description": "Microsoft. (2023, October 23). Troubleshooting Conditional Access policy changes. Retrieved January 2, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-02T00:00:00Z",
+ "date_published": "2023-10-23T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/entra/identity/conditional-access/troubleshoot-policy-changes-audit-log"
+ ],
+ "source": "MITRE",
+ "title": "Troubleshooting Conditional Access policy changes"
+ },
+ "related": [],
+ "uuid": "fb9ad2ce-c6bc-584b-b42e-0e7c23e5d6cc",
+ "value": "Microsoft Conditional Access Policy Changes"
+ },
 {
 "description": "Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020.",
 "meta": {
@@ -52866,6 +56017,21 @@
 "uuid": "c565b025-df74-40a9-9535-b630ca06f777",
 "value": "Bleepingcomputer Gamardeon FSB November 2021"
 },
+ {
+ "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-01T00:00:00Z",
+ "date_published": "2023-04-19T00:00:00Z",
+ "refs": [
+ "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"
+ ],
+ "source": "MITRE",
+ "title": "Ukraine remains Russia’s biggest cyber focus in 2023"
+ },
+ "related": [],
+ "uuid": "95c6ad1d-df16-5dd3-a6ef-75c1247ec5e0",
+ "value": "Leonard TAG 2023"
+ },
 {
 "description": "Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.",
 "meta": {
@@ -53242,6 +56408,22 @@
 "uuid": "b251ed65-a145-4053-9dc2-bf0dad83d76c",
 "value": "Adsecurity Mimikatz Guide"
 },
+ {
+ "description": "Cybleinc. (2023, May 10). Unraveling Akira Ransomware. Retrieved February 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-27T00:00:00Z",
+ "date_published": "2023-05-10T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Unraveling Akira Ransomware"
+ },
+ "related": [],
+ "uuid": "4a6cde5d-971e-4260-9ab4-777ee81d5af0",
+ "value": "Cyble Akira May 10 2023"
+ },
 {
 "description": "GREAT. (2017, April 11). Unraveling the Lamberts Toolkit. Retrieved March 21, 2022.",
 "meta": {
@@ -53318,6 +56500,21 @@
 "uuid": "547f1a4a-7e4a-461d-8c19-f4775cd60ac0",
 "value": "Kaspersky Careto"
 },
+ {
+ "description": "KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-08T00:00:00Z",
+ "date_published": "2023-12-14T00:00:00Z",
+ "refs": [
+ "https://securelist.com/unveiling-nkabuse/111512/"
+ ],
+ "source": "MITRE",
+ "title": "Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol"
+ },
+ "related": [],
+ "uuid": "96e199f8-1d33-574f-a507-05303db728e1",
+ "value": "NKAbuse SL"
+ },
 {
 "description": "Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.",
 "meta": {
@@ -53333,6 +56530,21 @@
 "uuid": "d4e43b2c-a858-4285-984f-f59db5c657bd",
 "value": "Cymmetria Patchwork"
 },
+ {
+ "description": "Orange Cyberdefense. (2024, March 14). Unveiling the depths of residential proxies providers. Retrieved April 11, 2024.",
+ "meta": {
+ "date_accessed": "2024-04-11T00:00:00Z",
+ "date_published": "2024-03-14T00:00:00Z",
+ "refs": [
+ "https://www.orangecyberdefense.com/global/blog/research/residential-proxies"
+ ],
+ "source": "MITRE",
+ "title": "Unveiling the depths of residential proxies providers"
+ },
+ "related": [],
+ "uuid": "df4b99f3-1796-57b3-a352-37be5380badc",
+ "value": "Orange Residential Proxies"
+ },
 {
 "description": "Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage Operations. Retrieved March 6, 2017.",
 "meta": {
@@ -53469,6 +56681,21 @@
 "uuid": "d6e71b45-fc91-40f4-8201-2186994ae42a",
 "value": "PaperCut MF/NG vulnerability bulletin"
 },
+ {
+ "description": "Nathan McFeters. Billy Kim Rios. Rob Carter.. (2008). URI Use and Abuse. Retrieved February 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-09T00:00:00Z",
+ "date_published": "2008-01-01T00:00:00Z",
+ "refs": [
+ "https://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf"
+ ],
+ "source": "MITRE",
+ "title": "URI Use and Abuse"
+ },
+ "related": [],
+ "uuid": "8d0aea35-c1af-5dda-a4c9-814f0e9c9334",
+ "value": "URI Use"
+ },
 {
 "description": "LOLBAS. (2018, May 25). Url.dll. Retrieved December 4, 2023.",
 "meta": {
@@ -53485,6 +56712,21 @@
 "uuid": "0c88fb72-6be5-4a01-af1c-553650779253",
 "value": "Url.dll - LOLBAS Project"
 },
+ {
+ "description": "SCILabs. (2023, October 8). URSA/Mispadu: Overlap analysis with other threats. Retrieved March 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-13T00:00:00Z",
+ "date_published": "2023-10-08T00:00:00Z",
+ "refs": [
+ "https://blog.scilabs.mx/en/ursa-mispadu-overlap-analysis-with-other-threats/"
+ ],
+ "source": "MITRE",
+ "title": "URSA/Mispadu: Overlap analysis with other threats"
+ },
+ "related": [],
+ "uuid": "ed4aab9c-6b94-593b-b81e-47393197ee48",
+ "value": "SCILabs Malteiro Threat Overlap 2023"
+ },
 {
 "description": "NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019.",
 "meta": {
@@ -53506,7 +56748,7 @@
 "date_accessed": "2019-06-05T00:00:00Z",
 "date_published": "2015-03-26T00:00:00Z",
 "refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992"
+ "https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992"
 ],
 "source": "MITRE",
 "title": "URSNIF: The Multifaceted Malware"
@@ -53750,6 +56992,21 @@
 "uuid": "f83283aa-3aaf-4ebd-8503-0d84c2c627c4",
 "value": "MacOS Email Rules"
 },
+ {
+ "description": "Microsoft. (2023, October 1). Use sharing auditing in the audit log. Retrieved March 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-04T00:00:00Z",
+ "date_published": "2023-10-01T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/purview/audit-log-sharing"
+ ],
+ "source": "MITRE",
+ "title": "Use sharing auditing in the audit log"
+ },
+ "related": [],
+ "uuid": "f45d4d73-31b5-557d-b734-f5c186a2e31c",
+ "value": "Microsoft 365 Sharing Auditing"
+ },
 {
 "description": "Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021.",
 "meta": {
@@ -53779,6 +57036,20 @@
 "uuid": "4e7c36b9-415f-41f1-980e-251d92994eb4",
 "value": "Microsoft Windows Event Forwarding FEB 2018"
 },
+ {
+ "description": "Google. (n.d.). Use Workspace DLP to prevent data loss. Retrieved March 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-04T00:00:00Z",
+ "refs": [
+ "https://support.google.com/a/answer/9646351"
+ ],
+ "source": "MITRE",
+ "title": "Use Workspace DLP to prevent data loss"
+ },
+ "related": [],
+ "uuid": "81dc5818-342c-5efb-90c6-425c218e130f",
+ "value": "Google Workspace Data Loss Prevention"
+ },
 {
 "description": "Apple. (2020, January 28). Use zsh as the default shell on your Mac. Retrieved June 12, 2020.",
 "meta": {
@@ -53852,6 +57123,20 @@
 "uuid": "11c44e1e-28d8-4d45-8539-6586466a5b3c",
 "value": "Microsoft DsAddSidHistory"
 },
+ {
+ "description": "AWS. (n.d.). Using instance profiles. Retrieved February 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-28T00:00:00Z",
+ "refs": [
+ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html"
+ ],
+ "source": "MITRE",
+ "title": "Using instance profiles"
+ },
+ "related": [],
+ "uuid": "d114854b-50eb-5d60-896b-401df1e6cada",
+ "value": "AWS Instance Profiles"
+ },
 {
 "description": "Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.",
 "meta": {
@@ -54015,6 +57300,20 @@
 "uuid": "d0ac448a-7299-4ddc-8730-be72fb840ccb",
 "value": "OSX Keychain Schaumann"
 },
+ {
+ "description": "AutoHotkey Foundation LLC. (n.d.). Using the Program. Retrieved March 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-29T00:00:00Z",
+ "refs": [
+ "https://www.autohotkey.com/docs/v1/Program.htm"
+ ],
+ "source": "MITRE",
+ "title": "Using the Program"
+ },
+ "related": [],
+ "uuid": "0ddfa2ec-a8a5-5cf0-b1b9-7ff6890bc666",
+ "value": "AutoHotKey"
+ },
 {
 "description": "Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019.",
 "meta": {
@@ -54298,6 +57597,21 @@
 "uuid": "c06af73d-5ed0-46a0-a5a9-161035075884",
 "value": "MalwareTech VFS Nov 2014"
 },
+ {
+ "description": "YUCEEL, Huseyin Can. Picus Labs. (2022, June 9). Virtualization/Sandbox Evasion - How Attackers Avoid Malware Analysis. Retrieved December 26, 2023.",
+ "meta": {
+ "date_accessed": "2023-12-26T00:00:00Z",
+ "date_published": "2022-06-09T00:00:00Z",
+ "refs": [
+ "https://www.picussecurity.com/resource/virtualization/sandbox-evasion-how-attackers-avoid-malware-analysis"
+ ],
+ "source": "MITRE",
+ "title": "Virtualization/Sandbox Evasion - How Attackers Avoid Malware Analysis"
+ },
+ "related": [],
+ "uuid": "a3031616-f21a-574f-a9a5-a808a6230aa8",
+ "value": "Virtualization/Sandbox Evasion"
+ },
 {
 "description": "Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.",
 "meta": {
@@ -54675,6 +57989,21 @@
 "uuid": "70c168a0-9ddf-408d-ba29-885c0c5c936a",
 "value": "vstest.console.exe - LOLBAS Project"
 },
+ {
+ "description": "Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.",
+ "meta": {
+ "date_accessed": "2017-02-03T00:00:00Z",
+ "date_published": "2016-07-20T00:00:00Z",
+ "refs": [
+ "https://skanthak.homepage.t-online.de/sentinel.html"
+ ],
+ "source": "MITRE",
+ "title": "Vulnerability and Exploit Detector"
+ },
+ "related": [],
+ "uuid": "d63d6e14-8fe7-4893-a42f-3752eaec8770",
+ "value": "Vulnerability and Exploit Detector"
+ },
 {
 "description": "Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.",
 "meta": {
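Review bot: The re-added "Vulnerability and Exploit Detector" entry (uuid d63d6e14-8fe7-4893-a42f-3752eaec8770) duplicates the reference held by the adjacent "Kanthak Sentinel" entry: same title, same author and date, with the description differing only by the doubled period in `Kanthak, S..`; the refs of the Kanthak Sentinel entry lie outside the hunk, but the description line alone points at one source under two uuids. The hunk appears to be the relocation half of the in-place rewrite in the next hunk (`@@ -54691,19 +58020,19 @@`), so the duplicate predates this commit; still, two uuids for one citation will resurface as a spurious reorder on every regeneration, and merging them, or at least correcting `Kanthak, S..` to `Kanthak, S.` so the two descriptions are byte-identical, is worth doing once.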
@@ -54691,19 +58020,19 @@
 "value": "Kanthak Sentinel"
 },
 {
- "description": "Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.",
+ "description": "CertiK. (2020, June 30). Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run. Retrieved March 7, 2024.",
 "meta": {
- "date_accessed": "2017-02-03T00:00:00Z",
- "date_published": "2016-07-20T00:00:00Z",
+ "date_accessed": "2024-03-07T00:00:00Z",
+ "date_published": "2020-06-30T00:00:00Z",
 "refs": [
- "https://skanthak.homepage.t-online.de/sentinel.html"
+ "https://medium.com/certik/vulnerability-in-electron-based-application-unintentionally-giving-malicious-code-room-to-run-e2e1447d01b8"
 ],
 "source": "MITRE",
- "title": "Vulnerability and Exploit Detector"
+ "title": "Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run"
 },
 "related": [],
- "uuid": "d63d6e14-8fe7-4893-a42f-3752eaec8770",
- "value": "Vulnerability and Exploit Detector"
+ "uuid": "b425f1b5-0375-5747-abd0-c5cd7ba3b781",
+ "value": "Electron Security 3"
 },
 {
 "description": "Microsoft. (2014, November 18). Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780). Retrieved December 23, 2015.",
@@ -55184,20 +58513,6 @@
 "uuid": "d316c581-646d-48e7-956e-34e2f957c67d",
 "value": "Cofense Astaroth Sept 2018"
 },
- {
- "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.",
- "meta": {
- "date_accessed": "2021-09-14T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil"
- ],
- "source": "MITRE",
- "title": "wevtutil"
- },
- "related": [],
- "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e",
- "value": "Wevtutil Microsoft Documentation"
- },
 {
 "description": "Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.",
 "meta": {
@@ -55213,6 +58528,20 @@
 "uuid": "8896d802-96c6-4546-8a82-c1f7f2d71ea1",
 "value": "Microsoft wevtutil Oct 2017"
 },
+ {
+ "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.",
+ "meta": {
+ "date_accessed": "2021-09-14T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil"
+ ],
+ "source": "MITRE",
+ "title": "wevtutil"
+ },
+ "related": [],
+ "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e",
+ "value": "Wevtutil Microsoft Documentation"
+ },
 {
 "description": "LOLBAS. (2021, September 26). Wfc.exe. Retrieved December 4, 2023.",
 "meta": {
@@ -55519,6 +58848,21 @@
 "uuid": "7e674a8d-e79f-5cb0-8ad2-a7678e647c6f",
 "value": "CrowdStrike-BEC"
 },
+ {
+ "description": "Microsoft. (2023, November 15). What is Conditional Access?. Retrieved January 2, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-02T00:00:00Z",
+ "date_published": "2023-11-15T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"
+ ],
+ "source": "MITRE",
+ "title": "What is Conditional Access?"
+ },
+ "related": [],
+ "uuid": "7d39522c-5a9c-5a19-a0e4-e5aec68f5f08",
+ "value": "Microsoft Conditional Access"
+ },
 {
 "description": "Palo Alto Networks. (n.d.). What Is DNS Tunneling?. Retrieved March 15, 2020.",
 "meta": {
@@ -55888,20 +59232,6 @@
 "uuid": "dbdc2009-a468-439b-bd96-e6153b3fb8a1",
 "value": "Trend Micro When Phishing Starts from the Inside 2017"
 },
- {
- "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019",
- "meta": {
- "date_accessed": "2019-10-22T00:00:00Z",
- "refs": [
- "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
- ],
- "source": "MITRE",
- "title": "When The Lights Went Out"
- },
- "related": [],
- "uuid": "7f0acd33-602e-5f07-a1ae-a87e3c8f2eb5",
- "value": "Booz Allen Hamilton"
- },
 {
 "description": "Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved December 20, 2017.",
 "meta": {
@@ -56020,6 +59350,21 @@
 "uuid": "127836ce-e459-405d-a75c-32fd5f0ab198",
 "value": "Accenture Lyceum Targets November 2021"
 },
+ {
+ "description": "Safran, Or. Asinovsky, Pavel. (2017, November). Who Hid My Desktop: Deep Dive Into HVNC. Retrieved November 28, 2023.",
+ "meta": {
+ "date_accessed": "2023-11-28T00:00:00Z",
+ "date_published": "2017-11-01T00:00:00Z",
+ "refs": [
+ "https://deepsec.net/docs/Slides/2017/Who_Hid_My_Desktop_Or_Safran_Pavel_Asinovsky.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Who Hid My Desktop: Deep Dive Into HVNC"
+ },
+ "related": [],
+ "uuid": "f9c81b1d-b58c-54d4-8eb8-cd86e9121ce4",
+ "value": "Who Hid My Desktop"
+ },
 {
 "description": "Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017.",
 "meta": {
@@ -56140,6 +59485,35 @@
 "uuid": "7420d79f-c6a3-4932-9c2e-c9cc36e2ca35",
 "value": "Mandiant UNC3944 September 14 2023"
 },
+ {
+ "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-02T00:00:00Z",
+ "date_published": "2023-09-14T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware"
+ ],
+ "source": "MITRE",
+ "title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety"
+ },
+ "related": [],
+ "uuid": "3a310dbd-4b5c-5eaf-a4ce-699e52007c9b",
+ "value": "Mandiant UNC3944 SMS Phishing 2023"
+ },
+ {
+ "description": "Stack Overflow. (n.d.). Why do I see an \"Electron Security Warning\" after updating my Electron project to the latest version?. Retrieved March 7, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-07T00:00:00Z",
+ "refs": [
+ "https://stackoverflow.com/questions/48854265/why-do-i-see-an-electron-security-warning-after-updating-my-electron-project-t"
+ ],
+ "source": "MITRE",
+ "title": "Why do I see an \"Electron Security Warning\" after updating my Electron project to the latest version?"
+ },
+ "related": [],
+ "uuid": "8ec05b76-ec57-5173-9e1e-cf4131d7bd51",
+ "value": "Electron Security 2"
+ },
 {
 "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.",
 "meta": {
@@ -56184,6 +59558,21 @@
 "uuid": "969ad6de-9415-464d-ba52-2e61e1814a92",
 "value": "Crowdstrike DNS Hijack 2019"
 },
+ {
+ "description": "Microsoft Threat Intelligence. (2020, December 10). Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers. Retrieved February 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-26T00:00:00Z",
+ "date_published": "2020-12-10T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/"
+ ],
+ "source": "MITRE",
+ "title": "Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers"
+ },
+ "related": [],
+ "uuid": "48afb730-b5e1-5a85-bb60-9ef9b536e397",
+ "value": "Browser Adrozek"
+ },
 {
 "description": "Geeks for Geeks. (n.d.). Wi-Fi Password of All Connected Networks in Windows/Linux. Retrieved September 8, 2023.",
 "meta": {
@@ -56579,21 +59968,6 @@
 "uuid": "20ec94d1-4a5c-43f5-bb65-f3ea965d2b6e",
 "value": "TechNet PowerShell"
 },
- {
- "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.",
- "meta": {
- "date_accessed": "2018-08-10T00:00:00Z",
- "date_published": "2018-01-26T00:00:00Z",
- "refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
- ],
- "source": "MITRE",
- "title": "Windows Privilege Escalation Guide"
- },
- "related": [],
- "uuid": "185154f2-5f2e-48bf-b609-991e9d6a037b",
- "value": "Windows Privilege Escalation Guide"
- },
 {
 "description": "McFarland, R. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.",
 "meta": {
@@ -56609,6 +59983,21 @@
 "uuid": "c52945dc-eb20-4e69-8f8e-a262f33c244c",
 "value": "SploitSpren Windows Priv Jan 2018"
 },
+ {
+ "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.",
+ "meta": {
+ "date_accessed": "2018-08-10T00:00:00Z",
+ "date_published": "2018-01-26T00:00:00Z",
+ "refs": [
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
+ ],
+ "source": "MITRE",
+ "title": "Windows Privilege Escalation Guide"
+ },
+ "related": [],
+ "uuid": "185154f2-5f2e-48bf-b609-991e9d6a037b",
+ "value": "Windows Privilege Escalation Guide"
+ },
 {
 "description": "HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted Services. Retrieved August 10, 2018.",
 "meta": {
@@ -57205,6 +60594,20 @@
 "uuid": "43bebdc3-3072-4a3d-a0b7-0b23f1119136",
 "value": "Wlrmdr.exe - LOLBAS Project"
 },
+ {
+ "description": "Microsoft. (2023, March 7). Retrieved February 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-13T00:00:00Z",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page?redirectedfrom=MSDN"
+ ],
+ "source": "MITRE",
+ "title": "WMI 1-3"
+ },
+ "related": [],
+ "uuid": "fe0a3b0c-8526-5a0d-acb8-660bbc0c9328",
+ "value": "WMI 1-3"
+ },
 {
 "description": "Microsoft. (2018, May 31). WMI Architecture. Retrieved September 29, 2021.",
 "meta": {
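Review bot: The "WMI 1-3" entry's description states a publication date, "(2023, March 7)", but its `meta` carries only `date_accessed` and no `date_published`, unlike every other dated entry in this diff (the "WMIC Deprecation" entry in the next hunk has both); add `"date_published": "2023-03-07T00:00:00Z",` after `date_accessed` so the structured field and the citation text agree. The ref URL also carries the `?redirectedfrom=MSDN` query parameter, which marks a redirect from the old MSDN address rather than identifying the page, so the canonical `https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page` is presumably the better value to store. Both are inherited from the upstream MITRE feed, so the correction is only durable if it is also made there.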
@@ -57220,6 +60623,21 @@
 "uuid": "3778449c-e8b4-4ee5-914b-746053e8ca70",
 "value": "Microsoft WMI Architecture"
 },
+ {
+ "description": "Microsoft. (2024, January 26). WMIC Deprecation. Retrieved February 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-13T00:00:00Z",
+ "date_published": "2024-01-26T00:00:00Z",
+ "refs": [
+ "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242"
+ ],
+ "source": "MITRE",
+ "title": "WMIC Deprecation"
+ },
+ "related": [],
+ "uuid": "819cecb2-5bd3-5c20-bbda-372516b00d6e",
+ "value": "WMI 7,8"
+ },
 {
 "description": "LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.",
 "meta": {
@@ -57310,6 +60728,20 @@
 "uuid": "dd3f98d9-0228-45a6-9e7b-1babf911a9ac",
 "value": "AppInit Registry"
 },
+ {
+ "description": "Kubernetes. (n.d.). Workload Management. Retrieved March 28, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-28T00:00:00Z",
+ "refs": [
+ "https://kubernetes.io/docs/concepts/workloads/controllers/"
+ ],
+ "source": "MITRE",
+ "title": "Workload Management"
+ },
+ "related": [],
+ "uuid": "f207163b-08a8-5219-aca8-812e83e0dad3",
+ "value": "Kubernetes Workload Management"
+ },
 {
 "description": "Patrick Wardle. (2019, September 17). Writing a File Monitor with Apple's Endpoint Security Framework. Retrieved December 17, 2020.",
 "meta": {
@@ -57447,8 +60879,8 @@
 "title": "XAgentOSX: Sofacy's Xagent macOS Tool"
 },
 "related": [],
- "uuid": "b4fd246d-9bd1-4bed-a9cb-92233c5c45c4",
- "value": "XAgentOSX"
+ "uuid": "2dc7a8f1-ccee-46f0-a995-268694f11b02",
+ "value": "XAgentOSX 2017"
 },
 {
 "description": "Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.",
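Review bot: The last hunk on this line and the first hunk on the next (`@@ -57462,8 +60894,8 @@`) swap `uuid` and `value` between two entries that share the title "XAgentOSX: Sofacy's Xagent macOS Tool", so uuid b4fd246d-9bd1-4bed-a9cb-92233c5c45c4 is now paired with the "Robert Falcone. (2017, February 14)" description and 2dc7a8f1-ccee-46f0-a995-268694f11b02 with the entry above it. In this galaxy the uuid is the stable key other clusters link by (the `https://app.tidalcyber.com/references/<uuid>` links in the tidal-software descriptions further down), so re-pairing uuids with different description blocks silently changes what those links resolve to unless the two descriptions are identical, which cannot be confirmed from the hunk because each entry's description starts above it. If the intent was only to change sort order, keeping each uuid with its own entry and moving the whole entries instead would preserve link targets; otherwise a short note in the commit message that the swap is deliberate would save the next reviewer the same question.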
@@ -57462,8 +60894,8 @@
 "title": "XAgentOSX: Sofacy's Xagent macOS Tool"
 },
 "related": [],
- "uuid": "2dc7a8f1-ccee-46f0-a995-268694f11b02",
- "value": "XAgentOSX 2017"
+ "uuid": "b4fd246d-9bd1-4bed-a9cb-92233c5c45c4",
+ "value": "XAgentOSX"
 },
 {
 "description": "Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.",
@@ -57615,6 +61047,21 @@
 "uuid": "615d7744-327e-4f14-bce0-a16c352e7486",
 "value": "Linux kernel Yama"
 },
+ {
+ "description": "PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-29T00:00:00Z",
+ "date_published": "2023-10-25T00:00:00Z",
+ "refs": [
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html"
+ ],
+ "source": "MITRE",
+ "title": "Yellow Liderc ships its scripts and delivers IMAPLoader malware"
+ },
+ "related": [],
+ "uuid": "b6544ea7-befa-53ae-95fa-5c227c848c46",
+ "value": "PwC Yellow Liderc"
+ },
 {
 "description": "Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.",
 "meta": {
diff --git a/clusters/tidal-software.json b/clusters/tidal-software.json
index f89ce43..2325240 100644
--- a/clusters/tidal-software.json
+++ b/clusters/tidal-software.json
@@ -198,6 +198,31 @@
 "uuid": "6bc29df2-195e-410c-ad08-f3661575492f",
 "value": "AccountRestore"
 },
+ {
+ "description": "[AcidRain](https://app.tidalcyber.com/software/cf465790-3d6d-5767-bb8c-63a429f95d83) is an ELF binary targeting modems and routers using MIPS architecture.[[AcidRain JAGS 2022](https://app.tidalcyber.com/references/bd4a7b2e-a387-5e1b-9d9e-52464a8e25c9)] [AcidRain](https://app.tidalcyber.com/software/cf465790-3d6d-5767-bb8c-63a429f95d83) is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666).[[AcidRain JAGS 2022](https://app.tidalcyber.com/references/bd4a7b2e-a387-5e1b-9d9e-52464a8e25c9)] US and European government sources linked [AcidRain](https://app.tidalcyber.com/software/cf465790-3d6d-5767-bb8c-63a429f95d83) to Russian government entities, while Ukrainian government sources linked [AcidRain](https://app.tidalcyber.com/software/cf465790-3d6d-5767-bb8c-63a429f95d83) specifically to [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666).[[AcidRain State Department 2022](https://app.tidalcyber.com/references/9d514c52-9def-5b11-aa06-fdf3ee9923ed)][[Vincens AcidPour 2024](https://app.tidalcyber.com/references/742c8a5c-21e5-58d8-a90d-f4c186c0699a)]",
+ "meta": {
+ "platforms": [
+ "Network",
+ "Linux"
+ ],
+ "software_attack_id": "S1125",
+ "source": "MITRE",
+ "tags": [
+ "b20e7912-6a8d-46e3-8e13-9a3fc4813852"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "cf465790-3d6d-5767-bb8c-63a429f95d83",
+ "value": "AcidRain"
+ },
 {
 "description": "[Action RAT](https://app.tidalcyber.com/software/202781a3-d481-4984-9e5a-31caafc20135) is a remote access tool written in Delphi that has been used by [SideCopy](https://app.tidalcyber.com/groups/31bc763e-623f-4870-9780-86e43d732594) since at least December 2021 against Indian and Afghani government personnel.[[MalwareBytes SideCopy Dec 2021](https://app.tidalcyber.com/references/466569a7-1ef8-4824-bd9c-d25301184ea4)]",
 "meta": {
@@ -270,6 +295,9 @@
 "software_attack_id": "S0552",
 "source": "MITRE",
 "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
 "3a633b73-9c2c-4293-8577-fb97be0cda37",
@@ -287,38 +315,38 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
 },
- {
- "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
- "type": "used-by"
- },
- {
- "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
- "type": "used-by"
- },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
 },
 {
- "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
- "type": "used-by"
- },
- {
- "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
+ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
 "type": "used-by"
 },
 {
 "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331",
 "type": "used-by"
@@ -327,6 +355,10 @@
 "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
@@ -394,6 +426,9 @@
 "software_attack_id": "S5024",
 "source": "Tidal Cyber",
 "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "cd1b5d44-226e-4405-8985-800492cf2865",
 "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
@@ -411,6 +446,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -620,17 +659,47 @@
 },
 "related": [
 {
- "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba",
+ "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
 "type": "used-by"
 },
 {
- "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
+ "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba",
 "type": "used-by"
 }
 ],
 "uuid": "304650b1-a0b5-460c-9210-23a5b53815a4",
 "value": "Agent Tesla"
 },
+ {
+ "description": "[Akira](https://app.tidalcyber.com/software/96ae0e1e-975a-5e11-adbe-c79ee17cee11) ransomware, written in C++, is most prominently (but not exclusively) associated with the a ransomware-as-a-service entity [Akira](https://app.tidalcyber.com/groups/923f478c-7ad1-516f-986d-61f96b9c553e).[[Kersten Akira 2023](https://app.tidalcyber.com/references/df191993-a2cb-5d26-960c-11d1c6d3d73b)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1129",
+ "source": "MITRE",
+ "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "96ae0e1e-975a-5e11-adbe-c79ee17cee11",
+ "value": "Akira"
+ },
 {
 "description": "A ransomware binary designed to encrypt victim files. More details about the TTPs typically observed during Akira ransomware attacks can be found in the associated Group object, \"Akira Ransomware Actors\".",
 "meta": {
@@ -702,7 +771,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
+ "type": "used-by"
+ }
+ ],
 "uuid": "9521c535-1043-4b82-ba5d-e5eaeca500ee",
 "value": "Anchor"
 },
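Review bot: The added Akira entry's description contains a doubled article, `associated with the a ransomware-as-a-service entity`; this string is rendered to analysts as-is, so it should read `associated with the ransomware-as-a-service entity`. The entry is tagged `"source": "MITRE"`, so the wording is presumably inherited from the upstream feed and will be reintroduced on the next regeneration unless it is corrected there as well. The same hunk also adds a second Akira software object next to the existing Tidal "ransomware binary" entry that follows it; a `related` link between the two, or a sentence in one description pointing at the other, would keep consumers from treating them as unrelated families.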
@@ -765,6 +839,9 @@
 "software_attack_id": "S5007",
 "source": "Tidal Cyber",
 "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
 "fb06d216-f535-45c1-993a-8c1b7aa2111c",
@@ -795,6 +872,10 @@
 "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -958,11 +1039,11 @@
 },
 "related": [
 {
- "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e",
+ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
 "type": "used-by"
 },
 {
- "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
+ "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e",
 "type": "used-by"
 },
 {
@@ -970,11 +1051,11 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
+ "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
 "type": "used-by"
 },
 {
- "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
+ "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "type": "used-by"
 }
 ],
@@ -1018,6 +1099,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b",
 "type": "used-by"
@@ -1026,10 +1111,6 @@
 "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
 "type": "used-by"
 },
- {
- "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
- "type": "used-by"
- },
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
@@ -1075,11 +1156,11 @@
 },
 "related": [
 {
- "dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267",
+ "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
 "type": "used-by"
 },
 {
- "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
+ "dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267",
 "type": "used-by"
 }
 ],
@@ -1106,6 +1187,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
 "type": "used-by"
@@ -1113,10 +1198,6 @@
 {
 "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
 "type": "used-by"
- },
- {
- "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
- "type": "used-by"
 }
 ],
 "uuid": "af01dc7b-a2bc-4fda-bbfe-d2be889c2860",
@@ -1542,6 +1623,9 @@
 "software_attack_id": "S5026",
 "source": "Tidal Cyber",
 "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
 "d469efcf-4feb-4149-9c0f-c4b7821960bd",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb",
@@ -1560,6 +1644,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -1819,11 +1907,11 @@
 },
 "related": [
 {
- "dest-uuid": "396a4361-3e84-47bc-9544-58e287c05799",
+ "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
 "type": "used-by"
 },
 {
- "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
+ "dest-uuid": "396a4361-3e84-47bc-9544-58e287c05799",
 "type": "used-by"
 },
 {
@@ -1889,7 +1977,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
+ "type": "used-by"
+ }
+ ],
 "uuid": "a114a498-fcfd-4e0a-9d1e-e26750d71af8",
 "value": "BendyBear"
 },
@@ -2020,6 +2113,10 @@
 "software_attack_id": "S0190",
 "source": "MITRE",
 "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "fdd53e62-5bf1-41f1-8bd6-b970a866c39d",
 "d431939f-2dc0-410b-83f7-86c458125444",
@@ -2036,6 +2133,14 @@
 "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
 "type": "used-by"
@@ -2051,10 +2156,6 @@
 {
 "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
- },
- {
- "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
- "type": "used-by"
 }
 ],
 "uuid": "52a20d3d-1edd-4f17-87f0-b77c67d260b4",
@@ -2069,6 +2170,10 @@
 "software_attack_id": "S1070",
 "source": "MITRE",
 "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "fdd53e62-5bf1-41f1-8bd6-b970a866c39d",
 "d431939f-2dc0-410b-83f7-86c458125444",
@@ -2081,7 +2186,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
+ "type": "used-by"
+ }
+ ],
 "uuid": "0d5b24ba-68dc-50fa-8268-3012180fe374",
 "value": "Black Basta"
 },
@@ -2106,6 +2216,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
 "type": "used-by"
@@ -2135,6 +2249,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "5f083251-f5dc-459a-abfc-47a1aa7f5094",
 "type": "used-by"
@@ -2142,10 +2260,6 @@
 {
 "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
 "type": "used-by"
- },
- {
- "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
- "type": "used-by"
 }
 ],
 "uuid": "e85e2fca-9347-4448-bfc1-342f29d5d6a1",
@@ -2242,22 +2356,14 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
 "type": "used-by"
 },
- {
- "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
- "type": "used-by"
- },
- {
- "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
- "type": "used-by"
- },
- {
- "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
- "type": "used-by"
- },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -2279,7 +2385,15 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
+ "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
 "type": "used-by"
 }
 ],
@@ -2611,6 +2725,22 @@
 "uuid": "e9873bf1-9619-4c62-b4cf-1009e83de186",
 "value": "Bundlore"
 },
+ {
+ "description": "[BUSHWALK](https://app.tidalcyber.com/software/44ed9567-2cb6-590e-b332-154557fb93f9) is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b).[[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)][[Mandiant Cutting Edge Part 3 February 2024](https://app.tidalcyber.com/references/49e5b125-5503-5cb0-9a56-a93f82b55753)]",
+ "meta": {
+ "platforms": [
+ "Network"
+ ],
+ "software_attack_id": "S1118",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "44ed9567-2cb6-590e-b332-154557fb93f9",
+ "value": "BUSHWALK"
+ },
 {
 "description": "[Cachedump](https://app.tidalcyber.com/software/7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc) is a publicly-available tool that program extracts cached password hashes from a system’s registry. [[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]",
 "meta": {
@@ -3066,12 +3196,32 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
 },
 {
- "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
+ "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
 "type": "used-by"
 },
 {
@@ -3086,26 +3236,6 @@
 "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c",
 "type": "used-by"
 },
- {
- "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e",
- "type": "used-by"
- },
- {
- "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
- "type": "used-by"
- },
- {
- "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
- "type": "used-by"
- },
- {
- "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
- "type": "used-by"
- },
- {
- "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
- "type": "used-by"
- },
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
@@ -3202,6 +3332,27 @@
 "uuid": "3f2283ef-67c2-49a3-98ac-1aa9f0499361",
 "value": "ChChes"
 },
+ {
+ "description": "[Cheerscrypt](https://app.tidalcyber.com/software/6475bc8c-b95d-5cb3-92f0-aa7e2f18859a) is a ransomware that was developed by [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) and has been used in attacks against ESXi and Windows environments since at least 2022. [Cheerscrypt](https://app.tidalcyber.com/software/6475bc8c-b95d-5cb3-92f0-aa7e2f18859a) was derived from the leaked [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1).[[Sygnia Emperor Dragonfly October 2022](https://app.tidalcyber.com/references/f9e40a71-c963-53de-9266-13f9f326c5bf)][[Trend Micro Cheerscrypt May 2022](https://app.tidalcyber.com/references/ca7ccf2c-37f3-522a-acfb-09daa16e23d8)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1096",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "6475bc8c-b95d-5cb3-92f0-aa7e2f18859a",
+ "value": "Cheerscrypt"
+ },
 {
 "description": "[Cherry Picker](https://app.tidalcyber.com/software/2fd6f564-918e-4ee7-920a-2b4be858d11a) is a point of sale (PoS) memory scraper. [[Trustwave Cherry Picker](https://app.tidalcyber.com/references/e09f639e-bdd3-4e88-8032-f665e347272b)]",
 "meta": {
@@ -3235,14 +3386,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
- "type": "used-by"
- },
- {
- "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
- "type": "used-by"
- },
 {
 "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
 "type": "used-by"
@@ -3252,13 +3395,25 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
+ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
 "type": "used-by"
 },
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d",
 "type": "used-by"
@@ -3565,6 +3720,10 @@
 "dest-uuid": "5f8c6ee0-f302-403b-b712-f1e3df064c0c",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
 "type": "used-by"
@@ -3577,14 +3736,6 @@
 "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e",
 "type": "used-by"
 },
- {
- "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
- "type": "used-by"
- },
- {
- "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7",
- "type": "used-by"
- },
 {
 "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9",
 "type": "used-by"
@@ -3688,6 +3839,10 @@
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
+ "type": "used-by"
 }
 ],
 "uuid": "98d89476-63ec-4baf-b2b3-86c52170f5d8",
@@ -3769,6 +3924,23 @@ "uuid": "6f848e15-5234-4445-9a05-2949e4c57f0b", "value": "Cmstp" }, + { + "description": "[COATHANGER](https://app.tidalcyber.com/software/fbd3f71a-e123-5527-908c-9e7ea0d646e8) is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, [COATHANGER](https://app.tidalcyber.com/software/fbd3f71a-e123-5527-908c-9e7ea0d646e8) was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. [COATHANGER](https://app.tidalcyber.com/software/fbd3f71a-e123-5527-908c-9e7ea0d646e8) is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name [COATHANGER](https://app.tidalcyber.com/software/fbd3f71a-e123-5527-908c-9e7ea0d646e8) is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.[[NCSC-NL COATHANGER Feb 2024](https://app.tidalcyber.com/references/e8e60112-a08d-5316-b80f-f601e7e5c973)]", + "meta": { + "platforms": [ + "Network", + "Linux" + ], + "software_attack_id": "S1105", + "source": "MITRE", + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "fbd3f71a-e123-5527-908c-9e7ea0d646e8", + "value": "COATHANGER" + }, { "description": "[Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. 
Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[[cobaltstrike manual](https://app.tidalcyber.com/references/43277d05-0aa4-4cee-ac41-6f03a49851a9)]\n\nIn addition to its own capabilities, [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://app.tidalcyber.com/software/b8e7c0b4-49e4-4e8d-9467-b17f305ddf16).[[cobaltstrike manual](https://app.tidalcyber.com/references/43277d05-0aa4-4cee-ac41-6f03a49851a9)]",
 "meta": {
@@ -3780,6 +3952,9 @@
 "software_attack_id": "S0154",
 "source": "MITRE",
 "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "fdd53e62-5bf1-41f1-8bd6-b970a866c39d",
 "d431939f-2dc0-410b-83f7-86c458125444",
@@ -3794,6 +3969,22 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786",
 "type": "used-by"
@@ -3807,23 +3998,7 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
- "type": "used-by"
- },
- {
- "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a",
- "type": "used-by"
- },
- {
- "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
- "type": "used-by"
- },
- {
- "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
- "type": "used-by"
- },
- {
- "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
 "type": "used-by"
 },
 {
@@ -3843,15 +4018,7 @@ "type": "used-by" }, { - "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", - "type": "used-by" - }, - { - "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", - "type": "used-by" - }, - { - "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { @@ -3859,21 +4026,17 @@ "type": "used-by" }, { - "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", - "type": "used-by" - }, - { - "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", - "type": "used-by" - }, - { - "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", + "dest-uuid": "0898e7cb-118e-5eeb-b856-04e56ed18182", "type": "used-by" }, { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" @@ -3883,17 +4046,45 @@ "type": "used-by" }, { - "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", + "type": "used-by" + }, + { + "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, + { + "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", + "type": "used-by" + }, + { + "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "type": "used-by" + }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, + { + "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "type": "used-by" + }, + { + "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", + "type": "used-by" + }, + { + "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", + "type": "used-by" + }, + { + "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a", + "type": "used-by" + }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" 
@@ -4166,6 +4357,9 @@
 "software_attack_id": "S0591",
 "source": "MITRE",
 "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "fdd53e62-5bf1-41f1-8bd6-b970a866c39d",
 "d431939f-2dc0-410b-83f7-86c458125444",
@@ -4186,13 +4380,17 @@
 },
 "related": [
 {
- "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
+ "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
 "type": "used-by"
 },
 {
 "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -4437,7 +4635,7 @@
 },
 "related": [
 {
- "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
+ "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
 "type": "used-by"
 },
 {
@@ -4445,16 +4643,16 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
- "type": "used-by"
- },
- {
- "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
+ "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
 "type": "used-by"
 },
 {
 "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
+ "type": "used-by"
 }
 ],
 "uuid": "47e710b4-1397-47cf-a979-20891192f313",
@@ -4873,11 +5071,11 @@
 },
 "related": [
 {
- "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba",
+ "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b",
 "type": "used-by"
 },
 {
- "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b",
+ "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba",
 "type": "used-by"
 },
 {
@@ -4888,6 +5086,30 @@ "uuid": "74f88899-56d0-4de8-97de-539b3590ab90", "value": "DarkComet" }, + { + "description": "[DarkGate](https://app.tidalcyber.com/software/39d81c48-8f7c-54cb-8fac-485598e31a55) first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named \"DarkGate\" by its author, [DarkGate](https://app.tidalcyber.com/software/39d81c48-8f7c-54cb-8fac-485598e31a55) is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[[Ensilo Darkgate 2018](https://app.tidalcyber.com/references/31796564-4154-54c0-958a-7d6802dfefad)] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[[Trellix Darkgate 2023](https://app.tidalcyber.com/references/83fb92d8-1245-5d68-b9f2-0915c10401c6)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1111", + "source": "MITRE", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", + "type": "used-by" + } + ], + "uuid": "39d81c48-8f7c-54cb-8fac-485598e31a55", + "value": "DarkGate" + }, { "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nDarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. 
Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[[Bleeping Computer DarkGate October 14 2023](/references/313e5558-d8f9-4457-9004-810d9fa5340c)] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[[DarkGate Loader delivered via Teams - Truesec](/references/4222a06f-9528-4076-8037-a27012c2930c)][[Trend Micro DarkGate October 12 2023](/references/81650f5b-628b-4e76-80d6-2c15cf70d37a)]", "meta": { 
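Review bot: The entry added in this hunk carries `"value": "DarkGate"` and is immediately followed by a pre-existing entry whose description also covers DarkGate (the commodity-downloader text with the "Operationalize this intelligence" preamble); if that entry's `value` is also `DarkGate`, the cluster will hold two elements with the same value under different uuids, which consumers that key on value rather than uuid will not tell apart. That second entry's `value` and `related` lie outside the hunk, so this needs confirming against the file. If it is a duplicate, either merge the two records or make the values distinct, e.g. by appending the source to one of them; as it stands the new MITRE entry attributes DarkGate only to `28f3dbcc-b248-442f-9ff3-234210bb2f2a`, and the two records may also disagree on attribution.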
@@ -5433,7 +5655,7 @@
 "value": "Diantz"
 },
 {
- "description": "[Diavol](https://app.tidalcyber.com/software/d057b6e7-1de4-4f2f-b374-7e879caecd67) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. [Diavol](https://app.tidalcyber.com/software/d057b6e7-1de4-4f2f-b374-7e879caecd67) has been deployed by [Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac) and is thought to have potential ties to [Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8).[[Fortinet Diavol July 2021](https://app.tidalcyber.com/references/28c650f2-8ce8-4c78-ab4a-cae56c1548ed)][[FBI Flash Diavol January 2022](https://app.tidalcyber.com/references/a1691741-9ecd-4b20-8cc9-b9bdfc1592b5)][[DFIR Diavol Ransomware December 2021](https://app.tidalcyber.com/references/eb89f18d-684c-4220-b2a8-967f1f8f9162)]",
+ "description": "[Diavol](https://app.tidalcyber.com/software/d057b6e7-1de4-4f2f-b374-7e879caecd67) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. 
The [Diavol](https://app.tidalcyber.com/software/d057b6e7-1de4-4f2f-b374-7e879caecd67) Ransomware-as-a Service (RaaS) program is managed by [Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8) and it has been observed being deployed by [Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac).[[Fortinet Diavol July 2021](https://app.tidalcyber.com/references/28c650f2-8ce8-4c78-ab4a-cae56c1548ed)][[FBI Flash Diavol January 2022](https://app.tidalcyber.com/references/a1691741-9ecd-4b20-8cc9-b9bdfc1592b5)][[DFIR Diavol Ransomware December 2021](https://app.tidalcyber.com/references/eb89f18d-684c-4220-b2a8-967f1f8f9162)][[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)]",
 "meta": {
 "platforms": [
 "Windows"
@@ -5448,7 +5670,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
+ "type": "used-by"
+ }
+ ],
 "uuid": "d057b6e7-1de4-4f2f-b374-7e879caecd67",
 "value": "Diavol"
 },
@@ -6331,16 +6558,16 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "type": "used-by"
 },
 {
- "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091",
- "type": "used-by"
- },
- {
- "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa",
+ "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50",
 "type": "used-by"
 },
 {
@@ -6348,19 +6575,15 @@ "type": "used-by" }, { - "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { - "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" }, { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, - { - "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", "type": "used-by" }, { @@ -6368,7 +6591,19 @@ "type": "used-by" }, { - "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" + }, + { + "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", + "type": "used-by" + }, + { + "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "type": "used-by" + }, + { + "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, { @@ -6384,20 +6619,12 @@ "type": "used-by" }, { - "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", + "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" }, { "dest-uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533", "type": "used-by" - }, - { - "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", - "type": "used-by" - }, - { - "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", - "type": "used-by" } ], "uuid": "fea655ac-558f-4dd0-867f-9a5553626207", @@ -6987,6 +7214,9 @@ "software_attack_id": "S5031", "source": "Tidal Cyber", "tags": [ + "c5a258ce-9045-48d9-b254-ec2bf6437bb5", + "cc4ea215-87ce-4351-9579-cf527caf5992", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "8bf128ad-288b-41bc-904f-093f4fdde745", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -7004,6 +7234,10 @@ ] }, "related": [ + { + "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" 
@@ -7222,11 +7456,11 @@
 },
 "related": [
 {
- "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
+ "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
 "type": "used-by"
 },
 {
- "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
+ "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
 "type": "used-by"
 }
 ],
@@ -7374,17 +7608,33 @@
 },
 "related": [
 {
- "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
+ "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "type": "used-by"
 },
 {
- "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
+ "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
 }
 ],
 "uuid": "c6dc67a6-587d-4700-a7de-bee043a0031a",
 "value": "Forfiles"
 },
+ {
+ "description": "[FRAMESTING](https://app.tidalcyber.com/software/83721b89-df58-50bf-be2a-0b696fb0da78) is a Python web shell that was used during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to embed into an Ivanti Connect Secure Python package for command execution.[[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)]",
+ "meta": {
+ "platforms": [
+ "Network"
+ ],
+ "software_attack_id": "S1120",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "83721b89-df58-50bf-be2a-0b696fb0da78",
+ "value": "FRAMESTING"
+ },
 {
 "description": "[FrameworkPOS](https://app.tidalcyber.com/software/aef7cbbc-5163-419c-8e4b-3f73bed50474) is a point of sale (POS) malware used by [FIN6](https://app.tidalcyber.com/groups/fcaadc12-7c17-4946-a9dc-976ed610854c) to steal payment card data from sytems that run physical POS devices.[[SentinelOne FrameworkPOS September 2019](https://app.tidalcyber.com/references/054d7827-3d0c-40a7-b2a0-1428ad7729ea)]",
 "meta": {
@@ -7559,11 +7809,11 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
 "type": "used-by"
 },
 {
- "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
 "type": "used-by"
 },
 {
@@ -7762,13 +8012,29 @@
 },
 "related": [
 {
- "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3",
+ "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46",
 "type": "used-by"
 },
 {
 "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
 "type": "used-by"
@@ -7778,29 +8044,33 @@ "type": "used-by" }, { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", - "type": "used-by" - }, - { - "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", - "type": "used-by" - }, - { - "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", + "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", - "type": "used-by" } ], "uuid": "269ef8f5-35c8-44ba-afe4-63f4c6431427", "value": "gh0st RAT" }, + { + "description": "[GLASSTOKEN](https://app.tidalcyber.com/software/5c1a1ce5-927c-5c79-8a14-2789756d41ee) is a custom web shell used by threat actors during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to execute commands on compromised Ivanti Secure Connect VPNs.[[Volexity Ivanti Zero-Day Exploitation January 2024](https://app.tidalcyber.com/references/93eda380-ea21-59e0-97e8-5bec1f9a0e71)]", + "meta": { + "platforms": [ + "Network" + ], + "software_attack_id": "S1117", + "source": "MITRE", + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "5c1a1ce5-927c-5c79-8a14-2789756d41ee", + "value": "GLASSTOKEN" + }, { "description": "[GLOOXMAIL](https://app.tidalcyber.com/software/09fdec78-5253-433d-8680-294ba6847be9) is malware used by [APT1](https://app.tidalcyber.com/groups/5307bba1-2674-4fbd-bfd5-1db1ae06fc5f) that mimics legitimate Jabber/XMPP traffic. [[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]", "meta": { @@ -8184,16 +8454,12 @@ ] }, "related": [ - { - "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", - "type": "used-by" - }, { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { 
@@ -8203,6 +8469,10 @@ { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" + }, + { + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "type": "used-by" } ], "uuid": "5ffe662f-9da1-4b6f-ad3a-f296383e828c", @@ -8786,11 +9056,11 @@ }, "related": [ { - "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", + "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { - "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", + "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" } ], 
@@ -8818,6 +9088,31 @@ "uuid": "bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49", "value": "httpclient" }, + { + "description": "[HUI Loader](https://app.tidalcyber.com/software/2df88e4e-5a89-5535-ae1a-4c68b19d9078) is a custom DLL loader that has been used since at least 2015 by China-based threat groups including [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) and [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) to deploy malware on compromised hosts. [HUI Loader](https://app.tidalcyber.com/software/2df88e4e-5a89-5535-ae1a-4c68b19d9078) has been observed in campaigns loading [SodaMaster](https://app.tidalcyber.com/software/6ecd970c-427b-4421-a831-69f46047d22a), [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10), [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), [Komplex](https://app.tidalcyber.com/software/2cf1be0d-2fba-4fd0-ab2f-3695716d1735), and several strains of ransomware.[[SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022](https://app.tidalcyber.com/references/0b275cf9-a885-58cc-b859-112090a711e3)]", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1097", + "source": "MITRE", + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", + "type": "used-by" + }, + { + "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", + "type": "used-by" + } + ], + "uuid": "2df88e4e-5a89-5535-ae1a-4c68b19d9078", + "value": "HUI Loader" + }, { "description": "[Hydraq](https://app.tidalcyber.com/software/4ffbca79-358a-4ba5-bfbb-dc1694c45646) is a data-theft trojan first used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including 
[APT17](https://app.tidalcyber.com/groups/5f083251-f5dc-459a-abfc-47a1aa7f5094).[[MicroFocus 9002 Aug 2016](https://app.tidalcyber.com/references/a4d6bdd1-e70c-491b-a569-72708095c809)][[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)][[Symantec Trojan.Hydraq Jan 2010](https://app.tidalcyber.com/references/10bed842-400f-4276-972d-5fca794ea778)][[ASERT Seven Pointed Dagger Aug 2015](https://app.tidalcyber.com/references/a8f323c7-82bc-46e6-bd6c-0b631abc644a)][[FireEye DeputyDog 9002 November 2013](https://app.tidalcyber.com/references/68b5a913-b696-4ca5-89ed-63453023d2a2)][[ProofPoint GoT 9002 Aug 2017](https://app.tidalcyber.com/references/b796f889-400c-440b-86b2-1588fd15f3ae)][[FireEye Sunshop Campaign May 2013](https://app.tidalcyber.com/references/ec246c7a-3396-46f9-acc4-a100cb5e5fe6)][[PaloAlto 3102 Sept 2015](https://app.tidalcyber.com/references/db340043-43a7-4b16-a570-92a0d879b2bf)]", "meta": { @@ -9182,10 +9477,18 @@ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, + { + "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", + "type": "used-by" + }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -9195,7 +9498,7 @@ "type": "used-by" }, { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { 
@@ -9203,23 +9506,23 @@ "type": "used-by" }, { - "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" }, + { + "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "type": "used-by" + }, { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { - "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", - "type": "used-by" - }, - { - "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", + "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" }, { @@ -9230,10 +9533,6 @@ "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, - { - "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", - "type": "used-by" - }, { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" @@ -9483,11 +9782,7 @@ "type": "used-by" }, { - "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", - "type": "used-by" - }, - { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { @@ -9499,15 +9794,7 @@ "type": "used-by" }, { - "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", - "type": "used-by" - }, - { - "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", - "type": "used-by" - }, - { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { @@ -9538,6 +9825,18 @@ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, + { + "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", + "type": "used-by" + }, + { + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", + "type": "used-by" + }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" 
@@ -9625,6 +9924,7 @@
 "software_attack_id": "S5061",
 "source": "Tidal Cyber",
 "tags": [
+ "b20e7912-6a8d-46e3-8e13-9a3fc4813852",
 "af5e9be5-b86e-47af-91dd-966a5e34a186",
 "15787198-6c8b-4f79-bf50-258d55072fee",
 "f01290d9-7160-44cb-949f-ee4947d04b6f",
@@ -10124,11 +10424,11 @@
 },
 "related": [
 {
- "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
+ "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091",
 "type": "used-by"
 },
 {
- "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091",
+ "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
 "type": "used-by"
 },
 {
@@ -10263,7 +10563,7 @@
 "value": "KOPILUWAK"
 },
 {
- "description": "[Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3) is a backdoor Trojan used by [Orangeworm](https://app.tidalcyber.com/groups/863b7013-133d-4a82-93d2-51b53a8fd30e). It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. [[Symantec Orangeworm April 2018](https://app.tidalcyber.com/references/eee5efa1-bbc6-44eb-8fae-23002f351605)]",
+ "description": "[Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3) is a backdoor Trojan used by [Orangeworm](https://app.tidalcyber.com/groups/863b7013-133d-4a82-93d2-51b53a8fd30e). [Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3) has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.[[Symantec Orangeworm April 2018](https://app.tidalcyber.com/references/eee5efa1-bbc6-44eb-8fae-23002f351605)] [Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3) has multiple technical overlaps with [Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) based on reverse engineering analysis.[[Cylera Kwampirs 2022](https://app.tidalcyber.com/references/06442111-2c71-5efb-9530-cabeba159a91)]",
 "meta": {
 "platforms": [
 "Windows"
@@ -10316,6 +10616,8 @@
 "software_attack_id": "S0349",
 "source": "MITRE",
 "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
 "d819ae1a-e385-49fd-88d5-f66660729ecb",
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -10339,10 +10641,18 @@
 "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937",
 "type": "used-by"
@@ -10352,23 +10662,23 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9",
+ "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd",
 "type": "used-by"
 },
 {
 "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b",
 "type": "used-by"
 },
 {
- "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd",
- "type": "used-by"
- },
- {
- "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
+ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
 "type": "used-by"
 },
 {
@@ -10376,13 +10686,17 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331",
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
 "type": "used-by"
 },
 {
 "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c",
 "type": "used-by"
@@ -10390,10 +10704,6 @@
 {
 "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
- },
- {
- "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
- "type": "used-by"
 }
 ],
 "uuid": "f5558af4-e3e2-47c2-b8fe-72850bd30f37",
@@ -10511,6 +10821,22 @@
 "uuid": "c9d2f023-d54b-4d08-9598-a42fb92b3161",
 "value": "LightNeuron"
 },
+ {
+ "description": "[LIGHTWIRE](https://app.tidalcyber.com/software/1b3af76f-f9a1-58ce-8c7d-aec535f8d0c0) is a web shell written in Perl that was used during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to maintain access and enable command execution by imbedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.[[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)][[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)]",
+ "meta": {
+ "platforms": [
+ "Network"
+ ],
+ "software_attack_id": "S1119",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "1b3af76f-f9a1-58ce-8c7d-aec535f8d0c0",
+ "value": "LIGHTWIRE"
+ },
 {
 "description": "Ligolo is a tool used to establish SOCKS5 or TCP tunnels from a reverse connection.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]",
 "meta": {
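Review bot: The new LIGHTWIRE description names the affected product "Ivanti Secure Connect VPNs", while the LITTLELAMB.WOOLTEA entry added in hunk @@ -10636,6 +11013,22 @@ calls the same product "Ivanti Connect Secure VPNs"; the two entries describe the same Cutting Edge campaign and should name the product the same way (Ivanti Connect Secure is the vendor's name). The same string also reads "imbedding" where "embedding" is meant. If these descriptions are mirrored verbatim from the upstream MITRE text, the wording fix belongs upstream and should arrive through the next sync rather than by hand-editing this cluster.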
@@ -10550,6 +10876,57 @@
 "uuid": "3113cb05-23b4-4f90-ab7a-623b800302ce",
 "value": "Ligolo"
 },
+ {
+ "description": "Line Dancer is one of the two key tools used during the ArcaneDoor network device intrusions, serving as an in-memory implant used to upload capabilities permitting arbitrary code execution and persistence (Line Runner).[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Network"
+ ],
+ "software_attack_id": "S5284",
+ "source": "Tidal Cyber",
+ "tags": [
+ "a159c91c-5258-49ea-af7d-e803008d97d3",
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "6bb2f579-a5cd-4647-9dcd-eff05efe3679",
+ "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
+ "0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "80412b83-74e4-4bea-b05b-84b00f41db69",
+ "value": "Line Dancer"
+ },
+ {
+ "description": "Line Runner is one of the two key tools (along with Line Dancer) used during the ArcaneDoor network device intrusion. Line Runner is used to maintain persistence and execute commands on compromised devices.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Network"
+ ],
+ "software_attack_id": "S5285",
+ "source": "Tidal Cyber",
+ "tags": [
+ "a159c91c-5258-49ea-af7d-e803008d97d3",
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "c25f341a-7030-4688-a00b-6d637298e52e",
+ "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
+ "0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3",
+ "2e85babc-77cd-4455-9c6e-312223a956de"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "60bb6282-9eb8-4640-9d79-69c0c8ee0e0b",
+ "value": "Line Runner"
+ },
 {
 "description": "[Linfo](https://app.tidalcyber.com/software/925975f8-e8ff-411f-a40e-f799968046f7) is a rootkit trojan used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) to open a backdoor on compromised hosts. [[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)] [[Symantec Linfo May 2012](https://app.tidalcyber.com/references/e6b88cd4-a58e-4139-b266-48d0f5957407)]",
 "meta": {
@@ -10636,6 +11013,22 @@
 "uuid": "cc568409-71ff-468b-9c38-d0dd9020e409",
 "value": "LitePower"
 },
+ {
+ "description": "[LITTLELAMB.WOOLTEA](https://app.tidalcyber.com/software/c9c5e7ad-6e95-5d53-b4db-f6b51c7167ca) is a backdoor that was used by UNC5325 during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.[[Mandiant Cutting Edge Part 3 February 2024](https://app.tidalcyber.com/references/49e5b125-5503-5cb0-9a56-a93f82b55753)]",
+ "meta": {
+ "platforms": [
+ "Network"
+ ],
+ "software_attack_id": "S1121",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "c9c5e7ad-6e95-5d53-b4db-f6b51c7167ca",
+ "value": "LITTLELAMB.WOOLTEA"
+ },
 {
 "description": "[Lizar](https://app.tidalcyber.com/software/65d46aab-b3ce-4f5b-b1fc-871db2573fa1) is a modular remote access tool written using the .NET Framework that shares structural similarities to [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d). It has likely been used by [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) since at least February 2021.[[BiZone Lizar May 2021](https://app.tidalcyber.com/references/315f47e1-69e5-4dcb-94b2-59583e91dd26)][[Threatpost Lizar May 2021](https://app.tidalcyber.com/references/1b89f62f-586d-4dee-b6dd-e5a5cd090a0e)][[Gemini FIN7 Oct 2021](https://app.tidalcyber.com/references/bbaef178-8577-4398-8e28-604faf0950b4)]",
 "meta": {
@@ -10656,11 +11049,11 @@
 },
 "related": [
 {
- "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf",
+ "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
 "type": "used-by"
 },
 {
- "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
+ "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf",
 "type": "used-by"
 }
 ],
@@ -10728,6 +11121,27 @@
 "uuid": "65bc8e81-0a08-49f6-9d04-a2d63d512342",
 "value": "LockerGoga"
 },
+ {
+ "description": "[LoFiSe](https://app.tidalcyber.com/software/d28c3706-df25-59e2-939f-131abaf8a1eb) has been used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) since at least 2023 to identify and collect files of interest on targeted systems.[[Kaspersky ToddyCat Check Logs October 2023](https://app.tidalcyber.com/references/dbdaf320-eada-5bbb-95ab-aaa987ed7960)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1101",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "d28c3706-df25-59e2-939f-131abaf8a1eb",
+ "value": "LoFiSe"
+ },
 {
 "description": "LogMeIn provides multiple freely available tools that can be used for remote access to systems, including the flagship Rescue tool.[[LogMeIn Homepage](/references/e113b544-82ad-4099-ab4e-7fc8b78f54bd)] Adversary groups, including the Royal ransomware operation and LAPSUS$, have used LogMeIn remote access software for initial access to and persistence within victim networks.[[CISA Royal AA23-061A March 2023](/references/81baa61e-13c3-51e0-bf22-08383dbfb2a1)][[CSRB LAPSUS$ July 24 2023](/references/f8311977-303c-4d05-a7f4-25b3ae36318b)]",
 "meta": {
@@ -11183,6 +11597,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331",
 "type": "used-by"
@@ -11261,6 +11679,10 @@
 {
 "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
+ "type": "used-by"
 }
 ],
 "uuid": "3c206491-45c0-4ff7-9f40-45f9aae4de64",
@@ -11393,6 +11815,8 @@
 "software_attack_id": "S5005",
 "source": "Tidal Cyber",
 "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
 "d819ae1a-e385-49fd-88d5-f66660729ecb",
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -11416,6 +11840,10 @@
 "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -11594,7 +12022,12 @@
 "malware"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "e3c5164e-49cf-5bb1-955d-6775585abb14",
+ "type": "used-by"
+ }
+ ],
 "uuid": "5879efc1-f122-43ec-a80d-e25aa449594d",
 "value": "Micropsia"
 },
@@ -11675,6 +12108,9 @@
 "software_attack_id": "S0002",
 "source": "MITRE",
 "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
 "d819ae1a-e385-49fd-88d5-f66660729ecb",
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -11697,41 +12133,17 @@
 },
 "related": [
 {
- "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75",
- "type": "used-by"
- },
- {
- "dest-uuid": "b82c6ed1-c74a-4128-8b4d-18d1e17e1134",
- "type": "used-by"
- },
- {
- "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
- "type": "used-by"
- },
- {
- "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
- "type": "used-by"
- },
- {
- "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
- "type": "used-by"
- },
- {
- "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
- "type": "used-by"
- },
- {
- "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b",
- "type": "used-by"
- },
- {
- "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
+ "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
 "type": "used-by"
 },
 {
 "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
 "type": "used-by"
@@ -11741,23 +12153,43 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
+ "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b",
 "type": "used-by"
 },
 {
 "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
 "type": "used-by"
 },
- {
- "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
- "type": "used-by"
- },
 {
 "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
 "type": "used-by"
 },
 {
- "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de",
+ "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866",
 "type": "used-by"
 },
 {
@@ -11768,12 +12200,96 @@
 "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
 "type": "used-by"
 },
 {
- "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
+ "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "b82c6ed1-c74a-4128-8b4d-18d1e17e1134",
 "type": "used-by"
 },
 {
@@ -11781,7 +12297,11 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937",
+ "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
 "type": "used-by"
 },
 {
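Review bot: The relation `"dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337"` is added twice on the new side of hunk @@ -11768,12 +12200,96 @@ (once after the 7c3ef21c entry and again after the 16a65ee9 entry), while the later hunk @@ -11792,92 +12312,24 @@ removes only one old occurrence, so this entry's `related` array presumably ends up with a duplicate `used-by` edge to the same group. A strict JSON parser accepts the duplicate, but it appears as a double edge in the galaxy graph and usually means the exporter compares relations by position rather than by the (`dest-uuid`, `type`) pair; drop the second occurrence here, or have the generator emit each pair once. The `related` array this hunk edits starts before @@ -11697 and ends after @@ -11792, so the full list is not visible in any single hunk.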
@@ -11792,92 +12312,24 @@
 "dest-uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6",
 "type": "used-by"
 },
- {
- "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
- "type": "used-by"
- },
- {
- "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
- "type": "used-by"
- },
 {
 "dest-uuid": "f0943620-7bbb-4239-8ed3-c541c36baaa1",
 "type": "used-by"
 },
- {
- "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
- "type": "used-by"
- },
- {
- "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87",
- "type": "used-by"
- },
- {
- "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
- "type": "used-by"
- },
- {
- "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
- "type": "used-by"
- },
- {
- "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
- "type": "used-by"
- },
- {
- "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
- "type": "used-by"
- },
- {
- "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
- "type": "used-by"
- },
- {
- "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b",
- "type": "used-by"
- },
- {
- "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
- "type": "used-by"
- },
- {
- "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
- "type": "used-by"
- },
- {
- "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
- "type": "used-by"
- },
- {
- "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a",
- "type": "used-by"
- },
- {
- "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331",
- "type": "used-by"
- },
 {
 "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "type": "used-by"
 },
- {
- "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3",
- "type": "used-by"
- },
- {
- "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
- "type": "used-by"
- },
 {
 "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c",
 "type": "used-by"
 },
 {
- "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4",
+ "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
 "type": "used-by"
 },
 {
- "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866",
+ "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4",
 "type": "used-by"
 },
 {
@@ -12013,6 +12465,30 @@
 "uuid": "4048afa2-79c8-4d38-8219-2207adddd884",
 "value": "Misdat"
 },
+ {
+ "description": "[Mispadu](https://app.tidalcyber.com/software/758e5226-6015-5cc7-af4b-20fa35c9bac1) is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.[[ESET Security Mispadu Facebook Ads 2019](https://app.tidalcyber.com/references/e1b945f4-20e0-5b69-8fd7-f05afce8c0ba)][[SCILabs Malteiro 2021](https://app.tidalcyber.com/references/c6948dfc-b133-556b-a8ac-b3a4dba09c0e)] This malware is operated, managed, and sold by the [Malteiro](https://app.tidalcyber.com/groups/803f8018-6e45-5b0f-978f-1fe96b217120) cybercriminal group.[[SCILabs Malteiro 2021](https://app.tidalcyber.com/references/c6948dfc-b133-556b-a8ac-b3a4dba09c0e)] [Mispadu](https://app.tidalcyber.com/software/758e5226-6015-5cc7-af4b-20fa35c9bac1) has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.[[SCILabs Malteiro 2021](https://app.tidalcyber.com/references/c6948dfc-b133-556b-a8ac-b3a4dba09c0e)][[SCILabs URSA/Mispadu Evolution 2023](https://app.tidalcyber.com/references/a7a0db8d-bc1c-5e89-8c42-a3a6cc2cf28d)][[Segurança Informática URSA Sophisticated Loader 2020](https://app.tidalcyber.com/references/29d25b85-ae13-57d6-9e6f-d0f65783b5ac)] ",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1122",
+ "source": "MITRE",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "803f8018-6e45-5b0f-978f-1fe96b217120",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "758e5226-6015-5cc7-af4b-20fa35c9bac1",
+ "value": "Mispadu"
+ },
 {
 "description": "[Mis-Type](https://app.tidalcyber.com/software/fe554d2e-f974-41d6-8e7a-701bd758355d) is a backdoor hybrid that was used in [Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) by 2012.[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]",
 "meta": {
@@ -12170,10 +12646,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331",
- "type": "used-by"
- },
 {
 "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd",
 "type": "used-by"
@@ -12181,6 +12653,10 @@
 {
 "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331",
+ "type": "used-by"
 }
 ],
 "uuid": "69f202e7-4bc9-4f4f-943f-330c053ae977",
@@ -12733,7 +13209,11 @@
 },
 "related": [
 {
- "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
+ "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2",
 "type": "used-by"
 },
 {
@@ -12741,11 +13221,7 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba",
- "type": "used-by"
- },
- {
- "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2",
+ "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
 "type": "used-by"
 }
 ],
@@ -12820,15 +13296,7 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
- "type": "used-by"
- },
- {
- "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
- "type": "used-by"
- },
- {
- "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
+ "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
 },
 {
@@ -12840,12 +13308,20 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
+ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
 "type": "used-by"
 },
 {
 "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
+ "type": "used-by"
 }
 ],
 "uuid": "950f13e6-3ae3-411e-a2b2-4ba1afe6cb76",
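Review bot: The Mispadu description added in hunk @@ -12013,6 +12465,30 @@ ends with a trailing space inside the string value (`...29d25b85-ae13-57d6-9e6f-d0f65783b5ac)] ",`), which none of the neighbouring entries carry; trim it to `...d0f65783b5ac)]",` so the value round-trips unchanged through the generator and future syncs do not keep touching this line. This is a point of style only and does not affect how the JSON parses.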
@@ -12965,6 +13441,9 @@
 "software_attack_id": "S0039",
 "source": "MITRE",
 "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "cd1b5d44-226e-4405-8985-800492cf2865",
 "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
@@ -12981,90 +13460,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
- "type": "used-by"
- },
- {
- "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
- "type": "used-by"
- },
- {
- "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
- "type": "used-by"
- },
- {
- "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
- "type": "used-by"
- },
- {
- "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
- "type": "used-by"
- },
- {
- "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b",
- "type": "used-by"
- },
- {
- "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
- "type": "used-by"
- },
- {
- "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
- "type": "used-by"
- },
- {
- "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
- "type": "used-by"
- },
- {
- "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
- "type": "used-by"
- },
- {
- "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
- "type": "used-by"
- },
- {
- "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
- "type": "used-by"
- },
- {
- "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e",
- "type": "used-by"
- },
- {
- "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
- "type": "used-by"
- },
- {
- "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
- "type": "used-by"
- },
- {
- "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
- "type": "used-by"
- },
- {
- "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937",
- "type": "used-by"
- },
- {
- "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
- "type": "used-by"
- },
- {
- "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
- "type": "used-by"
- },
- {
- "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b",
- "type": "used-by"
- },
- {
- "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
- "type": "used-by"
- },
 {
 "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
 "type": "used-by"
@@ -13078,11 +13473,71 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
+ "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
 "type": "used-by"
 },
 {
- "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
+ "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
 "type": "used-by"
 },
 {
@@ -13090,7 +13545,11 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331",
+ "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
 "type": "used-by"
 },
 {
@@ -13098,11 +13557,43 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d",
+ "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e",
 "type": "used-by"
 },
 {
- "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
+ "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d",
 "type": "used-by"
 },
 {
@@ -13191,10 +13682,6 @@
 "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
 "type": "used-by"
 },
- {
- "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de",
- "type": "used-by"
- },
 {
 "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
 "type": "used-by"
@@ -13203,6 +13690,10 @@
 "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
 "type": "used-by"
@@ -13212,11 +13703,11 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
+ "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
 },
 {
- "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
+ "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de",
 "type": "used-by"
 },
 {
@@ -13250,15 +13741,7 @@
 },
 "related": [
 {
- "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e",
- "type": "used-by"
- },
- {
- "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
- "type": "used-by"
- },
- {
- "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
+ "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
 "type": "used-by"
 },
 {
@@ -13266,17 +13749,21 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
+ "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
 "type": "used-by"
 },
 {
 "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd",
 "type": "used-by"
 },
- {
- "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
- "type": "used-by"
- },
 {
 "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
 "type": "used-by"
@@ -13285,6 +13772,18 @@
 "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
@@ -13411,6 +13910,22 @@
 "uuid": "56018455-7644-4e59-845a-986f55efcad4",
 "value": "Network Scanner"
 },
+ {
+ "description": "[NGLite](https://app.tidalcyber.com/software/48b161fe-3ae1-5551-9f26-d6f2d6b5afb9) is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.[[NGLite Trojan](https://app.tidalcyber.com/references/7cdd99d2-bbb2-5c81-ad09-92b581f33ffe)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1106",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "48b161fe-3ae1-5551-9f26-d6f2d6b5afb9",
+ "value": "NGLite"
+ },
 {
 "description": "[ngrok](https://app.tidalcyber.com/software/316ecd9d-ac0b-58c7-8083-5d9214c770f6) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://app.tidalcyber.com/software/316ecd9d-ac0b-58c7-8083-5d9214c770f6) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.[[Zdnet Ngrok September 2018](https://app.tidalcyber.com/references/3edb88be-2ca6-4925-ba2e-a5a4ac5f9ab0)][[FireEye Maze May 2020](https://app.tidalcyber.com/references/02338a66-6820-4505-8239-a1f1fcc60d32)][[Cyware Ngrok May 2019](https://app.tidalcyber.com/references/583a01b6-cb4e-41e7-aade-ac2fd19bda4e)][[MalwareBytes LazyScripter Feb 2021](https://app.tidalcyber.com/references/078837a7-82cd-4e26-9135-43b612e911fe)]",
 "meta": {
@@ -13420,6 +13935,9 @@
 "software_attack_id": "S0508",
 "source": "MITRE",
 "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
 "509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
@@ -13453,7 +13971,7 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091",
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
 "type": "used-by"
 },
 {
@@ -13464,6 +13982,10 @@
 "dest-uuid": "07bdadce-905e-4337-898a-13e88cfb5a61",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331",
 "type": "used-by"
@@ -13472,6 +13994,10 @@
 "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d",
 "type": "used-by"
@@ -13522,6 +14048,27 @@
 "uuid": "b1963876-dbdc-5beb-ace3-acb6d7705543",
 "value": "NightClub"
 },
+ {
+ "description": "[Ninja](https://app.tidalcyber.com/software/2dd26ff0-22d6-591b-9054-78e84fa3e05c) is a malware developed in C++ that has been used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) to penetrate networks and control remote systems since at least 2020. [Ninja](https://app.tidalcyber.com/software/2dd26ff0-22d6-591b-9054-78e84fa3e05c) is possibly part of a post exploitation toolkit exclusively used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) and allows multiple operators to work simultaneously on the same machine. [Ninja](https://app.tidalcyber.com/software/2dd26ff0-22d6-591b-9054-78e84fa3e05c) has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by [Samurai](https://app.tidalcyber.com/software/bd75c822-7be6-5e6f-bd2e-0512be6d38d9).[[Kaspersky ToddyCat June 2022](https://app.tidalcyber.com/references/285c038b-e5fc-57ef-9a98-d9e24c52e2cf)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1100",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "2dd26ff0-22d6-591b-9054-78e84fa3e05c",
+ "value": "Ninja"
+ },
 {
 "description": "NirSoft is a self-described \"freeware\" utility that can be used to recover passwords.[[NirSoft Website](/references/024e4e25-aab7-4231-bb4b-5e399d02d7b2)] According to U.S. cybersecurity authorities, ransomware actors such as those associated with the Royal ransomware operation have used the NirSoft utility to harvest passwords for malicious purposes.[[#StopRansomware: Royal Ransomware | CISA](/references/dd094572-da2e-4e54-9e54-b243dd4fcd2b)]",
 "meta": {
@@ -13570,18 +14117,14 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a",
 "type": "used-by"
 },
- {
- "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786",
- "type": "used-by"
- },
- {
- "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091",
- "type": "used-by"
- },
 {
 "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
 "type": "used-by"
@@ -13591,7 +14134,11 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
+ "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091",
 "type": "used-by"
 },
 {
@@ -13602,6 +14149,24 @@
 "uuid": "82996f6f-0575-45cd-8f7c-ba1b063d5b9f",
 "value": "njRAT"
 },
+ {
+ "description": "[NKAbuse](https://app.tidalcyber.com/software/e26988e0-e755-54a4-8234-e8f961266d82) is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.[[NKAbuse BC](https://app.tidalcyber.com/references/7c0fea50-a125-57eb-9a86-dd0d6693abce)][[NKAbuse SL](https://app.tidalcyber.com/references/96e199f8-1d33-574f-a507-05303db728e1)]",
+ "meta": {
+ "platforms": [
+ "macOS",
+ "Linux",
+ "Windows"
+ ],
+ "software_attack_id": "S1107",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "e26988e0-e755-54a4-8234-e8f961266d82",
+ "value": "NKAbuse"
+ },
 {
 "description": "[Nltest](https://app.tidalcyber.com/software/fbb1546a-f288-4e43-9e5c-14c94423c4f6) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.[[Nltest Manual](https://app.tidalcyber.com/references/4bb113a8-7e2c-4656-86f4-c30b08705ffa)]",
 "meta": {
@@ -13611,6 +14176,9 @@
 "software_attack_id": "S0359",
 "source": "MITRE",
 "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "24f6ba0e-9230-4410-a9fb-b0f3b55de326",
 "15787198-6c8b-4f79-bf50-258d55072fee",
@@ -13626,10 +14194,22 @@
 "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937",
 "type": "used-by"
@@ -13645,14 +14225,6 @@
 {
 "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3",
 "type": "used-by"
- },
- {
- "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
- "type": "used-by"
- },
- {
- "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
- "type": "used-by"
 }
 ],
 "uuid": "fbb1546a-f288-4e43-9e5c-14c94423c4f6",
@@ -14320,6 +14892,28 @@
 "uuid": "1933ad3d-3085-4b1b-82b9-ac51b440e2bf",
 "value": "P8RAT"
 },
+ {
+ "description": "[PACEMAKER](https://app.tidalcyber.com/software/13856c51-d81c-5d75-bb6a-0bbdcc857cdd) is a credential stealer that was used by [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) as early as 2020 including activity against US Defense Industrial Base (DIB) companies.[[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)]",
+ "meta": {
+ "platforms": [
+ "Network",
+ "Linux"
+ ],
+ "software_attack_id": "S1109",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "13856c51-d81c-5d75-bb6a-0bbdcc857cdd",
+ "value": "PACEMAKER"
+ },
 {
 "description": "Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[[GitHub Pacu](https://app.tidalcyber.com/references/bda43b1b-ea8d-4371-9984-6d8a7cc24965)]",
 "meta": {
@@ -14364,6 +14958,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
@@ -14518,6 +15116,27 @@
 "uuid": "00daafc4-8bf1-4447-b24f-1580263124f5",
 "value": "Pcalua"
 },
+ {
+ "description": "[Pcexter](https://app.tidalcyber.com/software/873ede85-548b-5fc0-a29e-80bd5afc5bf4) is an uploader that has been used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) since at least 2023 to exfiltrate stolen files.[[Kaspersky ToddyCat Check Logs October 2023](https://app.tidalcyber.com/references/dbdaf320-eada-5bbb-95ab-aaa987ed7960)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1102",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "873ede85-548b-5fc0-a29e-80bd5afc5bf4",
+ "value": "Pcexter"
+ },
 {
 "description": "PCHunter is a tool used to enable advanced task management, including for system processes and kernels.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]",
 "meta": {
@@ -14528,6 +15147,9 @@
 "software_attack_id": "S5038",
 "source": "Tidal Cyber",
 "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb",
 "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
@@ -14545,6 +15167,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -14572,7 +15198,12 @@
 "tool"
 ]
 },
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
+ "type": "used-by"
+ }
+ ],
 "uuid": "71eb2211-39aa-4b89-bd51-9dcabd363149",
 "value": "PcShare"
 },
@@ -14854,6 +15485,22 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
 "type": "used-by"
@@ -14862,6 +15509,10 @@
 "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
 "type": "used-by"
@@ -14871,29 +15522,13 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
- "type": "used-by"
- },
- {
- "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
- "type": "used-by"
- },
- {
- "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
- "type": "used-by"
- },
- {
- "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067",
+ "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
 "type": "used-by"
 },
 {
 "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
 },
- {
- "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
- "type": "used-by"
- },
 {
 "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
 "type": "used-by"
@@ -15010,6 +15645,22 @@
 "uuid": "14e65c5d-5164-41a3-92de-67fdd1d529d2",
 "value": "Pisloader"
 },
+ {
+ "description": "[PITSTOP](https://app.tidalcyber.com/software/c0e56f14-9768-5547-abcb-aa3f220d0e40) is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to enable command execution and file read/write.[[Mandiant Cutting Edge Part 3 February 2024](https://app.tidalcyber.com/references/49e5b125-5503-5cb0-9a56-a93f82b55753)]",
+ "meta": {
+ "platforms": [
+ "Network"
+ ],
+ "software_attack_id": "S1123",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "c0e56f14-9768-5547-abcb-aa3f220d0e40",
+ "value": "PITSTOP"
+ },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Capture Network Packets on the windows 10 with October 2018 Update or later.\n\n**Author:** Derek Johnson\n\n**Paths:**\n* c:\\windows\\system32\\pktmon.exe\n* c:\\windows\\syswow64\\pktmon.exe\n\n**Resources:**\n* [https://binar-x79.com/windows-10-secret-sniffer/](https://binar-x79.com/windows-10-secret-sniffer/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_pktmon.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml)\n* IOC: .etl files found on system[[Pktmon.exe - LOLBAS Project](/references/8f0ad4ed-869b-4332-b091-7551262cff29)]",
 "meta": {
@@ -15134,10 +15785,46 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
 "type": "used-by"
@@ -15147,44 +15834,12 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
- "type": "used-by"
- },
- {
- "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
- "type": "used-by"
- },
- {
- "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e",
- "type": "used-by"
- },
- {
- "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec",
- "type": "used-by"
- },
- {
- "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
- "type": "used-by"
- },
- {
- "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3",
- "type": "used-by"
- },
- {
- "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a",
- "type": "used-by"
- },
- {
- "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
+ "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c",
 "type": "used-by"
 },
 {
 "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b",
 "type": "used-by"
- },
- {
- "dest-uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813",
- "type": "used-by"
 }
 ],
 "uuid": "070b56f4-7810-4dad-b85f-bdfce9c08c10",
@@ -15265,34 +15920,34 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "4510ce41-27b9-479c-9bf3-a328b77bae29",
- "type": "used-by"
- },
 {
 "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca",
 "type": "used-by"
 },
- {
- "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
- "type": "used-by"
- },
 {
 "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6",
 "type": "used-by"
 },
- {
- "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d",
- "type": "used-by"
- },
- {
- "dest-uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813",
- "type": "used-by"
- },
 {
 "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4510ce41-27b9-479c-9bf3-a328b77bae29",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
 "type": "used-by"
@@ -15310,11 +15965,15 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
+ "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
 "type": "used-by"
 },
 {
- "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813",
 "type": "used-by"
 },
 {
@@ -15408,11 +16067,11 @@
 },
 "related": [
 {
- "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
+ "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
 "type": "used-by"
 },
 {
- "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
+ "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
 "type": "used-by"
 }
 ],
@@ -15610,7 +16269,7 @@
 },
 "related": [
 {
- "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
+ "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
 "type": "used-by"
 },
 {
@@ -15625,32 +16284,32 @@
 "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
 "type": "used-by"
 },
- {
- "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
- "type": "used-by"
- },
- {
- "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
- "type": "used-by"
- },
 {
 "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
 "type": "used-by"
 },
- {
- "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
- "type": "used-by"
- },
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
 },
 {
- "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
+ "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
 "type": "used-by"
 }
 ],
@@ -15736,6 +16395,8 @@
 "software_attack_id": "S5039",
 "source": "Tidal Cyber",
 "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
 "d819ae1a-e385-49fd-88d5-f66660729ecb",
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -15755,6 +16416,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -16139,6 +16804,9 @@
 "software_attack_id": "S0029",
 "source": "MITRE",
 "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "5cd85fec-0e37-4892-9cd2-bb8c70139072",
 "0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3",
@@ -16159,22 +16827,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
- "type": "used-by"
- },
- {
- "dest-uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6",
- "type": "used-by"
- },
- {
- "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87",
- "type": "used-by"
- },
- {
- "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
- "type": "used-by"
- },
 {
 "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
 "type": "used-by"
@@ -16187,44 +16839,12 @@
 "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
 "type": "used-by"
 },
- {
- "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
- "type": "used-by"
- },
- {
- "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
- "type": "used-by"
- },
- {
- "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4",
- "type": "used-by"
- },
- {
- "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
- "type": "used-by"
- },
- {
- "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
- "type": "used-by"
- },
- {
- "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de",
- "type": "used-by"
- },
 {
 "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
 "type": "used-by"
 },
 {
- "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
- "type": "used-by"
- },
- {
- "dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e",
- "type": "used-by"
- },
- {
- "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
+ "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
 "type": "used-by"
 },
 {
@@ -16232,25 +16852,57 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07",
+ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
 "type": "used-by"
 },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
 },
- {
- "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
- "type": "used-by"
- },
 {
 "dest-uuid": "55b20209-c04a-47ab-805d-ace83522ef6a",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
 "type": "used-by"
@@ -16264,23 +16916,19 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
 "type": "used-by"
 },
 {
- "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44",
+ "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c",
 "type": "used-by"
 },
 {
- "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f",
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
 "type": "used-by"
 },
 {
- "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
- "type": "used-by"
- },
- {
- "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
+ "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de",
 "type": "used-by"
 },
 {
@@ -16292,7 +16940,35 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c",
+ "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6",
 "type": "used-by"
 },
 {
@@ -16300,11 +16976,11 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d",
+ "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331",
 "type": "used-by"
 },
 {
- "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331",
+ "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
 },
 {
@@ -16413,6 +17089,28 @@
 "uuid": "58883c83-d5be-42fc-b4bd-9287e55cd499",
 "value": "Pubprn"
 },
+ {
+ "description": "[PULSECHECK](https://app.tidalcyber.com/software/d777204c-f93c-54d9-b80e-41641a3d55ce) is a web shell written in Perl that was used by [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.[[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)]",
+ "meta": {
+ "platforms": [
+ "Network",
+ "Linux"
+ ],
+ "software_attack_id": "S1108",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "d777204c-f93c-54d9-b80e-41641a3d55ce",
+ "value": "PULSECHECK"
+ },
 {
 "description": "According to joint Cybersecurity Advisory AA23-320A (November 2023), Pulseway is a publicly available, legitimate tool that \"enables remote monitoring and management of systems\". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]",
 "meta": {
@@ -16565,11 +17263,7 @@
 },
 "related": [
 {
- "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
- "type": "used-by"
- },
- {
- "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
+ "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
 },
 {
@@ -16585,7 +17279,11 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
+ "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
 "type": "used-by"
 }
 ],
@@ -16645,6 +17343,10 @@
 "software_attack_id": "S0650",
 "source": "MITRE",
 "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
 "e096f0dd-fa2c-4771-8270-128c97c09f5b",
 "e809d252-12cc-494d-94f5-954c49eb87ce"
 ],
@@ -16654,12 +17356,16 @@
 },
 "related": [
 {
- "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
+ "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
 "type": "used-by"
 },
 {
 "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
+ "type": "used-by"
 }
 ],
 "uuid": "9050b418-5ffd-481a-a30d-f9059b0871ea",
@@ -16705,6 +17411,14 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091",
 "type": "used-by"
@@ -16713,17 +17427,9 @@
 "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
 "type": "used-by"
 },
- {
- "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
- "type": "used-by"
- },
 {
 "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
 "type": "used-by"
- },
- {
- "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2",
- "type": "used-by"
 }
 ],
 "uuid": "4bab7c2b-5ec4-467e-8df4-f2e6996e136b",
@@ -16866,6 +17572,10 @@
 "software_attack_id": "S5281",
 "source": "Tidal Cyber",
 "tags": [
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
 "e727eaa6-ef41-4965-b93a-8ad0c51d0236",
@@ -16876,6 +17586,14 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331",
 "type": "used-by"
@@ -16972,6 +17690,28 @@
 "uuid": "dc307b3c-9bc5-4624-b0bc-4807fa1fc57b",
 "value": "Ramsay"
 },
+ {
+ "description": "[RAPIDPULSE](https://app.tidalcyber.com/software/129abb68-7992-554e-92fa-fa376279c0b6) is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) since at least 2021.[[Mandiant Pulse Secure Update May 2021](https://app.tidalcyber.com/references/5620adaf-c2a7-5f0f-ae70-554ce720426e)]",
+ "meta": {
+ "platforms": [
+ "Network",
+ "Linux"
+ ],
+ "software_attack_id": "S1113",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "129abb68-7992-554e-92fa-fa376279c0b6",
+ "value": "RAPIDPULSE"
+ },
 {
 "description": "[RARSTONE](https://app.tidalcyber.com/software/a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2) is malware used by the [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) group that has some characteristics similar to [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10). [[Aquino RARSTONE](https://app.tidalcyber.com/references/2327592e-4e8a-481e-bdf9-d548c776adee)]",
 "meta": {
@@ -17113,6 +17853,11 @@
 "software_attack_id": "S1040",
 "source": "MITRE",
 "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
+ "c5a258ce-9045-48d9-b254-ec2bf6437bb5",
+ "cc4ea215-87ce-4351-9579-cf527caf5992",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "e1af18e3-3224-4e4c-9d0f-533768474508",
 "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
 "a40b7316-bef6-4186-9764-58ce6f033850",
@@ -17135,6 +17880,10 @@
 "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
 "type": "used-by"
@@ -17151,9 +17900,17 @@
 "dest-uuid": "07bdadce-905e-4337-898a-13e88cfb5a61",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c",
+ "type": "used-by"
 }
 ],
 "uuid": "1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4",
@@ -17176,11 +17933,11 @@
 },
 "related": [
 {
- "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "type": "used-by"
 },
 {
- "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
+ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
 "type": "used-by"
 }
 ],
@@ -17370,6 +18127,14 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
 "type": "used-by"
@@ -17379,27 +18144,19 @@
 "type": "used-by"
 },
 {
- "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
+ "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c",
 "type": "used-by"
 },
 {
 "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
 "type": "used-by"
 },
- {
- "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
- "type": "used-by"
- },
 {
 "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
 "type": "used-by"
 },
 {
- "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
- "type": "used-by"
- },
- {
- "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c",
+ "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "type": "used-by"
 }
 ],
@@ -17820,11 +18577,11 @@
 },
 "related": [
 {
- "dest-uuid": "830079fe-9824-405b-93e0-c28592155c49",
+ "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
 "type": "used-by"
 },
 {
- "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
+ "dest-uuid": "830079fe-9824-405b-93e0-c28592155c49",
 "type": "used-by"
 }
 ],
@@ -18480,10 +19237,6 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
- "type": "used-by"
- },
 {
 "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
 "type": "used-by"
@@ -18491,6 +19244,10 @@
 {
 "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
+ "type": "used-by"
 }
 ],
 "uuid": "8ae86854-4cdc-49eb-895a-d1fa742f7974",
@@ -18564,6 +19321,27 @@
 "uuid": "88831e9f-453e-466f-9510-9acaa1f20368",
 "value": "SamSam"
 },
+ {
+ "description": "[Samurai](https://app.tidalcyber.com/software/bd75c822-7be6-5e6f-bd2e-0512be6d38d9) is a passive backdoor that has been used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) since at least 2020. [Samurai](https://app.tidalcyber.com/software/bd75c822-7be6-5e6f-bd2e-0512be6d38d9) allows arbitrary C# code execution and is used with multiple modules for remote administration and lateral movement.[[Kaspersky ToddyCat June 2022](https://app.tidalcyber.com/references/285c038b-e5fc-57ef-9a98-d9e24c52e2cf)]",
+ "meta": {
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S1099",
+ "source": "MITRE",
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "bd75c822-7be6-5e6f-bd2e-0512be6d38d9",
+ "value": "Samurai"
+ },
 {
 "description": "[Sardonic](https://app.tidalcyber.com/software/9ab0d523-3496-5e64-9ca1-bb756f5e64e0) is a backdoor written in C and C++ that is known to be used by [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f), as early as August 2021 to target a financial institution in the United States. [Sardonic](https://app.tidalcyber.com/software/9ab0d523-3496-5e64-9ca1-bb756f5e64e0) has a plugin system that can load specially made DLLs and execute their functions.[[Bitdefender Sardonic Aug 2021](https://app.tidalcyber.com/references/8e9d05c9-6783-5738-ac85-a444810a8074)][[Symantec FIN8 Jul 2023](https://app.tidalcyber.com/references/9b08b7f0-1a33-5d76-817f-448fac0d165a)]",
 "meta": {
@@ -18631,10 +19409,6 @@
 "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9",
 "type": "used-by"
 },
- {
- "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
- "type": "used-by"
- },
 {
 "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
 "type": "used-by"
@@ -18666,6 +19440,10 @@
 {
 "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c",
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
+ "type": "used-by"
 }
 ],
 "uuid": "2aacbf3a-a359-41d2-9a71-76447f0545b5",
@@ -18753,6 +19531,10 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "type": "used-by"
@@ -18761,10 +19543,6 @@
 "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50",
 "type": "used-by"
 },
- {
- "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
- "type": "used-by"
- },
 {
 "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331",
 "type": "used-by"
@@ -19046,6 +19824,10 @@
 "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
 "type": "used-by"
 },
+ {
+ "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
+ "type": "used-by"
+ },
 {
 "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
 "type": "used-by"
@@ -19057,17 +19839,13 @@ { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" - }, - { - "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", - "type": "used-by" } ], "uuid": "5190f50d-7e54-410a-9961-79ab751ddbab", "value": "ShadowPad" }, { - "description": "[Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) has also been seen leveraging [RawDisk](https://app.tidalcyber.com/software/d86a562d-d235-4481-9a3f-273fa3ebe89a) and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)][[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)][[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)][[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]", + "description": "[Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) has also been seen leveraging [RawDisk](https://app.tidalcyber.com/software/d86a562d-d235-4481-9a3f-273fa3ebe89a) and Filerase to carry out data wiping tasks. 
Analysis has linked [Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) with [Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3) based on multiple shared artifacts and coding patterns.[[Cylera Kwampirs 2022](https://app.tidalcyber.com/references/06442111-2c71-5efb-9530-cabeba159a91)] The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)][[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)][[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)][[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]", "meta": { "platforms": [ "Windows" @@ -19165,6 +19943,8 @@ "software_attack_id": "S5275", "source": "Tidal Cyber", "tags": [ + "c5a258ce-9045-48d9-b254-ec2bf6437bb5", + "cc4ea215-87ce-4351-9579-cf527caf5992", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", @@ -19178,6 +19958,10 @@ ] }, "related": [ + { + "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", + "type": "used-by" + }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" @@ -19551,7 +20335,12 @@ "malware" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", + "type": "used-by" + } + ], "uuid": "206453a4-a298-4cab-9fdf-f136a4e0c761", "value": "Skeleton Key" }, 
@@ -19571,6 +20360,28 @@ "uuid": "cc91d3d4-bbf5-4a9c-b43a-2ba034db4858", "value": "Skidmap" }, + { + "description": "[SLIGHTPULSE](https://app.tidalcyber.com/software/c8fed4fc-5721-5db2-b107-b2a9b677244e) is a web shell that was used by [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.[[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)]", + "meta": { + "platforms": [ + "Network", + "Linux" + ], + "software_attack_id": "S1110", + "source": "MITRE", + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", + "type": "used-by" + } + ], + "uuid": "c8fed4fc-5721-5db2-b107-b2a9b677244e", + "value": "SLIGHTPULSE" + }, { "description": "[Sliver](https://app.tidalcyber.com/software/bbd16b7b-7e35-4a11-86ff-9b19e17bdab3) is an open source, cross-platform, red team command and control framework written in Golang.[[Bishop Fox Sliver Framework August 2019](https://app.tidalcyber.com/references/51e67e37-2d61-4228-999b-bec6f80cf106)]", "meta": { @@ -19592,6 +20403,10 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" + }, + { + "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", + "type": "used-by" } ], "uuid": "bbd16b7b-7e35-4a11-86ff-9b19e17bdab3", 
@@ -19634,6 +20449,27 @@ "uuid": "7c047a54-93cf-4dfc-ab20-d905791aebb2", "value": "SLOWDRIFT" }, + { + "description": "[SLOWPULSE](https://app.tidalcyber.com/software/37e264a6-5ad3-5a79-bf2c-db725622206e) is a malware that was used by [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) as early as 2020 including against U.S. Defense Industrial Base (DIB) companies. [SLOWPULSE](https://app.tidalcyber.com/software/37e264a6-5ad3-5a79-bf2c-db725622206e) has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single and two-factor authentication flows.[[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)]", + "meta": { + "platforms": [ + "Network" + ], + "software_attack_id": "S1104", + "source": "MITRE", + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", + "type": "used-by" + } + ], + "uuid": "37e264a6-5ad3-5a79-bf2c-db725622206e", + "value": "SLOWPULSE" + }, { "description": "[Small Sieve](https://app.tidalcyber.com/software/c58028b9-2e79-4bc9-9b04-d24ea4dd4948) is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) since at least January 2022.[[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)][[NCSC GCHQ Small Sieve Jan 2022](https://app.tidalcyber.com/references/0edb8946-be38-45f5-a27c-bdbebc383d72)]\n\nSecurity researchers have also noted [Small Sieve](https://app.tidalcyber.com/software/c58028b9-2e79-4bc9-9b04-d24ea4dd4948)'s use by UNC3313, which may be associated with [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6).[[Mandiant UNC3313 Feb 
2022](https://app.tidalcyber.com/references/ac1a1262-1254-4ab2-a940-2d08b6558e9e)]", "meta": { @@ -19746,6 +20582,30 @@ "uuid": "d6c24f7c-fe79-4094-8f3c-68c4446ae4c7", "value": "SNUGRIDE" }, + { + "description": "[SocGholish](https://app.tidalcyber.com/software/ab84f259-9b9a-51d8-a68a-2bcd7512d760) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by [Mustard Tempest](https://app.tidalcyber.com/groups/0898e7cb-118e-5eeb-b856-04e56ed18182) and its access has been sold to groups including [Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) for downloading secondary RAT and ransomware payloads.[[SentinelOne SocGholish Infrastructure November 2022](https://app.tidalcyber.com/references/8a26eeb6-6f80-58f1-b773-b38835c6781d)][[SocGholish-update](https://app.tidalcyber.com/references/01d9c3ba-29e2-5090-b399-0e7adf50a6b9)][[Red Canary SocGholish March 2024](https://app.tidalcyber.com/references/70fa26e4-109c-5a48-b9fd-ac8b9acf2cf3)][[Secureworks Gold Prelude Profile](https://app.tidalcyber.com/references/b16ae37d-5244-5c1e-92a9-e494b5a9ef49)] ", + "meta": { + "platforms": [ + "Windows" + ], + "software_attack_id": "S1124", + "source": "MITRE", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "0898e7cb-118e-5eeb-b856-04e56ed18182", + "type": "used-by" + } + ], + "uuid": "ab84f259-9b9a-51d8-a68a-2bcd7512d760", + "value": "SocGholish" + }, { "description": "[Socksbot](https://app.tidalcyber.com/software/c1906bb6-0b5b-4916-8b29-37f7e272f6b3) is a backdoor that abuses Socket Secure (SOCKS) proxies. [[TrendMicro Patchwork Dec 2017](https://app.tidalcyber.com/references/15465b26-99e1-4956-8c81-cda3388169b8)]", "meta": { 
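Review bot: The new SocGholish description string ends with a trailing space before the closing quote (`…Profile](…)] "`), which none of the other entries added in this diff carry and which is most likely inherited from the upstream export; it does not break JSON validity, but it is carried into every downstream render and defeats exact-match comparison against the source text. Stripping description values in the generator (`desc.strip()`) would remove it here and in any future entry without a hand edit to this file. Separately, the entry's `related` list links only Mustard Tempest while the description names Indrik Spider as a buyer of its access; whether a `used-by` relation is expected there depends on the upstream relationship data, so it is worth confirming against the export rather than adding by hand.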
@@ -19796,6 +20656,11 @@ "software_attack_id": "S5008", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", + "c5a258ce-9045-48d9-b254-ec2bf6437bb5", + "cc4ea215-87ce-4351-9579-cf527caf5992", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -19822,6 +20687,14 @@ "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, + { + "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", + "type": "used-by" + }, + { + "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -20020,6 +20893,9 @@ "software_attack_id": "S5009", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "d819ae1a-e385-49fd-88d5-f66660729ecb", "e1af18e3-3224-4e4c-9d0f-533768474508", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "9bc47297-864d-4f39-be37-ad9379102853", @@ -20046,6 +20922,10 @@ "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, + { + "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -20115,6 +20995,10 @@ ] }, "related": [ + { + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "type": "used-by" + }, { "dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa", "type": "used-by" 
@@ -20318,6 +21202,22 @@ "uuid": "764c6121-2d15-4a10-ac53-b1c431dc8b47", "value": "STARWHALE" }, + { + "description": "[STEADYPULSE](https://app.tidalcyber.com/software/ea561f0b-b891-5735-aa99-97cc8818fbef) is a web shell that infects targeted Pulse Secure VPN servers through modification of a legitimate Perl script that was used as early as 2020 including in activity against US Defense Industrial Base (DIB) entities.[[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)]", + "meta": { + "platforms": [ + "Network" + ], + "software_attack_id": "S1112", + "source": "MITRE", + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "ea561f0b-b891-5735-aa99-97cc8818fbef", + "value": "STEADYPULSE" + }, { "description": "[StoneDrill](https://app.tidalcyber.com/software/9eee52a2-5ac1-4561-826c-23ec7fbc7876) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with [APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac).[[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)][[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]", "meta": { 
@@ -20799,46 +21699,46 @@ ] }, "related": [ - { - "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", - "type": "used-by" - }, { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" }, { - "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, - { - "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", - "type": "used-by" - }, - { - "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", - "type": "used-by" - }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, - { - "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", - "type": "used-by" - }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, + { + "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", + "type": "used-by" + }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, + { + "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", + "type": "used-by" + }, + { + "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", + "type": "used-by" + }, + { + "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", + "type": "used-by" + }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" @@ -21057,20 +21957,16 @@ ] }, "related": [ - { - "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", - "type": "used-by" - }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { - "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { - "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { 
@@ -21081,6 +21977,10 @@ "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, + { + "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", + "type": "used-by" + }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" @@ -21093,6 +21993,10 @@ "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" }, + { + "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", + "type": "used-by" + }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" @@ -21366,6 +22270,10 @@ ] }, "related": [ + { + "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", + "type": "used-by" + }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" @@ -21642,14 +22550,6 @@ ] }, "related": [ - { - "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", - "type": "used-by" - }, - { - "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", - "type": "used-by" - }, { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" @@ -21662,6 +22562,14 @@ "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, + { + "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", + "type": "used-by" + }, + { + "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", + "type": "used-by" + }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" @@ -22242,10 +23150,6 @@ ] }, "related": [ - { - "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", - "type": "used-by" - }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" @@ -22253,6 +23157,10 @@ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" + }, + { + "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", + "type": "used-by" } ], "uuid": "3e501609-87e4-4c47-bd88-5054be0f1037", 
@@ -22726,6 +23634,22 @@ "uuid": "6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a", "value": "WannaCry" }, + { + "description": "[WARPWIRE](https://app.tidalcyber.com/software/9a592b49-1701-5e4c-95cf-9b8c98b80527) is a Javascript credential stealer that targets plaintext passwords and usernames for exfiltration that was used during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to target Ivanti Connect Secure VPNs.[[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)][[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)]", + "meta": { + "platforms": [ + "Network" + ], + "software_attack_id": "S1116", + "source": "MITRE", + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "9a592b49-1701-5e4c-95cf-9b8c98b80527", + "value": "WARPWIRE" + }, { "description": "[WarzoneRAT](https://app.tidalcyber.com/software/cfebe868-15cb-4be5-b7ed-38b52f2a0722) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[[Check Point Warzone Feb 2020](https://app.tidalcyber.com/references/c214c36e-2bc7-4b98-a74e-529aae99f9cf)][[Uptycs Warzone UAC Bypass November 2020](https://app.tidalcyber.com/references/1324b314-a4d9-43e7-81d6-70b6917fe527)]", "meta": { @@ -22750,6 +23674,10 @@ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, + { + "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", + "type": "used-by" + }, { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" @@ -22902,11 +23830,11 @@ }, "related": [ { - "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", + "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { - "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", + "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { 
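Review bot: The hunk `@@ -22750,6 +23674,10 @@` adds a `used-by` relation to `3d77fb6c-cfb4-5563-b0be-7aa1ad535337` immediately after an identical context entry, so the new side of this `related` array holds the same (dest-uuid, type) pair twice; judging by the preceding hunk this is the WarzoneRAT entry, but its opening brace lies outside the hunk. A consumer that builds a relationship graph from the galaxy will emit two identical edges, and duplicates of this kind also turn later re-orderings (like the other hunks on this page) into spurious diffs. Since the file is regenerated from the upstream export, the fix belongs in the generator rather than in a hand edit: dedupe `related` before serialising, e.g. `related = list({(r["dest-uuid"], r["type"]): r for r in related}.values())`, and drop the four added lines here.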
@@ -23005,7 +23933,15 @@ }, "related": [ { - "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", + "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", + "type": "used-by" + }, + { + "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", + "type": "used-by" + }, + { + "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { @@ -23017,15 +23953,7 @@ "type": "used-by" }, { - "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", - "type": "used-by" - }, - { - "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", - "type": "used-by" - }, - { - "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", + "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { @@ -23197,11 +24125,11 @@ }, "related": [ { - "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" } ], @@ -23239,6 +24167,10 @@ "software_attack_id": "S5081", "source": "Tidal Cyber", "tags": [ + "c5a258ce-9045-48d9-b254-ec2bf6437bb5", + "cc4ea215-87ce-4351-9579-cf527caf5992", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", "c45ce044-b5b9-426a-866c-130e9f2a4427", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -23250,6 +24182,10 @@ ] }, "related": [ + { + "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", + "type": "used-by" + }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" @@ -23294,6 +24230,9 @@ "software_attack_id": "S5046", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "c5a258ce-9045-48d9-b254-ec2bf6437bb5", + "cc4ea215-87ce-4351-9579-cf527caf5992", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", 
@@ -23313,6 +24252,14 @@ ] }, "related": [ + { + "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", + "type": "used-by" + }, + { + "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -23381,6 +24328,22 @@ "uuid": "627e05c2-c02e-433e-9288-c2d78bce156f", "value": "Wiper" }, + { + "description": "[WIREFIRE](https://app.tidalcyber.com/software/93b02819-8acc-5d7d-ad11-abb33f9309cc) is a web shell written in Python that exists as trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. [WIREFIRE](https://app.tidalcyber.com/software/93b02819-8acc-5d7d-ad11-abb33f9309cc) was used during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) for downloading files and command execution.[[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)]", + "meta": { + "platforms": [ + "Network" + ], + "software_attack_id": "S1115", + "source": "MITRE", + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "93b02819-8acc-5d7d-ad11-abb33f9309cc", + "value": "WIREFIRE" + }, { "description": "Wireshark is a popular open-source packet analyzer utility.", "meta": { 
@@ -24020,6 +24983,22 @@ "uuid": "34d0c5b5-f6e1-41e9-9061-cf9d36fe61c8", "value": "Zipfldr" }, + { + "description": "[ZIPLINE](https://app.tidalcyber.com/software/976a7797-3008-5316-9e28-19c9a05959d0) is a passive backdoor that was used during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) on compromised Secure Connect VPNs for reverse shell and proxy functionality.[[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)]", + "meta": { + "platforms": [ + "Network" + ], + "software_attack_id": "S1114", + "source": "MITRE", + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "976a7797-3008-5316-9e28-19c9a05959d0", + "value": "ZIPLINE" + }, { "description": "[ZLib](https://app.tidalcyber.com/software/1ac8d363-2903-43da-9c1d-2b28179638c8) is a full-featured backdoor that was used as a second-stage implant during [Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) since at least 2014. [ZLib](https://app.tidalcyber.com/software/1ac8d363-2903-43da-9c1d-2b28179638c8) is malware and should not be confused with the legitimate compression library from which its name is derived.[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]", "meta": { @@ -24097,11 +25076,11 @@ "type": "used-by" }, { - "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", + "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", "type": "used-by" }, { - "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", + "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { diff --git a/clusters/tidal-tactic.json b/clusters/tidal-tactic.json index b24c5fd..55b3070 100644 --- a/clusters/tidal-tactic.json +++ b/clusters/tidal-tactic.json 
@@ -384,6 +384,14 @@
 {
 "dest-uuid": "478da817-1914-50f6-b1fd-434081a34354",
 "type": "uses"
+ },
+ {
+ "dest-uuid": "9938f7ab-c7d0-5483-bdb9-565431a049ff",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f57c8d43-ca88-5351-9828-36b1937daf0e",
+ "type": "uses"
 }
 ],
 "uuid": "989d09c2-12b8-4419-9b34-a328cf295fff",
@@ -636,6 +644,10 @@
 {
 "dest-uuid": "944a7b91-c58e-567d-9e2c-515b93713c50",
 "type": "uses"
+ },
+ {
+ "dest-uuid": "889b6cfa-dfb4-5d9f-beef-6c7c2e171454",
+ "type": "uses"
 }
 ],
 "uuid": "dad2337d-6d35-410a-acc5-da36ff83ee44",
@@ -1108,6 +1120,18 @@
 {
 "dest-uuid": "0719ea2b-d630-5ada-9b04-c3136ff530ae",
 "type": "uses"
+ },
+ {
+ "dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b9490b5f-645c-54a6-bf50-ad63540e6a07",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778",
+ "type": "uses"
 }
 ],
 "uuid": "ec4f9786-c00c-430a-bc6d-0d0d22fdd393",
@@ -1536,6 +1560,18 @@
 {
 "dest-uuid": "15660958-1f4f-4136-8cda-82123fd38232",
 "type": "uses"
+ },
+ {
+ "dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b9490b5f-645c-54a6-bf50-ad63540e6a07",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "769d2e67-5430-5fdd-9a07-d1b227110ec0",
+ "type": "uses"
 }
 ],
 "uuid": "b17dde68-dbcf-4cfd-9bb8-be014ec65c37",
@@ -2312,6 +2348,34 @@
 {
 "dest-uuid": "04e8e75c-434e-51e0-9780-580a3823a8cb",
 "type": "uses"
+ },
+ {
+ "dest-uuid": "3b8f1fe2-f6f1-5660-a0b3-2f6be096b791",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "49714d10-6f44-5035-a448-66c2a3f3cdd6",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3d6727cd-d297-51e9-a6a2-8718284bf8e5",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b02bc1f4-fbed-5eab-918c-f367c39cc3ba",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "afe01d48-73bc-5e52-aa5f-2310911c2e3c",
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "769d2e67-5430-5fdd-9a07-d1b227110ec0",
+ "type": "uses"
 }
 ],
 "uuid": "8e29c6c9-0c10-4bb0-827d-ff0ab8922726",
@@ -2580,6 +2644,10 @@
 {
 "dest-uuid": "260571a6-3c08-5419-98c5-3fa1aa8e675d",
 "type": "uses"
+ },
+ {
+ "dest-uuid": "2fa370dd-42be-5c10-85e8-294624c8a778",
+ "type": "uses"
 }
 ],
 "uuid": "0c3132d5-c0df-4793-b5f2-1a95bd64ab53",
@@ -3212,6 +3280,10 @@
 {
 "dest-uuid": "3f95e4f2-cd4a-502c-a12a-becb8d28440c",
 "type": "uses"
+ },
+ {
+ "dest-uuid": "a3a2a527-39e7-58b4-a3cc-932eb0cef562",
+ "type": "uses"
 }
 ],
 "uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb",
diff --git a/clusters/tidal-technique.json b/clusters/tidal-technique.json
index b6cf9e6..b71a532 100644
--- a/clusters/tidal-technique.json
+++ b/clusters/tidal-technique.json
@@ -10,7 +10,7 @@
 "uuid": "298b6aee-981b-4fd8-8759-a2e72ad223fa",
 "values": [
 {
- "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.",
+ "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.[[TechNet How UAC Works](https://app.tidalcyber.com/references/bbf8d1a3-115e-4bc8-be43-47ce3b295d45)][[sudo man page 2018](https://app.tidalcyber.com/references/659d4302-d4cf-41af-8007-aa1da0208aa0)] An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.[[OSX Keydnap malware](https://app.tidalcyber.com/references/d43e0dd1-0946-4f49-bcc7-3ef38445eac3)][[Fortinet Fareit](https://app.tidalcyber.com/references/d06223d7-2d86-41c6-af23-50865a1810c0)]",
 "meta": {
 "platforms": [
 "Azure AD",
@@ -79,7 +79,7 @@ "value": "Account Access Removal" }, { - "description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.", + "description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. 
This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists.[[AWS List Users](https://app.tidalcyber.com/references/517e3d27-36da-4810-b256-3f47147b36e3)][[Google Cloud - IAM Servie Accounts List API](https://app.tidalcyber.com/references/3ffad706-1dac-41dd-b197-06f22fec3b30)] On hosts, adversaries can use default [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.", "meta": { "platforms": [ "Azure AD", 
@@ -103,7 +103,7 @@
 "value": "Account Discovery"
 },
 {
- "description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).",
+ "description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.[[FireEye SMOKEDHAM June 2021](https://app.tidalcyber.com/references/a81ad3ef-fd96-432c-a7c8-ccc86d127a1b)] These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406).",
 "meta": {
 "platforms": [
 "Azure AD",
@@ -150,7 +150,7 @@
 "value": "Acquire Access"
 },
 {
- "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.[[TrendmicroHideoutsLease](https://app.tidalcyber.com/references/527de869-3c76-447c-98c4-c37a2acf75e2)] Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b), including from residential proxy services.[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)][[FBI Proxies Credential Stuffing](https://app.tidalcyber.com/references/17f9b7b0-3e1a-5d75-9030-da79fcccdb49)][[Mandiant APT29 Microsoft 365 2022](https://app.tidalcyber.com/references/e141408e-d22b-58e4-884f-0cbff25444da)] Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
+ "description": "Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. 
Infrastructure solutions include physical or cloud servers, domains, and third-party web services.[[TrendmicroHideoutsLease](https://app.tidalcyber.com/references/527de869-3c76-447c-98c4-c37a2acf75e2)] Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.[[Free Trial PurpleUrchin](https://app.tidalcyber.com/references/841f397d-d103-56d7-9854-7ce43c684879)] Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b), including from residential proxy services.[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)][[FBI Proxies Credential Stuffing](https://app.tidalcyber.com/references/17f9b7b0-3e1a-5d75-9030-da79fcccdb49)][[Mandiant APT29 Microsoft 365 2022](https://app.tidalcyber.com/references/e141408e-d22b-58e4-884f-0cbff25444da)] Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
 "meta": {
 "platforms": [
 "PRE" 
@@ -184,7 +184,7 @@
 "value": "Active Scanning"
 },
 {
- "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://app.tidalcyber.com/technique/bbad213d-477d-43bf-9501-ad7d74bac323), [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243), or replay attacks ([Exploitation for Credential Access](https://app.tidalcyber.com/technique/afdfa503-0464-4b42-a79c-a6fc828492ef)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.[[Rapid7 MiTM Basics](https://app.tidalcyber.com/references/33b25966-0ab9-4cc6-9702-62263a23af9c)]\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.[[ttint_rat](https://app.tidalcyber.com/references/f3e60cae-3225-4800-bc15-cb46ff715061)][[dns_changer_trojans](https://app.tidalcyber.com/references/082a0fde-d9f9-45f2-915d-f14c77b62254)][[ad_blocker_with_miner](https://app.tidalcyber.com/references/8e30f71e-80b8-4662-bc95-bf3cf7cfcf40)] Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)] [Downgrade Attack](https://app.tidalcyber.com/technique/257fffe4-d17b-4e63-a41c-8388936d6215)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption 
algorithm.[[mitm_tls_downgrade_att](https://app.tidalcyber.com/references/af907fe1-1e37-4f44-8ad4-fcc3826ee6fb)][[taxonomy_downgrade_att_tls](https://app.tidalcyber.com/references/4459076e-7c79-4855-9091-5aabd274f586)][[tlseminar_downgrade_att](https://app.tidalcyber.com/references/8b5d46bf-fb4e-4ecd-b8a9-9c084c1864a3)]\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://app.tidalcyber.com/technique/e3be3d76-0a36-4060-8003-3b39c557f728) and/or in support of a [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311).",
+ "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://app.tidalcyber.com/technique/bbad213d-477d-43bf-9501-ad7d74bac323), [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243), or replay attacks ([Exploitation for Credential Access](https://app.tidalcyber.com/technique/afdfa503-0464-4b42-a79c-a6fc828492ef)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. 
ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.[[Rapid7 MiTM Basics](https://app.tidalcyber.com/references/33b25966-0ab9-4cc6-9702-62263a23af9c)]\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.[[ttint_rat](https://app.tidalcyber.com/references/f3e60cae-3225-4800-bc15-cb46ff715061)][[dns_changer_trojans](https://app.tidalcyber.com/references/082a0fde-d9f9-45f2-915d-f14c77b62254)][[ad_blocker_with_miner](https://app.tidalcyber.com/references/8e30f71e-80b8-4662-bc95-bf3cf7cfcf40)] Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://app.tidalcyber.com/technique/f78f2c87-626a-468f-93a5-31b61be17727)) and session cookies ([Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e)).[[volexity_0day_sophos_FW](https://app.tidalcyber.com/references/85bee18e-216d-4ea6-b34e-b071e3f63382)][[Token tactics](https://app.tidalcyber.com/references/e254e336-2e3e-5bea-a9e9-0f42f333b894)] [Downgrade Attack](https://app.tidalcyber.com/technique/257fffe4-d17b-4e63-a41c-8388936d6215)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.[[mitm_tls_downgrade_att](https://app.tidalcyber.com/references/af907fe1-1e37-4f44-8ad4-fcc3826ee6fb)][[taxonomy_downgrade_att_tls](https://app.tidalcyber.com/references/4459076e-7c79-4855-9091-5aabd274f586)][[tlseminar_downgrade_att](https://app.tidalcyber.com/references/8b5d46bf-fb4e-4ecd-b8a9-9c084c1864a3)]\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify 
traffic, such as in [Transmitted Data Manipulation](https://app.tidalcyber.com/technique/70365fab-8531-4a0e-b147-7cabdfdef243). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://app.tidalcyber.com/technique/e3be3d76-0a36-4060-8003-3b39c557f728) and/or in support of a [Network Denial of Service](https://app.tidalcyber.com/technique/e6c14a7b-1fb8-4557-83e7-7f5b89717311).",
 "meta": {
 "platforms": [
 "Linux", 
@@ -208,11 +208,12 @@
 "value": "Adversary-in-the-Middle"
 },
 {
- "description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ",
+ "description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)] ",
 "meta": {
 "platforms": [
 "Linux",
 "macOS",
+ "Network",
 "Windows"
 ],
 "source": "MITRE" 
@@ -246,7 +247,7 @@
 "value": "Application Window Discovery"
 },
 {
- "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.",
+ "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)] Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.",
 "meta": {
 "platforms": [
 "Linux", 
@@ -265,7 +266,7 @@
 "value": "Archive Collected Data"
 },
 {
- "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.",
+ "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.[[ESET Attor Oct 2019](https://app.tidalcyber.com/references/fdd57c56-d989-4a6f-8cc5-5b3713605dec)]\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.",
 "meta": {
 "platforms": [
 "Linux", 
@@ -284,7 +285,7 @@
 "value": "Audio Capture"
 },
 {
- "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) and [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f) to identify and move files, as well as [Cloud Service Dashboard](https://app.tidalcyber.com/technique/315ce434-ad6d-4dae-a1dd-6db944a44422) and [Cloud Storage Object Discovery](https://app.tidalcyber.com/technique/92761d92-a288-4407-a112-bb2720f07d07) to identify resources in cloud environments.",
+ "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. 
\n\nIn cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.[[Mandiant UNC3944 SMS Phishing 2023](https://app.tidalcyber.com/references/3a310dbd-4b5c-5eaf-a4ce-699e52007c9b)] \n\nThis functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) and [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f) to identify and move files, as well as [Cloud Service Dashboard](https://app.tidalcyber.com/technique/315ce434-ad6d-4dae-a1dd-6db944a44422) and [Cloud Storage Object Discovery](https://app.tidalcyber.com/technique/92761d92-a288-4407-a112-bb2720f07d07) to identify resources in cloud environments.",
 "meta": {
 "platforms": [
 "IaaS", 
@@ -305,7 +306,7 @@
 "value": "Automated Collection"
 },
 {
- "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://app.tidalcyber.com/technique/89203cae-d3f1-4eef-9b5a-29042eb05d19) and [Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88).",
+ "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.[[ESET Gamaredon June 2020](https://app.tidalcyber.com/references/6532664d-2311-4b38-8960-f43762471729)] \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://app.tidalcyber.com/technique/89203cae-d3f1-4eef-9b5a-29042eb05d19) and [Exfiltration Over Alternative Protocol](https://app.tidalcyber.com/technique/192d25ea-bae1-48e4-88de-e0acd481ab88).",
 "meta": {
 "platforms": [
 "Linux",
@@ -351,6 +352,7 @@
 "platforms": [
 "Linux",
 "macOS",
+ "Network",
 "Windows"
 ],
 "source": "MITRE" 
@@ -369,11 +371,12 @@
 "value": "Boot or Logon Autostart Execution"
 },
 {
- "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
+ "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)][[Anomali Rocke March 2019](https://app.tidalcyber.com/references/31051c8a-b523-4b8e-b834-2168c59e783b)] Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
 "meta": {
 "platforms": [
 "Linux",
 "macOS",
+ "Network",
 "Windows"
 ],
 "source": "MITRE" 
@@ -392,7 +395,7 @@
 "value": "Boot or Logon Initialization Scripts"
 },
 {
- "description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.[[Wikipedia Browser Extension](https://app.tidalcyber.com/references/52aef082-3f8e-41b4-af95-6631ce4c9e91)][[Chrome Extensions Definition](https://app.tidalcyber.com/references/fe00cee9-54d9-4775-86da-b7db73295bf7)]\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.[[Malicious Chrome Extension Numbers](https://app.tidalcyber.com/references/f34fcf1f-370e-4b6e-9cc4-7ee4075faf6e)] Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. 
In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.[[xorrior chrome extensions macOS](https://app.tidalcyber.com/references/84bfd3a1-bda2-4821-ac52-6af8515e5879)]\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.[[Chrome Extension Crypto Miner](https://app.tidalcyber.com/references/ae28f530-40da-451e-89b8-b472340c3e0a)][[ICEBRG Chrome Extensions](https://app.tidalcyber.com/references/459bfd4a-7a9b-4d65-b574-acb221428dad)][[Banker Google Chrome Extension Steals Creds](https://app.tidalcyber.com/references/93f37adc-d060-4b35-9a4d-62d2ad61cdf3)][[Catch All Chrome Extension](https://app.tidalcyber.com/references/eddd2ea8-89c1-40f9-b6e3-37cbdebd210e)]\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.[[Stantinko Botnet](https://app.tidalcyber.com/references/d81e0274-76f4-43ce-b829-69f761e280dc)] There have also been similar examples of extensions being used for command & control.[[Chrome Extension C2 Malware](https://app.tidalcyber.com/references/b0fdf9c7-614b-4269-ba3e-7d8b02aa8502)]",
+ "description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. 
They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.[[Wikipedia Browser Extension](https://app.tidalcyber.com/references/52aef082-3f8e-41b4-af95-6631ce4c9e91)][[Chrome Extensions Definition](https://app.tidalcyber.com/references/fe00cee9-54d9-4775-86da-b7db73295bf7)]\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.[[Malicious Chrome Extension Numbers](https://app.tidalcyber.com/references/f34fcf1f-370e-4b6e-9cc4-7ee4075faf6e)] Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. 
In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.[[xorrior chrome extensions macOS](https://app.tidalcyber.com/references/84bfd3a1-bda2-4821-ac52-6af8515e5879)]\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.[[Chrome Extension Crypto Miner](https://app.tidalcyber.com/references/ae28f530-40da-451e-89b8-b472340c3e0a)][[ICEBRG Chrome Extensions](https://app.tidalcyber.com/references/459bfd4a-7a9b-4d65-b574-acb221428dad)][[Banker Google Chrome Extension Steals Creds](https://app.tidalcyber.com/references/93f37adc-d060-4b35-9a4d-62d2ad61cdf3)][[Catch All Chrome Extension](https://app.tidalcyber.com/references/eddd2ea8-89c1-40f9-b6e3-37cbdebd210e)]\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://app.tidalcyber.com/tactics/94ffe549-1c29-438d-9c7f-e27f7acee0bb).[[Stantinko Botnet](https://app.tidalcyber.com/references/d81e0274-76f4-43ce-b829-69f761e280dc)][[Chrome Extension C2 Malware](https://app.tidalcyber.com/references/b0fdf9c7-614b-4269-ba3e-7d8b02aa8502)] Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726).[[Browers FriarFox](https://app.tidalcyber.com/references/3fe79fc8-c86d-57ad-961f-30fddd0e5f62)][[Browser Adrozek](https://app.tidalcyber.com/references/48afb730-b5e1-5a85-bb60-9ef9b536e397)] ",
 "meta": {
 "platforms": [
 "Linux", 
@@ -447,7 +450,7 @@
 "value": "Browser Session Hijacking"
 },
 {
- "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), [Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3), or [Password Policy Discovery](https://app.tidalcyber.com/technique/2bf2e498-99c8-4e36-ad4b-e675d95ac925). 
Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) as part of Initial Access.",
+ "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.[[TrendMicro Pawn Storm Dec 2020](https://app.tidalcyber.com/references/3bc249cd-f29a-4a74-a179-a6860e43683f)] Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)] Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d), [Account Discovery](https://app.tidalcyber.com/technique/6736995e-b9ea-401b-81fa-6caeb7a17ce3), or [Password Policy Discovery](https://app.tidalcyber.com/technique/2bf2e498-99c8-4e36-ad4b-e675d95ac925). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://app.tidalcyber.com/technique/c1f7e330-f1c4-4923-b8ad-bbd79cc63cb4) as part of Initial Access.",
 "meta": {
 "platforms": [
 "Azure AD", 
@@ -509,10 +512,9 @@
 "value": "Clipboard Data"
 },
 {
- "description": "Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.[[AWS Systems Manager Run Command](https://app.tidalcyber.com/references/ef66f17b-6a5b-5eb8-83de-943e2bddd114)][[Microsoft Run Command](https://app.tidalcyber.com/references/4f2e6adb-6e3d-5f1f-b873-4b99797f2bfa)][[SpecterOps Lateral Movement from Azure to On-Prem AD 2020](https://app.tidalcyber.com/references/eb97d3d6-21cb-5f27-9a78-1e8576acecdc)]\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) to execute commands in connected virtual machines.[[MSTIC Nobelium Oct 2021](https://app.tidalcyber.com/references/7b6cc308-9871-47e5-9039-a9a7e66ce373)]",
+ "description": "Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. 
[[AWS Systems Manager Run Command](https://app.tidalcyber.com/references/ef66f17b-6a5b-5eb8-83de-943e2bddd114)][[Microsoft Run Command](https://app.tidalcyber.com/references/4f2e6adb-6e3d-5f1f-b873-4b99797f2bfa)]\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://app.tidalcyber.com/technique/7549c2f9-b5d2-4773-90ed-42f668aecacf) to execute commands in connected virtual machines.[[MSTIC Nobelium Oct 2021](https://app.tidalcyber.com/references/7b6cc308-9871-47e5-9039-a9a7e66ce373)]",
 "meta": {
 "platforms": [
- "Azure AD",
 "IaaS"
 ],
 "source": "MITRE"
@@ -550,7 +552,8 @@
 "Azure AD",
 "Google Workspace",
 "IaaS",
- "Office 365"
+ "Office 365",
+ "SaaS"
 ],
 "source": "MITRE"
 }, 
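Review bot: The rewritten description no longer cites "SpecterOps Lateral Movement from Azure to On-Prem AD 2020" and drops the hybrid-joined device / Endpoint Manager sentence, and the `"Azure AD"` platform entry is removed in the same hunk, so text and platform list stay consistent with each other. If this entry also carries a separate reference list elsewhere in the object (this hunk only shows `meta.platforms`), it is worth checking that the corresponding SpecterOps reference was removed there as well, otherwise a citation the description no longer mentions would linger as an orphan. The second hunk on this line adds `"SaaS"` to another entry's platforms and needs no change.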
@@ -626,7 +629,7 @@
 "value": "Command and Scripting Interpreter"
 },
 {
- "description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://app.tidalcyber.com/technique/6a7ab25e-49ed-4cd3-b199-5d80b728b416). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.",
+ "description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.[[ESET Sednit USBStealer 2014](https://app.tidalcyber.com/references/8673f7fc-5b23-432a-a2d8-700ece46bd0f)] Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://app.tidalcyber.com/technique/6a7ab25e-49ed-4cd3-b199-5d80b728b416). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.",
 "meta": {
 "platforms": [
 "Linux", 
@@ -662,7 +665,7 @@ "value": "Compromise Accounts" }, { - "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)[[Unit42 Banking Trojans Hooking 2022](https://app.tidalcyber.com/references/411c3df4-08e6-518a-953d-19988b663dc4)] prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.[[ESET FontOnLake Analysis 2021](https://app.tidalcyber.com/references/dbcced87-91ee-514f-98c8-29a85d967384)]\n\nSince these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.", + "description": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.\n\nAdversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. 
Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.\n\nAn adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)[[Unit42 Banking Trojans Hooking 2022](https://app.tidalcyber.com/references/411c3df4-08e6-518a-953d-19988b663dc4)] prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.[[ESET FontOnLake Analysis 2021](https://app.tidalcyber.com/references/dbcced87-91ee-514f-98c8-29a85d967384)]", "meta": { "platforms": [ "Linux", 
@@ -678,10 +681,10 @@ } ], "uuid": "05435e33-05fe-4a41-b8e4-694d45eb9147", - "value": "Compromise Client Software Binary" + "value": "Compromise Host Software Binary" }, { - "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)][[ICANNDomainNameHijacking](https://app.tidalcyber.com/references/96c5ec6c-d53d-49c3-bca1-0b6abe0080e6)][[Talos DNSpionage Nov 2018](https://app.tidalcyber.com/references/d597ad7d-f808-4289-b42a-79807248c2d6)][[FireEye EPS Awakens Part 2](https://app.tidalcyber.com/references/7fd58ef5-a0b7-40b6-8771-ca5e87740965)] Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. 
For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://app.tidalcyber.com/technique/4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58)) to further blend in and support staged information gathering and/or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) campaigns.[[FireEye DNS Hijack 2019](https://app.tidalcyber.com/references/2c696e90-11eb-4196-9946-b5c4c11ccddc)] Additionally, adversaries may also compromise infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) and/or proxyware services.[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)][[Sysdig Proxyjacking](https://app.tidalcyber.com/references/26562be2-cab6-5867-9a43-d8a59c663596)]\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.[[NSA NCSC Turla OilRig](https://app.tidalcyber.com/references/3e86a807-5188-4278-9a58-babd23b86410)]", + "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. 
Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)][[ICANNDomainNameHijacking](https://app.tidalcyber.com/references/96c5ec6c-d53d-49c3-bca1-0b6abe0080e6)][[Talos DNSpionage Nov 2018](https://app.tidalcyber.com/references/d597ad7d-f808-4289-b42a-79807248c2d6)][[FireEye EPS Awakens Part 2](https://app.tidalcyber.com/references/7fd58ef5-a0b7-40b6-8771-ca5e87740965)] Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://app.tidalcyber.com/technique/4c0db4e5-14e0-4fb7-88b0-bb391ce5ad58)) to further blend in and support staged information gathering and/or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) campaigns.[[FireEye DNS Hijack 2019](https://app.tidalcyber.com/references/2c696e90-11eb-4196-9946-b5c4c11ccddc)] Additionally, adversaries may also compromise infrastructure to support [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) and/or proxyware services.[[amnesty_nso_pegasus](https://app.tidalcyber.com/references/9e40d93a-fe91-504a-a6f2-e6546067ba53)][[Sysdig Proxyjacking](https://app.tidalcyber.com/references/26562be2-cab6-5867-9a43-d8a59c663596)]\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. 
Prior to targeting, adversaries may compromise the infrastructure of other adversaries.[[NSA NCSC Turla OilRig](https://app.tidalcyber.com/references/3e86a807-5188-4278-9a58-babd23b86410)]", "meta": { "platforms": [ "PRE" @@ -755,7 +758,7 @@ "value": "Content Injection" }, { - "description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.", + "description": "Adversaries may create an account to maintain access to victim systems.[[Symantec WastedLocker June 2020](https://app.tidalcyber.com/references/061d8f74-a202-4089-acae-687e4f96933b)] With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.", "meta": { "platforms": [ "Azure AD", 
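Review bot: The `value` rename from "Compromise Client Software Binary" to "Compromise Host Software Binary" keeps uuid 05435e33-05fe-4a41-b8e4-694d45eb9147 but changes the string that MISP tags and any value-keyed correlation are built from, so events tagged with the old name stop matching this cluster; the -1254 hunk does the same with "Domain Policy Modification" → "Domain or Tenant Policy Modification". Consumers that resolve by uuid are unaffected, but this cannot be confirmed from the hunk alone. To keep older tags resolvable, carry the previous name in the cluster's meta, e.g. `"synonyms": ["Compromise Client Software Binary"]` (and likewise `"synonyms": ["Domain Policy Modification"]` for the second rename). Both enclosing cluster objects start outside the hunk.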
@@ -784,6 +787,7 @@ "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.[[TechNet Services](https://app.tidalcyber.com/references/b50a3c2e-e997-4af5-8be0-3a8b3a959827)] On macOS, launchd processes known as [Launch Daemon](https://app.tidalcyber.com/technique/eff618a9-6498-4b01-bca1-cd5f3784fc27) and [Launch Agent](https://app.tidalcyber.com/technique/6dbe030c-5f87-4b45-9b6b-5bba2c0fad00) are run to finish system initialization and load user specific parameters.[[AppleDocs Launch Agent Daemons](https://app.tidalcyber.com/references/310d18f8-6f9a-48b7-af12-6b921209d1ab)] \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.[[OSX Malware Detection](https://app.tidalcyber.com/references/0df0e28a-3c0b-4418-9f5a-77fffe37ac8a)] ", "meta": { "platforms": [ + "Containers", "Linux", "macOS", "Windows" 
@@ -804,7 +808,7 @@ "value": "Create or Modify System Process" }, { - "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", + "description": "Adversaries may search for common password storage locations to obtain user credentials.[[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)] Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", "meta": { "platforms": [ "IaaS", 
@@ -1002,7 +1006,7 @@ "value": "Data from Removable Media" }, { - "description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.[[Sygnia Elephant Beetle Jan 2022](https://app.tidalcyber.com/references/932897a6-0fa4-5be3-bf0b-20d6ddad238e)] By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", "meta": { "platforms": [ "Linux", 
@@ -1021,7 +1025,7 @@ "value": "Data Manipulation" }, { - "description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. ", + "description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect.[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)] Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. ", "meta": { "platforms": [ "Linux", 
@@ -1141,7 +1145,7 @@ "value": "Deobfuscate/Decode Files or Information" }, { - "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.\n\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.[[Docker Containers API](https://app.tidalcyber.com/references/2351cb32-23d6-4557-9c52-e6e228402bab)][[Kubernetes Dashboard](https://app.tidalcyber.com/references/02f23351-df83-4aae-a0bd-614ed91bc683)][[Kubeflow Pipelines](https://app.tidalcyber.com/references/0b40474c-173c-4a8c-8cc7-bac2dcfcaedd)] Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.[[Aqua Build Images on Hosts](https://app.tidalcyber.com/references/efd64f41-13cc-4b2b-864c-4d2352cdadcd)]", + "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://app.tidalcyber.com/technique/bebaf25b-9f50-4e3b-96cc-cc55c5765b61) and access other containers running on the node. 
[[AppSecco Kubernetes Namespace Breakout 2020](https://app.tidalcyber.com/references/85852b3e-f6a3-5406-9dd5-a649358a53de)]\n\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow. [[Docker Containers API](https://app.tidalcyber.com/references/2351cb32-23d6-4557-9c52-e6e228402bab)][[Kubernetes Dashboard](https://app.tidalcyber.com/references/02f23351-df83-4aae-a0bd-614ed91bc683)][[Kubeflow Pipelines](https://app.tidalcyber.com/references/0b40474c-173c-4a8c-8cc7-bac2dcfcaedd)] In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.[[Kubernetes Workload Management](https://app.tidalcyber.com/references/f207163b-08a8-5219-aca8-812e83e0dad3)] Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.[[Aqua Build Images on Hosts](https://app.tidalcyber.com/references/efd64f41-13cc-4b2b-864c-4d2352cdadcd)]", "meta": { "platforms": [ "Containers" 
@@ -1201,6 +1205,7 @@ "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. [[Hakobyan 2009](https://app.tidalcyber.com/references/d92f6dc0-e902-4a4a-9083-8d1667a7003e)]\n\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.[[Github PowerSploit Ninjacopy](https://app.tidalcyber.com/references/e92aed6b-348b-4dab-8292-fee0698e4a85)] Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://app.tidalcyber.com/software/a7589733-6b04-4215-a4e7-4b62cd4610fa)) to create shadow copies or backups of data from system volumes.[[LOLBAS Esentutl](https://app.tidalcyber.com/references/691b4907-3544-4ad0-989c-b5c845e0330f)]", "meta": { "platforms": [ + "Network", "Windows" ], "source": "MITRE" 
@@ -1235,10 +1240,11 @@ "value": "Disk Wipe" }, { - "description": "Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.\n\nWith sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://app.tidalcyber.com/technique/723c6d51-91db-4658-9ee0-eafb953c2d82) to computers throughout the domain environment[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)][[Wald0 Guide to GPOs](https://app.tidalcyber.com/references/48bb84ac-56c8-4840-9a11-2cc76213e24e)][[Harmj0y Abusing GPO Permissions](https://app.tidalcyber.com/references/18cc9426-9b51-46fa-9106-99688385ebe4)] or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.[[Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks](https://app.tidalcyber.com/references/47031992-841f-4ef4-87c6-bb4c077fb8dc)] Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://app.tidalcyber.com/technique/c5eb5b88-6c62-4900-9b14-c4d67d420002).\n\nAdversaries may temporarily modify domain 
policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.", + "description": "Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.\n\nModifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.\n\nWith sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. 
Examples of such abuse include: \n\n* modifying GPOs to push a malicious [Scheduled Task](https://app.tidalcyber.com/technique/723c6d51-91db-4658-9ee0-eafb953c2d82) to computers throughout the domain environment[[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)][[Wald0 Guide to GPOs](https://app.tidalcyber.com/references/48bb84ac-56c8-4840-9a11-2cc76213e24e)][[Harmj0y Abusing GPO Permissions](https://app.tidalcyber.com/references/18cc9426-9b51-46fa-9106-99688385ebe4)]\n* modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources[[Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks](https://app.tidalcyber.com/references/47031992-841f-4ef4-87c6-bb4c077fb8dc)]\n* changing configuration settings within the AD environment to implement a [Rogue Domain Controller](https://app.tidalcyber.com/technique/c5eb5b88-6c62-4900-9b14-c4d67d420002).\n* adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant [[Okta Cross-Tenant Impersonation 2023](https://app.tidalcyber.com/references/d54188b5-86eb-52a0-8384-823c45431762)]\n\nAdversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.", "meta": { "platforms": [ "Azure AD", + "SaaS", "Windows" ], "source": "MITRE" 
@@ -1254,7 +1260,7 @@ } ], "uuid": "d092a9e1-63d0-415d-8cd0-666a261be5d9", - "value": "Domain Policy Modification" + "value": "Domain or Tenant Policy Modification" }, { "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.[[Microsoft Trusts](https://app.tidalcyber.com/references/e6bfc6a8-9eea-4c65-9c2b-04749da72a92)] Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://app.tidalcyber.com/technique/dcb323f0-0fe6-4e26-9039-4f26f10cd3a5), [Pass the Ticket](https://app.tidalcyber.com/technique/5e771f38-6286-4330-b7b4-38071ad6b68a), and [Kerberoasting](https://app.tidalcyber.com/technique/2f980aed-b34a-4300-ac6b-70e7ddf6d9be).[[AdSecurity Forging Trust Tickets](https://app.tidalcyber.com/references/09d3ccc1-cd8a-4675-88c0-84110f5b8e8b)][[Harmj0y Domain Trusts](https://app.tidalcyber.com/references/23a9ef6c-9f71-47bb-929f-9a92f24553eb)] Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.[[Harmj0y Domain Trusts](https://app.tidalcyber.com/references/23a9ef6c-9f71-47bb-929f-9a92f24553eb)] The Windows utility [Nltest](https://app.tidalcyber.com/software/fbb1546a-f288-4e43-9e5c-14c94423c4f6) is known to be used by adversaries to enumerate domain trusts.[[Microsoft Operation Wilysupply](https://app.tidalcyber.com/references/567ce633-a061-460b-84af-01dfe3d818c7)]", 
@@ -1334,11 +1340,12 @@ "value": "Email Collection" }, { - "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.", + "description": "Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.", "meta": { "platforms": [ "Linux", "macOS", + "Network", "Windows" ], "source": "MITRE" 
@@ -1378,7 +1385,7 @@ "value": "Endpoint Denial of Service" }, { - "description": "Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.[[Docker Overview](https://app.tidalcyber.com/references/52954bb1-16b0-4717-a72c-8a6dec97610b)]\n\nThere are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.[[Docker Bind Mounts](https://app.tidalcyber.com/references/b298b3d1-30c1-4894-b1de-be11812cde6b)][[Trend Micro Privileged Container](https://app.tidalcyber.com/references/92ac290c-4863-4774-b334-848ed72e3627)][[Intezer Doki July 20](https://app.tidalcyber.com/references/688b2582-6602-44e1-aaac-3a4b8e168b04)][[Container Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)][[Crowdstrike Kubernetes Container Escape](https://app.tidalcyber.com/references/84d5f015-9014-417c-b2a9-f650fe19d448)][[Keyctl-unmask](https://app.tidalcyber.com/references/75db8c88-e547-4d1b-8f22-6ace2b3d7ad4)]\n\nAdditionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://app.tidalcyber.com/technique/0b9609dd-9f19-4747-ba6e-421b6b7ff03f).[[Container 
Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)] Adversaries may also escape via [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.[[Windows Server Containers Are Open](https://app.tidalcyber.com/references/9a801256-5852-433e-95bd-768f9b70b9fe)]\n\nGaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", + "description": "Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.[[Docker Overview](https://app.tidalcyber.com/references/52954bb1-16b0-4717-a72c-8a6dec97610b)]\n\nThere are multiple ways an adversary may escape to a host environment. 
Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.[[Docker Bind Mounts](https://app.tidalcyber.com/references/b298b3d1-30c1-4894-b1de-be11812cde6b)][[Trend Micro Privileged Container](https://app.tidalcyber.com/references/92ac290c-4863-4774-b334-848ed72e3627)][[Intezer Doki July 20](https://app.tidalcyber.com/references/688b2582-6602-44e1-aaac-3a4b8e168b04)][[Container Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)][[Crowdstrike Kubernetes Container Escape](https://app.tidalcyber.com/references/84d5f015-9014-417c-b2a9-f650fe19d448)][[Keyctl-unmask](https://app.tidalcyber.com/references/75db8c88-e547-4d1b-8f22-6ace2b3d7ad4)]\n\nAdditionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://app.tidalcyber.com/technique/0b9609dd-9f19-4747-ba6e-421b6b7ff03f).[[Container Escape](https://app.tidalcyber.com/references/8248917a-9afd-4ec6-a086-1a97a68deff1)] Adversaries may also escape via [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.[[Windows Server Containers Are Open](https://app.tidalcyber.com/references/9a801256-5852-433e-95bd-768f9b70b9fe)]\n\nGaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other 
containers running on the host, or setting up a command and control channel on the host.", "meta": { "platforms": [ "Containers", 
@@ -1397,7 +1404,7 @@ "value": "Escape to Host" }, { - "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)][[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. 
This could include filling out profile information, developing social networks, or incorporating photos.[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)][[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]", + "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)][[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. 
This could include filling out profile information, developing social networks, or incorporating photos.[[NEWSCASTER2014](https://app.tidalcyber.com/references/9abb4bbb-bad3-4d22-b235-c8a35465f2ce)][[BlackHatRobinSage](https://app.tidalcyber.com/references/82068e93-a3f8-4d05-9358-6fe76a0055bb)]\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06) or [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)] In addition, establishing accounts may allow adversaries to abuse free services, such as registering for trial periods to [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) for malicious purposes.[[Free Trial PurpleUrchin](https://app.tidalcyber.com/references/841f397d-d103-56d7-9854-7ce43c684879)]\n", "meta": { "platforms": [ "PRE" 
@@ -1661,7 +1668,7 @@ "value": "Exploitation of Remote Services" }, { - "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.[[NVD CVE-2016-6662](https://app.tidalcyber.com/references/1813c26d-da68-4a82-a959-27351dd5e51b)][[CIS Multiple SMB Vulnerabilities](https://app.tidalcyber.com/references/76d9da2c-1503-4105-b017-cb2b69298296)][[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)][[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)][[NVD CVE-2014-7169](https://app.tidalcyber.com/references/c3aab918-51c6-4773-8677-a89b27a00eb1)] Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://app.tidalcyber.com/technique/15b65bf2-dbe5-47bc-be09-ed97684bf391). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. 
This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://app.tidalcyber.com/technique/bebaf25b-9f50-4e3b-96cc-cc55c5765b61), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.[[Mandiant Fortinet Zero Day](https://app.tidalcyber.com/references/7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7)][[Wired Russia Cyberwar](https://app.tidalcyber.com/references/28c53a97-5500-5bfb-8aac-3c0bf94c2dfe)]\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.[[OWASP Top 10](https://app.tidalcyber.com/references/c6db3a77-4d01-4b4d-886d-746d676ed6d0)][[CWE top 25](https://app.tidalcyber.com/references/d8ee8b1f-c18d-48f3-9758-6860cd31c3e3)]", + "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. 
The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.[[NVD CVE-2016-6662](https://app.tidalcyber.com/references/1813c26d-da68-4a82-a959-27351dd5e51b)][[CIS Multiple SMB Vulnerabilities](https://app.tidalcyber.com/references/76d9da2c-1503-4105-b017-cb2b69298296)][[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)][[Cisco Blog Legacy Device Attacks](https://app.tidalcyber.com/references/f7ce5099-7e04-4c0b-8767-e0eec664b18e)][[NVD CVE-2014-7169](https://app.tidalcyber.com/references/c3aab918-51c6-4773-8677-a89b27a00eb1)] Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://app.tidalcyber.com/technique/15b65bf2-dbe5-47bc-be09-ed97684bf391) or [Exploitation for Client Execution](https://app.tidalcyber.com/technique/068df3d7-f788-44e4-9e6b-2ae443af1609).\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. 
This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://app.tidalcyber.com/technique/bebaf25b-9f50-4e3b-96cc-cc55c5765b61), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.[[Mandiant Fortinet Zero Day](https://app.tidalcyber.com/references/7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7)][[Wired Russia Cyberwar](https://app.tidalcyber.com/references/28c53a97-5500-5bfb-8aac-3c0bf94c2dfe)]\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.[[OWASP Top 10](https://app.tidalcyber.com/references/c6db3a77-4d01-4b4d-886d-746d676ed6d0)][[CWE top 25](https://app.tidalcyber.com/references/d8ee8b1f-c18d-48f3-9758-6860cd31c3e3)]", "meta": { "platforms": [ "Containers", 
@@ -1726,7 +1733,7 @@ "value": "Fallback Channels" }, { - "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.[[Windows Commands JPCERT](https://app.tidalcyber.com/references/9d935f7f-bc2a-4d09-a51a-82074ffd7d77)] Custom tools may also be used to gather file and directory information and interact with the [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560). Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]", + "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. 
Examples include dir, tree, ls, find, and locate.[[Windows Commands JPCERT](https://app.tidalcyber.com/references/9d935f7f-bc2a-4d09-a51a-82074ffd7d77)] Custom tools may also be used to gather file and directory information and interact with the [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560). Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]\n\nSome files and directories may require elevated or specific user permissions to access.", "meta": { "platforms": [ "Linux", 
@@ -1765,7 +1772,7 @@ "value": "File and Directory Permissions Modification" }, { - "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,[[FBI-ransomware](https://app.tidalcyber.com/references/54e296c9-edcc-5af7-99be-b118da29711f)] business email compromise (BEC) and fraud,[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)] \"pig butchering,\"[[wired-pig butchering](https://app.tidalcyber.com/references/dc833e17-7105-5790-b30b-b4fed7fd2d2f)] bank hacking,[[DOJ-DPRK Heist](https://app.tidalcyber.com/references/c50d2a5b-1d44-5f18-aaff-4be9f6d3f3ac)] and exploiting cryptocurrency networks.[[BBC-Ronin](https://app.tidalcyber.com/references/8e162e39-a58f-5ba0-9a8e-101d4cfa324c)] \n\nAdversaries may [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3) to conduct unauthorized transfers of funds.[[Internet crime report 2022](https://app.tidalcyber.com/references/ef30c4eb-3da3-5c7b-a304-188acd2f7ebc)] In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://app.tidalcyber.com/technique/20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1) of a trusted entity. 
Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)] This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.[[VEC](https://app.tidalcyber.com/references/4fd7c9f7-4731-524a-b332-9cb7f2c025ae)]\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) [[NYT-Colonial](https://app.tidalcyber.com/references/58900911-ab4b-5157-968c-67fa69cc122d)] and [Exfiltration](https://app.tidalcyber.com/tactics/66249a6d-be4e-43ab-a295-349d03a98023) of data, followed by threatening public exposure unless payment is made to the adversary.[[Mandiant-leaks](https://app.tidalcyber.com/references/aecc3ffb-c524-5ad9-b621-7228f53e27c3)]\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and business disruption.[[AP-NotPetya](https://app.tidalcyber.com/references/7f1af58a-33fd-538f-b092-789a8776780c)]", + "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. 
Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,[[FBI-ransomware](https://app.tidalcyber.com/references/54e296c9-edcc-5af7-99be-b118da29711f)] business email compromise (BEC) and fraud,[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)] \"pig butchering,\"[[wired-pig butchering](https://app.tidalcyber.com/references/dc833e17-7105-5790-b30b-b4fed7fd2d2f)] bank hacking,[[DOJ-DPRK Heist](https://app.tidalcyber.com/references/c50d2a5b-1d44-5f18-aaff-4be9f6d3f3ac)] and exploiting cryptocurrency networks.[[BBC-Ronin](https://app.tidalcyber.com/references/8e162e39-a58f-5ba0-9a8e-101d4cfa324c)] \n\nAdversaries may [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3) to conduct unauthorized transfers of funds.[[Internet crime report 2022](https://app.tidalcyber.com/references/ef30c4eb-3da3-5c7b-a304-188acd2f7ebc)] In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://app.tidalcyber.com/technique/20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1) of a trusted entity. 
Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.[[FBI-BEC](https://app.tidalcyber.com/references/3388bfec-7822-56dc-a384-95aa79f42fe8)] This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.[[VEC](https://app.tidalcyber.com/references/4fd7c9f7-4731-524a-b332-9cb7f2c025ae)]\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3) [[NYT-Colonial](https://app.tidalcyber.com/references/58900911-ab4b-5157-968c-67fa69cc122d)] and [Exfiltration](https://app.tidalcyber.com/tactics/66249a6d-be4e-43ab-a295-349d03a98023) of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.[[Mandiant-leaks](https://app.tidalcyber.com/references/aecc3ffb-c524-5ad9-b621-7228f53e27c3)] Adversaries may use dedicated leak sites to distribute victim data.[[Crowdstrike-leaks](https://app.tidalcyber.com/references/a91c3252-94b8-52a8-bb0d-cadac6afa161)]\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and business disruption.[[AP-NotPetya](https://app.tidalcyber.com/references/7f1af58a-33fd-538f-b092-789a8776780c)]", "meta": { "platforms": [ "Google Workspace", 
@@ -1865,7 +1872,7 @@ "value": "Gather Victim Host Information" }, { - "description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.[[GrimBlog UsernameEnum](https://app.tidalcyber.com/references/cab25908-63da-484d-8c42-4451f46086e2)] Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).[[OPM Leak](https://app.tidalcyber.com/references/b67ed4e9-ed44-460a-bd59-c978bdfda32f)][[Register Deloitte](https://app.tidalcyber.com/references/e6b10687-8666-4c9c-ac77-1988378e096d)][[Register Uber](https://app.tidalcyber.com/references/89b85928-a962-4230-875c-63742b3c9d37)][[Detectify Slack Tokens](https://app.tidalcyber.com/references/46c40ed4-5a15-4b38-b625-bebc569dbf69)][[Forbes GitHub Creds](https://app.tidalcyber.com/references/303f8801-bdd6-4a0c-a90a-37867898c99c)][[GitHub truffleHog](https://app.tidalcyber.com/references/324a563f-55ee-49e9-9fc7-2b8e35f36875)][[GitHub Gitrob](https://app.tidalcyber.com/references/1dee0842-15cc-4835-b8a8-938e0c94807b)][[CNET 
Leaks](https://app.tidalcyber.com/references/46df3a49-e7c4-4169-b35c-0aecc78c31ea)]\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).", + "description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06). Information about users could also be enumerated via other active means (i.e. 
[Active Scanning](https://app.tidalcyber.com/technique/a930437d-5a12-4dc4-b311-f5fd6a766c85)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system or permitted MFA /methods associated with those usernames.[[GrimBlog UsernameEnum](https://app.tidalcyber.com/references/cab25908-63da-484d-8c42-4451f46086e2)][[Obsidian SSPR Abuse 2023](https://app.tidalcyber.com/references/7f28f770-ef06-5923-b759-b731ceabe08a)] Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://app.tidalcyber.com/technique/d97c3d34-1210-4c71-b305-59dcccab8f45) or [Search Victim-Owned Websites](https://app.tidalcyber.com/technique/c55c0462-d59f-4bd8-9728-05cf711917b0)).[[OPM Leak](https://app.tidalcyber.com/references/b67ed4e9-ed44-460a-bd59-c978bdfda32f)][[Register Deloitte](https://app.tidalcyber.com/references/e6b10687-8666-4c9c-ac77-1988378e096d)][[Register Uber](https://app.tidalcyber.com/references/89b85928-a962-4230-875c-63742b3c9d37)][[Detectify Slack Tokens](https://app.tidalcyber.com/references/46c40ed4-5a15-4b38-b625-bebc569dbf69)][[Forbes GitHub Creds](https://app.tidalcyber.com/references/303f8801-bdd6-4a0c-a90a-37867898c99c)][[GitHub truffleHog](https://app.tidalcyber.com/references/324a563f-55ee-49e9-9fc7-2b8e35f36875)][[GitHub Gitrob](https://app.tidalcyber.com/references/1dee0842-15cc-4835-b8a8-938e0c94807b)][[CNET Leaks](https://app.tidalcyber.com/references/46df3a49-e7c4-4169-b35c-0aecc78c31ea)]\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://app.tidalcyber.com/technique/f2d216e3-43d6-4a2e-aa5b-d6be78d018b6) or [Phishing for Information](https://app.tidalcyber.com/technique/b6fe2fda-9c05-4f05-b049-7bb5b9ba5b06)), establishing operational resources (ex: [Compromise Accounts](https://app.tidalcyber.com/technique/c6374cbe-799a-4648-b1e2-2a66bb42d3f3)), and/or initial 
access (ex: [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) or [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).", "meta": { "platforms": [ "PRE" 
@@ -1916,7 +1923,7 @@ "value": "Gather Victim Org Information" }, { - "description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.[[TechNet Group Policy Basics](https://app.tidalcyber.com/references/9b9c8c6c-c272-424e-a594-a34b7bf62477)][[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]\n\nAdversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.[[Microsoft gpresult](https://app.tidalcyber.com/references/88af38e8-e437-4153-80af-a1be8c6a8629)][[Github PowerShell Empire](https://app.tidalcyber.com/references/017ec673-454c-492a-a65b-10d3a20dfdab)] Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://app.tidalcyber.com/technique/d092a9e1-63d0-415d-8cd0-666a261be5d9)) for their benefit.", + "description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). 
Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.[[TechNet Group Policy Basics](https://app.tidalcyber.com/references/9b9c8c6c-c272-424e-a594-a34b7bf62477)][[ADSecurity GPO Persistence 2016](https://app.tidalcyber.com/references/e304715f-7da1-4342-ba5b-d0387d93aeb2)]\n\nAdversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.[[Microsoft gpresult](https://app.tidalcyber.com/references/88af38e8-e437-4153-80af-a1be8c6a8629)][[Github PowerShell Empire](https://app.tidalcyber.com/references/017ec673-454c-492a-a65b-10d3a20dfdab)] Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://app.tidalcyber.com/technique/d092a9e1-63d0-415d-8cd0-666a261be5d9)) for their benefit.", "meta": { "platforms": [ "Windows" 
@@ -1971,6 +1978,26 @@ "uuid": "f37f0cd5-0446-415f-9309-94e25aa1165d", "value": "Hide Artifacts" }, + { + "description": "Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished in various ways including by identifying and filtering traffic from defensive tools,[[TA571](https://app.tidalcyber.com/references/5b463ad7-f425-5e70-b0b0-28514730a888)] masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,[[Schema-abuse](https://app.tidalcyber.com/references/75b860d9-a48d-57de-ba1e-b0db970abb1b)][[Facad1ng](https://app.tidalcyber.com/references/bd80f3d7-e653-5f8f-ba8a-00b8780ae935)][[Browser-updates](https://app.tidalcyber.com/references/89e913a8-1d52-53fe-b692-fb72e21d794f)] and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.\n\nC2 networks may include the use of [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address to closer align with a victim's IP address ranges. 
This may also bypass security measures relying on geolocation of the source IP address.[[sysdig](https://app.tidalcyber.com/references/80cb54c2-2c44-5e19-bbc5-da9f4aaf976a)][[Orange Residential Proxies](https://app.tidalcyber.com/references/df4b99f3-1796-57b3-a352-37be5380badc)]\n\nAdversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents.[[mod_rewrite](https://app.tidalcyber.com/references/3568b09c-7368-5fc2-85b3-d16ee9b9c686)][[SocGholish-update](https://app.tidalcyber.com/references/01d9c3ba-29e2-5090-b399-0e7adf50a6b9)] Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8)).[[TA571](https://app.tidalcyber.com/references/5b463ad7-f425-5e70-b0b0-28514730a888)][[mod_rewrite](https://app.tidalcyber.com/references/3568b09c-7368-5fc2-85b3-d16ee9b9c686)]\n\nHiding C2 infrastructure may also be supported by [Resource Development](https://app.tidalcyber.com/tactics/989d09c2-12b8-4419-9b34-a328cf295fff) activities such as [Acquire Infrastructure](https://app.tidalcyber.com/technique/66ce76fb-5e1b-4462-9b46-d59bdfc6d3f3) and [Compromise Infrastructure](https://app.tidalcyber.com/technique/c12d81d3-abe4-43d7-8a65-f4b3150e722d). 
For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.[[StarBlizzard](https://app.tidalcyber.com/references/68b16960-1893-51a1-b46c-974a09d4a0c4)][[QR-cofense](https://app.tidalcyber.com/references/eda8270f-c76f-5d01-b45f-74246945ec50)]", + "meta": { + "platforms": [ + "Linux", + "macOS", + "Network", + "Windows" + ], + "source": "MITRE" + }, + "related": [ + { + "dest-uuid": "94ffe549-1c29-438d-9c7f-e27f7acee0bb", + "type": "uses" + } + ], + "uuid": "a3a2a527-39e7-58b4-a3cc-932eb0cef562", + "value": "Hide Infrastructure" + }, { "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.", "meta": { 
@@ -2102,11 +2129,12 @@ "value": "Indirect Command Execution" }, { - "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://app.tidalcyber.com/software/062deac9-8f05-44e2-b347-96b59ba166ca). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f)). \n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043), and [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.[[t1105_lolbas](https://app.tidalcyber.com/references/80e649f5-6c74-4d66-a452-4f4cd51501da)]\n\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://app.tidalcyber.com/technique/a729feee-8e21-444e-8eea-2ec595b09931)s as well as native or otherwise present tools on the victim system.[[PTSecurity Cobalt Dec 2016](https://app.tidalcyber.com/references/2de4d38f-c99d-4149-89e6-0349a4902aa2)] In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. 
For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.[[Dropbox Malware Sync](https://app.tidalcyber.com/references/06ca63fa-8c6c-501c-96d3-5e7e45ca1e04)]", + "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://app.tidalcyber.com/software/062deac9-8f05-44e2-b347-96b59ba166ca). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://app.tidalcyber.com/technique/3dea57fc-3131-408b-a1fd-ff2eea1d858f)). \n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043), and [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.[[t1105_lolbas](https://app.tidalcyber.com/references/80e649f5-6c74-4d66-a452-4f4cd51501da)]\n\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. 
Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) (typically after interacting with [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533) lures).[[T1105: Trellix_search-ms](https://app.tidalcyber.com/references/7079d170-9ead-5be4-bbc8-13c3f082b3dd)]\n\nFiles can also be transferred using various [Web Service](https://app.tidalcyber.com/technique/a729feee-8e21-444e-8eea-2ec595b09931)s as well as native or otherwise present tools on the victim system.[[PTSecurity Cobalt Dec 2016](https://app.tidalcyber.com/references/2de4d38f-c99d-4149-89e6-0349a4902aa2)] In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.[[Dropbox Malware Sync](https://app.tidalcyber.com/references/06ca63fa-8c6c-501c-96d3-5e7e45ca1e04)]", "meta": { "platforms": [ "Linux", "macOS", + "Network", "Windows" ], "source": "MITRE" 
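Review bot: The citation label added with the search-ms sentence, `[[T1105: Trellix_search-ms](…)]`, mixes a technique-ID prefix, a colon and an underscore, unlike the other labels in this hunk (`[[t1105_lolbas](…)]`, `[[PTSecurity Cobalt Dec 2016](…)]`); if these labels are matched against the entry's refs list by string, it is worth confirming the identical string is present there. The new value also keeps a trailing space before `\n\n` after the Lateral Tool Transfer parenthesis. Both look imported verbatim from the upstream MITRE description, so the correction belongs in the generator or upstream rather than a hand edit of this cluster.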
@@ -2121,7 +2149,7 @@ "value": "Ingress Tool Transfer" }, { - "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)][[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)] This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3).[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)][[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)] Furthermore, adversaries may disable recovery notifications, then corrupt backups.[[disable_notif_synology_ransom](https://app.tidalcyber.com/references/d53e8f89-df78-565b-a316-cf2644c5ed36)]\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} 
bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n\nOn network devices, adversaries may leverage [Disk Wipe](https://app.tidalcyber.com/technique/ea2b3980-05fd-41a3-8ab9-3106e833c821) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.[[ZDNet Ransomware Backups 2020](https://app.tidalcyber.com/references/301da9c8-60de-58f0-989f-6b504e3457a3)] In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.[[Dark Reading Code Spaces Cyber Attack](https://app.tidalcyber.com/references/e5a3028a-f4cc-537c-9ddd-769792ab33be)][[Rhino Security Labs AWS S3 Ransomware](https://app.tidalcyber.com/references/785c6b11-c5f0-5cb4-931b-cf75fcc368a1)]", + "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)][[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)] This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. 
Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://app.tidalcyber.com/technique/e5016c2b-85fe-4e6b-917d-0dd5b441cc34) and [Data Encrypted for Impact](https://app.tidalcyber.com/technique/f0c36d24-263c-4811-8784-f716c77ec6b3).[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)][[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)] Furthermore, adversaries may disable recovery notifications, then corrupt backups.[[disable_notif_synology_ransom](https://app.tidalcyber.com/references/d53e8f89-df78-565b-a316-cf2644c5ed36)]\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://app.tidalcyber.com/technique/c37795d9-8970-461f-9491-3086d6b4b69a) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no\n* REAgentC.exe can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n* diskshadow.exe can be used to delete all volume shadow copies on a system - diskshadow delete shadows all [[Diskshadow](https://app.tidalcyber.com/references/9e8b57a5-7e31-5add-ac3e-8b9c0f7f27aa)] [[Crytox Ransomware](https://app.tidalcyber.com/references/7c22d9d0-a2d8-5936-a6b1-5c696a2a19c6)]\n\nOn network devices, adversaries may leverage [Disk Wipe](https://app.tidalcyber.com/technique/ea2b3980-05fd-41a3-8ab9-3106e833c821) to delete backup 
firmware images and reformat the file system, then [System Shutdown/Reboot](https://app.tidalcyber.com/technique/24787dca-6afd-4ab3-ab6c-32e9486ec418) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.[[ZDNet Ransomware Backups 2020](https://app.tidalcyber.com/references/301da9c8-60de-58f0-989f-6b504e3457a3)] In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.[[Dark Reading Code Spaces Cyber Attack](https://app.tidalcyber.com/references/e5a3028a-f4cc-537c-9ddd-769792ab33be)][[Rhino Security Labs AWS S3 Ransomware](https://app.tidalcyber.com/references/785c6b11-c5f0-5cb4-931b-cf75fcc368a1)]", "meta": { "platforms": [ "Containers", 
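Review bot: The added diskshadow.exe bullet separates its two citations with spaces, `[[Diskshadow](…)] [[Crytox Ransomware](…)]`, while every other multi-citation in this description is written back-to-back as `)][[`; for consistent rendering it should read `[[Diskshadow](…)][[Crytox Ransomware](…)]` with no space between them and none before the first bracket. This appears to be the upstream MITRE wording, so fixing it at the source the generator reads from is preferable to editing the JSON by hand.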
@@ -2167,7 +2195,7 @@ "value": "Input Capture" }, { - "description": "Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged campaign where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.[[Trend Micro When Phishing Starts from the Inside 2017](https://app.tidalcyber.com/references/dbdc2009-a468-439b-bd96-e6153b3fb8a1)]\n\nAdversaries may leverage [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291) or [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://app.tidalcyber.com/technique/5ee96331-a7b7-4c32-a8f1-3fb164078f5f) on sites that mimic email login interfaces.\n\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.[[Trend Micro When Phishing Starts from the Inside 2017](https://app.tidalcyber.com/references/dbdc2009-a468-439b-bd96-e6153b3fb8a1)] The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. 
Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.[[THE FINANCIAL TIMES LTD 2019.](https://app.tidalcyber.com/references/5a01f0b7-86f7-44a1-bf35-46a631402ceb)]", + "description": "After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://app.tidalcyber.com/technique/20417e43-6ffa-5d36-a2ef-e27cd5a4b8f1).[[Trend Micro - Int SP](https://app.tidalcyber.com/references/1c21c911-11db-560c-b623-5937dc478b74)]\n\nFor example, adversaries may leverage [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291) or [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://app.tidalcyber.com/technique/5ee96331-a7b7-4c32-a8f1-3fb164078f5f) on sites that mimic login interfaces.\n\nAdversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.[[Int SP - chat apps](https://app.tidalcyber.com/references/8d0db0f2-9b29-5216-8c9c-de8bf0c541de)]", "meta": { "platforms": [ "Google Workspace", 
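Review bot: The new description keeps the grammatical slip `Internal spearphishing is multi-staged campaign` (it should read `is a multi-staged campaign`); it was in the old text as well, and since the value mirrors the upstream MITRE description the correction should be made upstream or in the import step rather than by hand. The rewrite also drops the two Trend Micro / Financial Times citations and introduces `[[Trend Micro - Int SP]]` and `[[Int SP - chat apps]]`; the entry's refs list lies outside this hunk, so it is worth checking it was regenerated with the description so the superseded references do not linger and the new labels resolve.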
@@ -2247,7 +2275,7 @@
 "value": "Log Enumeration"
 },
 {
- "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd).[[LOLBAS Main Site](https://app.tidalcyber.com/references/615f6fa5-3059-49fc-9fa4-5ca0aeff4331)] Masquerading may also include the use of [Proxy](https://app.tidalcyber.com/technique/ba6a869a-c870-4be6-bc08-e078f0efdc3b) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.",
+ "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd).[[LOLBAS Main Site](https://app.tidalcyber.com/references/615f6fa5-3059-49fc-9fa4-5ca0aeff4331)]",
 "meta": {
 "platforms": [
 "Containers",
@@ -2370,7 +2398,7 @@ "value": "Multi-Factor Authentication Interception" }, { - "description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”[[Russian 2FA Push Annoyance - Cimpanu](https://app.tidalcyber.com/references/ad2b0648-b657-4daa-9510-82375a252fc4)][[MFA Fatigue Attacks - PortSwigger](https://app.tidalcyber.com/references/1b7b0f00-71ba-4762-ae81-bce24591cff4)][[Suspected Russian Activity Targeting Government and Business Entities Around the Globe](https://app.tidalcyber.com/references/f45a0551-8d49-4d40-989f-659416dc25ec)]", + "description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. 
To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. If adversaries lack credentials to victim accounts, they may also abuse automatic push notification generation when this option is configured for self-service password reset (SSPR).[[Obsidian SSPR Abuse 2023](https://app.tidalcyber.com/references/7f28f770-ef06-5923-b759-b731ceabe08a)]\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”[[Russian 2FA Push Annoyance - Cimpanu](https://app.tidalcyber.com/references/ad2b0648-b657-4daa-9510-82375a252fc4)][[MFA Fatigue Attacks - PortSwigger](https://app.tidalcyber.com/references/1b7b0f00-71ba-4762-ae81-bce24591cff4)][[Suspected Russian Activity Targeting Government and Business Entities Around the Globe](https://app.tidalcyber.com/references/f45a0551-8d49-4d40-989f-659416dc25ec)]", "meta": { "platforms": [ "Azure AD", 
@@ -2515,7 +2543,7 @@ "value": "Network Share Discovery" }, { - "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://app.tidalcyber.com/technique/b44a263f-76b2-4a1f-baeb-dd285974eca6), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. 
For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.[[AWS Traffic Mirroring](https://app.tidalcyber.com/references/6b77a2f3-39b8-4574-8dee-cde7ba9debff)][[GCP Packet Mirroring](https://app.tidalcyber.com/references/c91c6399-3520-4410-936d-48c3b13235ca)][[Azure Virtual Network TAP](https://app.tidalcyber.com/references/3f106d7e-f101-4adb-bbd1-d8c04a347f85)] Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)][[SpecterOps AWS Traffic Mirroring](https://app.tidalcyber.com/references/6ab2cfa1-230f-498e-8049-fcdd2f7296dd)] The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)]\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `monitor capture`.[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)][[capture_embedded_packet_on_software](https://app.tidalcyber.com/references/5d973180-a28a-5c8f-b13a-45d21331700f)]", + "description": "Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. 
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://app.tidalcyber.com/technique/b44a263f-76b2-4a1f-baeb-dd285974eca6), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and/or [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9) (AiTM) to passively gain additional knowledge about the environment.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. 
For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.[[AWS Traffic Mirroring](https://app.tidalcyber.com/references/6b77a2f3-39b8-4574-8dee-cde7ba9debff)][[GCP Packet Mirroring](https://app.tidalcyber.com/references/c91c6399-3520-4410-936d-48c3b13235ca)][[Azure Virtual Network TAP](https://app.tidalcyber.com/references/3f106d7e-f101-4adb-bbd1-d8c04a347f85)] Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)][[SpecterOps AWS Traffic Mirroring](https://app.tidalcyber.com/references/6ab2cfa1-230f-498e-8049-fcdd2f7296dd)] The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.[[Rhino Security Labs AWS VPC Traffic Mirroring](https://app.tidalcyber.com/references/09cac813-862c-47c8-a47f-154c5436afbb)]\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `monitor capture`.[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)][[capture_embedded_packet_on_software](https://app.tidalcyber.com/references/5d973180-a28a-5c8f-b13a-45d21331700f)]", "meta": { "platforms": [ "IaaS", @@ -2584,6 +2612,7 @@ "platforms": [ "Linux", "macOS", + "Network", "Windows" ], "source": "MITRE" 
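Review bot: In the rewritten Network Sniffing description, `Transfer Data to Cloud Account` is still plain text while every other technique and tactic name in the same paragraphs is a markdown link (`[Lateral Movement](…/tactics/…)`, `[Adversary-in-the-Middle](…/technique/…)`), so it will not render as a cross-reference; it should become `[Transfer Data to Cloud Account](https://app.tidalcyber.com/technique/<TECHNIQUE-UUID-PLACEHOLDER>)` with the real identifier taken from the catalogue. The new phrase `may likely also utilize` is also awkward and reads better as `may also use`. Both carry over from the upstream MITRE text, so correcting them where the generator reads from is preferable to a hand edit of the JSON.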
@@ -2633,7 +2662,7 @@
 "value": "Office Application Startup"
 },
 {
- "description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n",
+ "description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.[[Brining MimiKatz to Unix](https://app.tidalcyber.com/references/5ad06565-6694-4c42-81c9-880d66f6d07f)] Credentials can then be used to perform [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n",
 "meta": {
 "platforms": [
 "Linux",
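Review bot: The added citation label `[[Brining MimiKatz to Unix](…/references/5ad06565-…)]` looks like a typo for "Bringing", and the new value still ends with a trailing `\n` inside the string (`…likely exist as well.\n"`), which the neighbouring descriptions on this page do not carry. If the label must match an entry in the refs list, renaming it in the description alone would break that link, so the rename has to cover both; as the text mirrors the upstream MITRE description, the cleanest fix is at the source the generator consumes.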
@@ -2817,7 +2846,7 @@ "value": "Pre-OS Boot" }, { - "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://app.tidalcyber.com/technique/710ae610-0556-44e5-9de9-8be6159a23dd) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://app.tidalcyber.com/software/abae8f19-9497-4a71-82b6-ae6edd26ad98) utility via [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or Get-Process via [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Information about processes can also be extracted from the output of [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.\n\nOn network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show processes` can be used to display current running processes.[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)][[show_processes_cisco_cmd](https://app.tidalcyber.com/references/944e529b-5e8a-54a1-b205-71dcb7dd304f)]", + "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. 
Adversaries may use the information from [Process Discovery](https://app.tidalcyber.com/technique/710ae610-0556-44e5-9de9-8be6159a23dd) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://app.tidalcyber.com/software/abae8f19-9497-4a71-82b6-ae6edd26ad98) utility via [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or Get-Process via [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Information about processes can also be extracted from the output of [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show processes` can be used to display current running processes.[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)][[show_processes_cisco_cmd](https://app.tidalcyber.com/references/944e529b-5e8a-54a1-b205-71dcb7dd304f)]", "meta": { "platforms": [ "Linux", 
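Review bot: The rewrite puts `/proc` and `show processes` in backticks but leaves `ps`, `Get-Process` and `CreateToolhelp32Snapshot` as plain text in the same description, and leaves a stray space before `\n\n` after `/proc`. Formatting those identifiers as inline code too and trimming the whitespace would make the entry self-consistent; since the value is imported from the upstream MITRE description, apply the change at the source rather than by hand here.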
@@ -2916,7 +2945,7 @@
 "value": "Query Registry"
 },
 {
- "description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).[[Introducing Donut](https://app.tidalcyber.com/references/8fd099c6-e002-44d0-8b7f-65f290a42c07)][[S1 Custom Shellcode Tool](https://app.tidalcyber.com/references/f49bfd00-48d5-4d84-a7b7-cb23fcdf861b)][[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)][[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)][[Mandiant BYOL](https://app.tidalcyber.com/references/445efe8b-659a-4023-afc7-aa7cd21ee5a1)]\n\nReflective code injection is very similar to [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. 
Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.[[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)][[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)][[Intezer ACBackdoor](https://app.tidalcyber.com/references/e6cb833f-cf18-498b-a233-848853423412)][[S1 Old Rat New Tricks](https://app.tidalcyber.com/references/20ef3645-fb92-4e13-a5a8-99367869bcba)]",
+ "description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://app.tidalcyber.com/technique/8941d1f4-d80c-4aaa-821a-a059c2a0f854)).\n\nReflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).[[Introducing Donut](https://app.tidalcyber.com/references/8fd099c6-e002-44d0-8b7f-65f290a42c07)][[S1 Custom Shellcode Tool](https://app.tidalcyber.com/references/f49bfd00-48d5-4d84-a7b7-cb23fcdf861b)][[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)][[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)][[Mandiant BYOL](https://app.tidalcyber.com/references/445efe8b-659a-4023-afc7-aa7cd21ee5a1)] For example, the `Assembly.Load()` method executed by [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) may be abused to load raw code into the running process.[[Microsoft AssemblyLoad](https://app.tidalcyber.com/references/3d980d7a-7074-5812-9bb1-ca8e27e028bd)]\n\nReflective code injection is 
very similar to [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.[[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)][[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)][[Intezer ACBackdoor](https://app.tidalcyber.com/references/e6cb833f-cf18-498b-a233-848853423412)][[S1 Old Rat New Tricks](https://app.tidalcyber.com/references/20ef3645-fb92-4e13-a5a8-99367869bcba)]",
 "meta": {
 "platforms": [
 "Linux", 
@@ -2935,7 +2964,7 @@
 "value": "Reflective Code Loading"
 },
 {
- "description": "An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.[[Symantec Living off the Land](https://app.tidalcyber.com/references/4bad4659-f501-4eb6-b3ca-0359e3ba824e)][[CrowdStrike 2015 Global Threat Report](https://app.tidalcyber.com/references/50d467da-286b-45f3-8d5a-e9d8632f7bf1)][[CrySyS Blog TeamSpy](https://app.tidalcyber.com/references/f21ea3e2-7983-44d2-b78f-80d84bbc4f52)]\n\nRemote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://app.tidalcyber.com/technique/31c6dd3c-3eb2-46a9-ab85-9e8e145810a1)).",
+ "description": "An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. 
These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.[[Symantec Living off the Land](https://app.tidalcyber.com/references/4bad4659-f501-4eb6-b3ca-0359e3ba824e)][[CrowdStrike 2015 Global Threat Report](https://app.tidalcyber.com/references/50d467da-286b-45f3-8d5a-e9d8632f7bf1)][[CrySyS Blog TeamSpy](https://app.tidalcyber.com/references/f21ea3e2-7983-44d2-b78f-80d84bbc4f52)]\n\nRemote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://app.tidalcyber.com/technique/31c6dd3c-3eb2-46a9-ab85-9e8e145810a1)). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).[[Google Chrome Remote Desktop](https://app.tidalcyber.com/references/70c87a07-38eb-53d2-8b63-013eb3ce62c8)][[Chrome Remote Desktop](https://app.tidalcyber.com/references/c1b2d0e9-2396-5080-aea3-58a99c027d20)]",
 "meta": {
 "platforms": [
 "Linux", 
@@ -3302,12 +3331,13 @@
 "value": "Shared Modules"
 },
 {
- "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). \n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. [[Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation](https://app.tidalcyber.com/references/a43dd8ce-23d6-5768-8522-6973dc45e1ac)]\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.",
+ "description": "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. 
\n\nAccess to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://app.tidalcyber.com/technique/944a7b91-c58e-567d-9e2c-515b93713c50) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Azure AD.[[SpecterOps Lateral Movement from Azure to On-Prem AD 2020](https://app.tidalcyber.com/references/eb97d3d6-21cb-5f27-9a78-1e8576acecdc)] Such services may also utilize [Web Protocols](https://app.tidalcyber.com/technique/9a21ec7b-9714-4073-9bf3-4df41995c698) to communicate back to adversary owned infrastructure.[[Mitiga Security Advisory: SSM Agent as Remote Access Trojan](https://app.tidalcyber.com/references/88fecbcd-a89b-536a-a1f6-6ddfb2b452da)]\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.[[Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation](https://app.tidalcyber.com/references/a43dd8ce-23d6-5768-8522-6973dc45e1ac)]\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.",
 "meta": {
 "platforms": [
 "Linux",
 "macOS",
 "Network",
+ "SaaS",
 "Windows"
 ],
 "source": "MITRE" 
@@ -3326,16 +3356,12 @@
 "value": "Software Deployment Tools"
 },
 {
- "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c).",
+ "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nSuch software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://app.tidalcyber.com/technique/1bcf9fb5-6848-44d9-b394-ffbd3c357058), and may allow adversaries broad access to infect devices or move laterally.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c).",
 "meta": {
 "platforms": [
- "Azure AD",
- "Google Workspace",
 "IaaS",
 "Linux",
 "macOS",
- 
"Office 365",
- "SaaS",
 "Windows"
 ],
 "source": "MITRE" 
@@ -3367,7 +3393,7 @@
 "value": "Stage Capabilities"
 },
 {
- "description": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).[[Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019](https://app.tidalcyber.com/references/8ec52402-7e54-463d-8906-f373e5855018)] OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nIn Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.[[Kubernetes Service Accounts](https://app.tidalcyber.com/references/a74ffa28-8a2e-4bfd-bc66-969b463bebd9)]\n\nToken theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. 
An example commonly-used sequence is Microsoft's Authorization Code Grant flow.[[Microsoft Identity Platform Protocols May 2019](https://app.tidalcyber.com/references/a99d2292-be39-4e55-a952-30c9d6a3d0a3)][[Microsoft - OAuth Code Authorization flow - June 2019](https://app.tidalcyber.com/references/a41c2123-8b8d-4f98-a535-e58e3e746b69)] An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.[[Amnesty OAuth Phishing Attacks, August 2019](https://app.tidalcyber.com/references/0b0f9cf6-f0af-4f86-9699-a63ff36c49e2)][[Trend Micro Pawn Storm OAuth 2017](https://app.tidalcyber.com/references/7d12c764-facd-4086-acd0-5c0287344520)] The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.[[Microsoft - Azure AD App Registration - May 2019](https://app.tidalcyber.com/references/36a06c99-55ca-4163-9450-c3b84ae10039)] Then, they can send a [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).[[Microsoft - Azure AD Identity Tokens - Aug 2019](https://app.tidalcyber.com/references/44767d53-8cd7-44dd-a69d-8a7bebc1d87d)]\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. 
However, in some cases, adversaries can also steal application refresh tokens[[Auth0 Understanding Refresh Tokens](https://app.tidalcyber.com/references/84eb3d8a-f6b1-4bb5-9411-2c8da29b5946)], allowing them to obtain new access tokens without prompting the user. \n\n",
+ "description": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).[[Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019](https://app.tidalcyber.com/references/8ec52402-7e54-463d-8906-f373e5855018)] Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nFor example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.[[Kubernetes Service Accounts](https://app.tidalcyber.com/references/a74ffa28-8a2e-4bfd-bc66-969b463bebd9)] Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.[[Cider Security Top 10 CICD Security Risks](https://app.tidalcyber.com/references/512974b7-b464-52af-909a-2cb880b524e5)] If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.\n\nToken theft can also occur through social engineering, in which case user action may be required to grant access. 
OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.[[Microsoft Identity Platform Protocols May 2019](https://app.tidalcyber.com/references/a99d2292-be39-4e55-a952-30c9d6a3d0a3)][[Microsoft - OAuth Code Authorization flow - June 2019](https://app.tidalcyber.com/references/a41c2123-8b8d-4f98-a535-e58e3e746b69)] An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.[[Amnesty OAuth Phishing Attacks, August 2019](https://app.tidalcyber.com/references/0b0f9cf6-f0af-4f86-9699-a63ff36c49e2)][[Trend Micro Pawn Storm OAuth 2017](https://app.tidalcyber.com/references/7d12c764-facd-4086-acd0-5c0287344520)] The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.[[Microsoft - Azure AD App Registration - May 2019](https://app.tidalcyber.com/references/36a06c99-55ca-4163-9450-c3b84ae10039)] Then, they can send a [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) to the target user to entice them to grant access to the application. 
Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).[[Microsoft - Azure AD Identity Tokens - Aug 2019](https://app.tidalcyber.com/references/44767d53-8cd7-44dd-a69d-8a7bebc1d87d)]\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens[[Auth0 Understanding Refresh Tokens](https://app.tidalcyber.com/references/84eb3d8a-f6b1-4bb5-9411-2c8da29b5946)], allowing them to obtain new access tokens without prompting the user. \n\n",
 "meta": {
 "platforms": [
 "Azure AD", 
@@ -3427,7 +3453,7 @@
 "value": "Steal or Forge Kerberos Tickets"
 },
 {
- "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]\n\nThere are several examples of malware targeting cookies from web browsers on the local system.[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)][[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)] There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)) that can be set up by an adversary and used in phishing campaigns.[[Github evilginx2](https://app.tidalcyber.com/references/322e5d90-5095-47ea-b0e2-e7e5fb45fcca)][[GitHub Mauraena](https://app.tidalcyber.com/references/578ecf62-b546-4f52-9d50-92557edf2dd4)]\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1) technique to login to the corresponding web 
application.",
+ "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]\n\nThere are several examples of malware targeting cookies from web browsers on the local system.[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)][[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)] Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) by tricking victims into running malicious JavaScript in their browser.[[Talos Roblox Scam 2023](https://app.tidalcyber.com/references/9371ee4a-ac23-5acb-af3f-132ef3645392)][[Krebs Discord Bookmarks 2023](https://app.tidalcyber.com/references/1d0a21f4-9a8e-5514-894a-3d55263ff973)]\n\nThere are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)) that can be set up by an adversary and used 
in phishing campaigns.[[Github evilginx2](https://app.tidalcyber.com/references/322e5d90-5095-47ea-b0e2-e7e5fb45fcca)][[GitHub Mauraena](https://app.tidalcyber.com/references/578ecf62-b546-4f52-9d50-92557edf2dd4)]\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1) technique to login to the corresponding web application.",
 "meta": {
 "platforms": [
 "Google Workspace", 
@@ -3683,9 +3709,11 @@
 "value": "System Shutdown/Reboot"
 },
 {
- "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. [[MSDN System Time](https://app.tidalcyber.com/references/5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec)][[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) on Windows by performing net time \\\\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]\n\nOn network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show clock detail` can be used to see the current time configuration.[[show_clock_detail_cisco_cmd](https://app.tidalcyber.com/references/a2215813-31b0-5624-92d8-479e7bd1a30b)]\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8)[[RSA EU12 They're Inside](https://app.tidalcyber.com/references/8330ab88-9c73-4332-97d6-c1fb95b1a155)], or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c)). 
Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.[[AnyRun TimeBomb](https://app.tidalcyber.com/references/cd369bf9-80a8-426f-a0aa-c9745b40696c)]",
+ "description": "An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup on macOS.[[MSDN System Time](https://app.tidalcyber.com/references/5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec)][[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)][[systemsetup mac time](https://app.tidalcyber.com/references/a85bd111-a2ca-5e66-b90e-f52ff780fc5c)] These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.[[Mac Time Sync](https://app.tidalcyber.com/references/b36dd8af-045d-57b0-b0a9-45d831fe6373)][[linux system time](https://app.tidalcyber.com/references/2dfd22d7-c78b-5967-b732-736f37ea5489)]\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) on Windows by performing net time \\\\hostname to gather the system time on a remote system. 
The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz.[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)] In addition, adversaries can discover device uptime through functions such as GetTickCount() to determine how long it has been since the system booted up.[[Virtualization/Sandbox Evasion](https://app.tidalcyber.com/references/a3031616-f21a-574f-a9a5-a808a6230aa8)]\n\nOn network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show clock detail` can be used to see the current time configuration.[[show_clock_detail_cisco_cmd](https://app.tidalcyber.com/references/a2215813-31b0-5624-92d8-479e7bd1a30b)]\n\nIn addition, system calls – such as time() – have been used to collect the current time on Linux devices.[[MAGNET GOBLIN](https://app.tidalcyber.com/references/955b6449-4cd5-5512-a5f3-2bcb91def3ef)] On macOS systems, adversaries may use commands such as systemsetup -gettimezone or timeIntervalSinceNow to gather current time zone information or current date and time.[[System Information Discovery Technique](https://app.tidalcyber.com/references/6123fbd4-c6fc-504c-92f2-5d405730c298)][[ESET DazzleSpy Jan 2022](https://app.tidalcyber.com/references/212012ac-9084-490f-8dd2-5cc9ac6e6de1)]\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8)[[RSA EU12 They're Inside](https://app.tidalcyber.com/references/8330ab88-9c73-4332-97d6-c1fb95b1a155)], or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c)). 
Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.[[AnyRun TimeBomb](https://app.tidalcyber.com/references/cd369bf9-80a8-426f-a0aa-c9745b40696c)]",
 "meta": {
 "platforms": [
+ "Linux",
+ "macOS",
 "Network",
 "Windows"
 ], 
@@ -3767,10 +3795,13 @@ "value": "Traffic Signaling" }, { - "description": "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)] ", + "description": "Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. 
Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.[[TLDRSec AWS Attacks](https://app.tidalcyber.com/references/b8de9dd2-3c57-5417-a24f-0260dff6afc6)]\n\nAdversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.[[Microsoft Azure Storage Shared Access Signature](https://app.tidalcyber.com/references/9031357f-04ac-5c07-a59d-97b9e32edf79)]\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)] ", "meta": { "platforms": [ - "IaaS" + "Google Workspace", + "IaaS", + "Office 365", + "SaaS" ], "source": "MITRE" }, 
@@ -3823,7 +3854,7 @@
 "value": "Trusted Relationship"
 },
 {
- "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://app.tidalcyber.com/technique/065d1cca-8ca5-4f8b-a333-2340706f589e)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://app.tidalcyber.com/technique/cdac2469-52ca-42a8-aefe-0321a7e3d658)), or other specialized files/artifacts (e.g. [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a)).",
+ "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://app.tidalcyber.com/technique/065d1cca-8ca5-4f8b-a333-2340706f589e)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://app.tidalcyber.com/technique/cdac2469-52ca-42a8-aefe-0321a7e3d658)), or other specialized files/artifacts (e.g. [Private Keys](https://app.tidalcyber.com/technique/e493bf4a-0eba-4e60-a7a6-c699084dc98a)).[[Brining MimiKatz to Unix](https://app.tidalcyber.com/references/5ad06565-6694-4c42-81c9-880d66f6d07f)]",
 "meta": {
 "platforms": [
 "Azure AD",
@@ -3892,7 +3923,7 @@ "value": "Use Alternate Authentication Material" }, { - "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).\n\nWhile [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). For example, tech support scams can be facilitated through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), vishing, or various forms of user interaction. 
Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430).[[Telephone Attack Delivery](https://app.tidalcyber.com/references/9670da7b-0600-4072-9ecc-65a918b89ac5)]", + "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533).\n\nWhile [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. 
This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).\n\nAdversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430), allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://app.tidalcyber.com/technique/17f9e46d-4e3d-4491-a0d9-0cc042531d6e)s; or downloading and executing malware for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872).[[Talos Roblox Scam 2023](https://app.tidalcyber.com/references/9371ee4a-ac23-5acb-af3f-132ef3645392)][[Krebs Discord Bookmarks 2023](https://app.tidalcyber.com/references/1d0a21f4-9a8e-5514-894a-3d55263ff973)]\n\nFor example, tech support scams can be facilitated through [Phishing](https://app.tidalcyber.com/technique/d4a36624-50cb-43d3-95af-a2e10878a533), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://app.tidalcyber.com/technique/acf828f4-7e7e-43e1-bf15-ceab42021430).[[Telephone Attack Delivery](https://app.tidalcyber.com/references/9670da7b-0600-4072-9ecc-65a918b89ac5)]", "meta": { "platforms": [ "Containers", 
@@ -4029,7 +4060,7 @@ "value": "Web Service" }, { - "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) such as [Distributed Component Object Model](https://app.tidalcyber.com/technique/ebc5fabb-5634-49f2-8979-94ea98da114a) (DCOM) and [Windows Remote Management](https://app.tidalcyber.com/technique/c2866fd3-754e-4b40-897a-e73a8c1fcf7b) (WinRM).[[MSDN WMI](https://app.tidalcyber.com/references/210ca539-71f6-4494-91ea-402a3e0e2a10)] Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.[[MSDN WMI](https://app.tidalcyber.com/references/210ca539-71f6-4494-91ea-402a3e0e2a10)][[FireEye WMI 2015](https://app.tidalcyber.com/references/135ccd72-2714-4453-9c8f-f5fde31905ee)]\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. [[FireEye WMI SANS 2015](https://app.tidalcyber.com/references/a9333ef5-5637-4a4c-9aaf-fdc9daf8b860)] [[FireEye WMI 2015](https://app.tidalcyber.com/references/135ccd72-2714-4453-9c8f-f5fde31905ee)]", + "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. 
WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.[[WMI 1-3](https://app.tidalcyber.com/references/fe0a3b0c-8526-5a0d-acb8-660bbc0c9328)] WMI is an administration feature that provides a uniform environment to access Windows system components.\n\nThe WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://app.tidalcyber.com/technique/30ef3f13-5e9b-4712-9adf-f0da4ef157a1) such as [Distributed Component Object Model](https://app.tidalcyber.com/technique/ebc5fabb-5634-49f2-8979-94ea98da114a) and [Windows Remote Management](https://app.tidalcyber.com/technique/c2866fd3-754e-4b40-897a-e73a8c1fcf7b).[[WMI 1-3](https://app.tidalcyber.com/references/fe0a3b0c-8526-5a0d-acb8-660bbc0c9328)] Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.[[WMI 1-3](https://app.tidalcyber.com/references/fe0a3b0c-8526-5a0d-acb8-660bbc0c9328)] [[Mandiant WMI](https://app.tidalcyber.com/references/8d237948-7b10-5055-b9e6-52e6cab16f32)]\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://app.tidalcyber.com/tactics/ee7e5a85-a940-46e4-b408-12956f3baafa) as well as [Execution](https://app.tidalcyber.com/tactics/dad2337d-6d35-410a-acc5-da36ff83ee44) of commands and payloads.[[Mandiant WMI](https://app.tidalcyber.com/references/8d237948-7b10-5055-b9e6-52e6cab16f32)] For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://app.tidalcyber.com/technique/d207c03b-fbe7-420e-a053-339f4650c043)).[[WMI 6](https://app.tidalcyber.com/references/df07a086-0d38-570b-b0c5-9f5061212db7)]\n\n**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by 
default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) as the primary WMI interface.[[WMI 7,8](https://app.tidalcyber.com/references/819cecb2-5bd3-5c20-bbda-372516b00d6e)] In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.[[WMI 7,8](https://app.tidalcyber.com/references/819cecb2-5bd3-5c20-bbda-372516b00d6e)]", "meta": { "platforms": [ "Windows" From 2fa94fad66beb9ad62c8c1dfc5150f30f438e99d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 16 May 2024 20:32:48 +0200 Subject: [PATCH 03/12] chg: [doc] README updated --- README.md | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 55bd5c3..b0e45b5 100644 --- a/README.md +++ b/README.md @@ -179,6 +179,14 @@ Category: *guidelines* - source: *Open Sources* - total: *23* elements [[HTML](https://www.misp-project.org/galaxy.html#_election_guidelines)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/election-guidelines.json)] +## Entity + +[Entity](https://www.misp-project.org/galaxy.html#_entity) - Description of entities that can be involved in events. + +Category: *actor* - source: *MISP Project* - total: *4* elements + +[[HTML](https://www.misp-project.org/galaxy.html#_entity)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/entity.json)] + ## Exploit-Kit [Exploit-Kit](https://www.misp-project.org/galaxy.html#_exploit-kit) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years 
@@ -255,7 +263,7 @@ Category: *attack-pattern* - source: *https://github.com/mitre-atlas/atlas-navig [MITRE ATLAS Course of Action](https://www.misp-project.org/galaxy.html#_mitre_atlas_course_of_action) - MITRE ATLAS Mitigation - Adversarial Threat Landscape for Artificial-Intelligence Systems -Category: *course-of-action* - source: *https://github.com/mitre-atlas/atlas-navigator-data* - total: *19* elements +Category: *course-of-action* - source: *https://github.com/mitre-atlas/atlas-navigator-data* - total: *20* elements [[HTML](https://www.misp-project.org/galaxy.html#_mitre_atlas_course_of_action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-atlas-course-of-action.json)] @@ -495,7 +503,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements [Producer](https://www.misp-project.org/galaxy.html#_producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large. -Category: *actor* - source: *MISP Project* - total: *15* elements +Category: *actor* - source: *MISP Project* - total: *21* elements [[HTML](https://www.misp-project.org/galaxy.html#_producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)] @@ -543,7 +551,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements [Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules. -Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2876* elements +Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2888* elements [[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] 
@@ -607,7 +615,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *671* elements +Category: *actor* - source: *MISP Project* - total: *675* elements [[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] @@ -615,7 +623,7 @@ Category: *actor* - source: *MISP Project* - total: *671* elements [Tidal Campaigns](https://www.misp-project.org/galaxy.html#_tidal_campaigns) - Tidal Campaigns Cluster -Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *41* elements +Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *48* elements [[HTML](https://www.misp-project.org/galaxy.html#_tidal_campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)] @@ -623,7 +631,7 @@ Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns [Tidal Groups](https://www.misp-project.org/galaxy.html#_tidal_groups) - Tidal Groups Galaxy -Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *163* elements +Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *172* elements [[HTML](https://www.misp-project.org/galaxy.html#_tidal_groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)] 
@@ -631,7 +639,7 @@ Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/group [Tidal References](https://www.misp-project.org/galaxy.html#_tidal_references) - Tidal References Cluster -Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *3872* elements +Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4104* elements [[HTML](https://www.misp-project.org/galaxy.html#_tidal_references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)] @@ -639,7 +647,7 @@ Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/referenc [Tidal Software](https://www.misp-project.org/galaxy.html#_tidal_software) - Tidal Software Cluster -Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *931* elements +Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *962* elements [[HTML](https://www.misp-project.org/galaxy.html#_tidal_software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)] @@ -655,7 +663,7 @@ Category: *Tactic* - source: *https://app-api.tidalcyber.com/api/v1/tactic/* - t [Tidal Technique](https://www.misp-project.org/galaxy.html#_tidal_technique) - Tidal Technique Cluster -Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *201* elements +Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *202* elements [[HTML](https://www.misp-project.org/galaxy.html#_tidal_technique)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-technique.json)] From 1d5af5c245a8d99ccb5be4f74ab3c9269841d044 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy
Date: Thu, 16 May 2024 20:35:06 +0200
Subject: [PATCH 04/12] chg: [tidal-software] remove duplicate from the API

---
 clusters/tidal-software.json | 25 -------------------------
 1 file changed, 25 deletions(-)

diff --git a/clusters/tidal-software.json b/clusters/tidal-software.json
index 2325240..5300386 100644
--- a/clusters/tidal-software.json
+++ b/clusters/tidal-software.json
@@ -5110,31 +5110,6 @@
 "uuid": "39d81c48-8f7c-54cb-8fac-485598e31a55",
 "value": "DarkGate"
 },
- {
- "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nDarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[[Bleeping Computer DarkGate October 14 2023](/references/313e5558-d8f9-4457-9004-810d9fa5340c)] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[[DarkGate Loader delivered via Teams - Truesec](/references/4222a06f-9528-4076-8037-a27012c2930c)][[Trend Micro DarkGate October 12 2023](/references/81650f5b-628b-4e76-80d6-2c15cf70d37a)]",
- "meta": {
- "owner": "TidalCyberIan",
- "platforms": [
- "Windows"
- ],
- "software_attack_id": "S5266",
- "source": "Tidal Cyber",
- "tags": [
- "84615fe0-c2a5-4e07-8957-78ebc29b4635"
- ],
- "type": [
- "malware"
- ]
- },
- "related": [
- {
- "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a",
- "type": "used-by"
- }
- ],
- "uuid": "7144b703-f471-4bde-bedc-e8b274854de5",
- "value": "DarkGate"
- },
 {
 "description": "[DarkTortilla](https://app.tidalcyber.com/software/35abcb6b-3259-57c1-94fc-50cfd5bde786) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. 
[DarkTortilla](https://app.tidalcyber.com/software/35abcb6b-3259-57c1-94fc-50cfd5bde786) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://app.tidalcyber.com/software/304650b1-a0b5-460c-9210-23a5b53815a4), AsyncRat, [NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1), RedLine, [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), and Metasploit.[[Secureworks DarkTortilla Aug 2022](https://app.tidalcyber.com/references/4b48cc22-55ac-5b61-b183-9008f7db37fd)]",
 "meta": {
From 8eb46a1e5aa5702fa7af4199af3acab5bca65ed8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 21 May 2024 07:33:37 +0000
Subject: [PATCH 05/12]

---
updated-dependencies:
- dependency-name: requests
 dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
---
 tools/mkdocs/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/mkdocs/requirements.txt b/tools/mkdocs/requirements.txt
index d0e5fcf..b1473d8 100644
--- a/tools/mkdocs/requirements.txt
+++ b/tools/mkdocs/requirements.txt
@@ -37,7 +37,7 @@ python-dateutil==2.8.2
 PyYAML==6.0.1
 pyyaml_env_tag==0.1
 regex==2023.12.25
-requests==2.31.0
+requests==2.32.0
 six==1.16.0
 smmap==5.0.1
 typing_extensions==4.9.0
From 6fe19ac915e575e9a93e70d433f100e66737939c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 21 May 2024 06:56:41 -0700
Subject: [PATCH 06/12] [threat-actors] Add PhantomCore

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2d5e637..7785cbd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15945,6 +15945,16 @@
 },
 "uuid": "19ddf2b0-9cfb-430f-8919-49205cbec863",
 "value": "Water Orthrus"
+ },
+ {
+ "description": "PhantomCore is a threat actor group known for using a remote access malware called PhantomRAT. They have been observed executing malicious code through specially crafted RAR archives, different from previous attacks exploiting vulnerabilities. The attribution of their campaign to Ukraine is uncertain due to limited visibility inside Russian networks. PhantomCore's use of RAR archives in their attack chain has been previously observed in other threat actor groups like Forest Blizzard.",
+ "meta": {
+ "refs": [
+ "https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage"
+ ]
+ },
+ "uuid": "485947c7-edb6-4a07-9276-2114dc767551",
+ "value": "PhantomCore"
 }
 ],
 "version": 308
From 754a9b08f891d13de0ff4bb1d90f774fa8122068 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 21 May 2024 06:56:41 -0700
Subject: [PATCH 07/12] [threat-actors] Add CiberInteligenciaSV

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7785cbd..70ae18d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
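Review bot: The description leaves open whether the "specially crafted RAR archives" rely on a WinRAR vulnerability or only on user interaction, while the cited article's slug (`russian-researchers-winrar-bug-ukraine-espionage`) points at a WinRAR bug; if the article names the flaw, stating it with its identifier in the description would make the entry actionable for detection and patch prioritisation. The same element is added while `"version": 308` is left untouched, and the next two patches (CiberInteligenciaSV, Void Manticore) do the same; the only bump in this series is patch 10's `"version": 309` on a parallel branch, so confirm the merged file carries a bump that covers all three additions.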
@@ -15955,6 +15955,17 @@
 },
 "uuid": "485947c7-edb6-4a07-9276-2114dc767551",
 "value": "PhantomCore"
+ },
+ {
+ "description": "CiberInteligenciaSV is a threat actor that leaked 5.1 million Salvadoran records on Breach Forums. They have also compromised El Salvador's state Bitcoin wallet, Chivo, leaking its source code and VPN credentials. The group aims to obscure their involvement by associating with the Guacamaya group and its proxies.",
+ "meta": {
+ "refs": [
+ "https://securityaffairs.com/162790/data-breach/el-salvador-massive-leak-biometric-data.html",
+ "https://www.cysecurity.news/2024/04/cryptocurrency-chaos-el-salvadors.html"
+ ]
+ },
+ "uuid": "0558bc64-21d9-43e4-8b12-18172d9b5c7d",
+ "value": "CiberInteligenciaSV"
 }
 ],
 "version": 308
From e17f2eda0c7e7bf84e4b84ab3f94633299f646a0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 21 May 2024 06:56:41 -0700
Subject: [PATCH 08/12] [threat-actors] Add Void Manticore

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 70ae18d..b6062de 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
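Review bot: The link to the Guacamaya group that the description asserts exists only in prose; if this cluster already has a Guacamaya element, a `related` entry pointing at its uuid (the `dest-uuid`/`type` shape used by the tidal-software cluster earlier in this series) would make the overlap queryable instead of free text. The entry also carries no `meta.country`, unlike the Void Manticore entry added in the next patch; that is correct if only the victims, not the group's origin, are established by the two references, and a short note to that effect would save the next editor from guessing.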
@@ -15966,6 +15966,17 @@
 },
 "uuid": "0558bc64-21d9-43e4-8b12-18172d9b5c7d",
 "value": "CiberInteligenciaSV"
+ },
+ {
+ "description": "Void Manticore is an Iranian APT group affiliated with MOIS, known for conducting destructive wiping attacks and influence operations. They collaborate with Scarred Manticore, sharing targets and conducting disruptive operations using custom wipers. Void Manticore's TTPs involve manual file deletion, lateral movement via RDP, and the deployment of custom wipers like the BiBi wiper. The group utilizes online personas like 'Karma' and 'Homeland Justice' to leak information and amplify the impact of their attacks.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/"
+ ]
+ },
+ "uuid": "53ac2695-35ba-4ab2-a5cd-48ca533f1b72",
+ "value": "Void Manticore"
 }
 ],
 "version": 308
From d172320fad5de3fd5f567243796c1d5c3a9b369b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 21 May 2024 06:56:42 -0700
Subject: [PATCH 09/12] [threat-actors] Add Kimsuky aliases

---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b6062de..278e80a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
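Review bot: `"country": "IR"` is recorded, but the collaboration with Scarred Manticore and the use of the 'Karma' and 'Homeland Justice' personas stated in the description are not captured in any machine-readable field; if those names already exist as elements in this cluster, `related` entries with their uuids would carry the overlap, and a `synonyms` array is worth adding if the referenced Check Point report maps the group to other vendors' names. The description also names a specific wiper ('BiBi'); where a tool or malware galaxy entry exists for it, linking that entry is more useful to consumers than the name in prose alone.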
@@ -5675,7 +5675,8 @@
 "https://asec.ahnlab.com/en/61082/",
 "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/",
 "https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/",
- "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
+ "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
+ "https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b"
 ],
 "synonyms": [
 "Velvet Chollima",
@@ -5685,7 +5686,8 @@
 "G0086",
 "APT43",
 "Emerald Sleet",
- "THALLIUM"
+ "THALLIUM",
+ "Springtail"
 ],
 "targeted-sector": [
 "Research - Innovation",
From f3a145c96fcc0c79e2113eab130d3c2c73a38768 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 21 May 2024 16:59:07 +0200
Subject: [PATCH 10/12] chg: [threat-actor] updated following PR #977

The `master` branch should not be used

---
 clusters/threat-actor.json | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2d5e637..1ca0539 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
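Review bot: The reference added in the first hunk is a weekly digest rather than the primary report behind the `Springtail` alias; patch 10 in this series adds the Symantec post for the same alias on a separate branch, and the two parallel additions are what patch 12 has to repair after the merge. One alias change with its primary source in a single commit would have avoided the conflict, and the digest is worth keeping only if it adds something the Symantec post does not.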
@@ -5675,7 +5675,8 @@
 "https://asec.ahnlab.com/en/61082/",
 "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/",
 "https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/",
- "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
+ "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"
 ],
 "synonyms": [
 "Velvet Chollima",
@@ -5685,7 +5686,8 @@
 "G0086",
 "APT43",
 "Emerald Sleet",
- "THALLIUM"
+ "THALLIUM",
+ "Springtail"
 ],
 "targeted-sector": [
 "Research - Innovation",
@@ -15947,5 +15949,5 @@
 "value": "Water Orthrus"
 }
 ],
- "version": 308
+ "version": 309
 }
From e97ecd46b0810fdbf7b19c98008a22f615ee14cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathieu=20B=C3=A9ligon?=
Date: Tue, 21 May 2024 19:23:04 +0200
Subject: [PATCH 11/12] Add phantomcore reference

Co-authored-by: Rony <49360849+r0ny123@users.noreply.github.com>
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 278e80a..cd41dc9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15952,7 +15952,8 @@
 "description": "PhantomCore is a threat actor group known for using a remote access malware called PhantomRAT. They have been observed executing malicious code through specially crafted RAR archives, different from previous attacks exploiting vulnerabilities. The attribution of their campaign to Ukraine is uncertain due to limited visibility inside Russian networks. PhantomCore's use of RAR archives in their attack chain has been previously observed in other threat actor groups like Forest Blizzard.",
 "meta": {
 "refs": [
- "https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage"
+ "https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage",
+ "https://www.facct.ru/blog/phantomdl-loader"
 ]
 },
 "uuid": "485947c7-edb6-4a07-9276-2114dc767551",
From 32b9051873ca5dc32885d75bfe4f55f96032e45d Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 21 May 2024 19:29:26 +0200
Subject: [PATCH 12/12] [threat actors] fix merge

---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 401c2db..a2ba1b3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5676,7 +5676,7 @@
 "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/",
 "https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/",
 "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
- "https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b"
+ "https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"
 ],
 "synonyms": [
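Review bot: The repaired line in the patch 12 hunk re-inserts the comma that the merge of patches 9 and 10 dropped between the two `refs` URLs, which means the file on the merged branch was not valid JSON until this fix landed. A parse check on the merge result before pushing, for example `jq . clusters/threat-actor.json >/dev/null`, catches this class of breakage in seconds; if the repository already has a JSON validation script, it is worth running it as a required step on merge commits and not only on feature branches, since that is where these conflicts are introduced.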