diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml index aceda597750..40d980e1b03 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml @@ -1,6 +1,6 @@ title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15 -status: experimental +status: test description: | Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character. diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml index fdedc59a001..be3c9710f42 100644 --- a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml +++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml @@ -1,6 +1,6 @@ title: Potential KamiKakaBot Activity - Lure Document Execution id: 24474469-bd80-46cc-9e08-9fbe81bfaaca -status: experimental +status: test description: | Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection. 
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml index 2f7e2ac822a..b6bd4d92644 100644 --- a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml +++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml @@ -1,6 +1,6 @@ title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961 -status: experimental +status: test description: | Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system. diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml index 8db60f70e9c..f60f41bdc3e 100644 --- a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml +++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml @@ -1,6 +1,6 @@ title: Potential KamiKakaBot Activity - Winlogon Shell Persistence id: c9b86500-1ec2-4de6-9120-d744c8fb5caf -status: experimental +status: test description: | Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence. references: diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml index 9ed2da51da6..9185d2c5003 100644 
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml @@ -1,6 +1,6 @@ title: Dfsvc.EXE Network Connection To Non-Local IPs id: 3c21219b-49b5-4268-bce6-c914ed50f09c -status: experimental +status: test description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml index cfc045bbef7..7396f6e8c2f 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml @@ -1,6 +1,6 @@ title: Network Connection Initiated By PowerShell Process id: 1f21ec3f-810d-4b0e-8045-322202e22b4b -status: experimental +status: test description: | Detects a network connection that was initiated from a PowerShell process. Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml index 3ec4f793b5b..a0673f43ad3 100644 --- a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml +++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml 
@@ -3,7 +3,7 @@ id: 277dc340-0540-42e7-8efb-5ff460045e07 related: - id: 277dc340-0540-42e7-8efb-5ff460045e07 type: obsolete -status: experimental +status: test description: | Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\". Attackers often use such directories for staging purposes. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml index 4663c8029aa..732c65e11ae 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml @@ -1,6 +1,6 @@ title: Deployment Deleted From Kubernetes Cluster id: 40967487-139b-4811-81d9-c9767a92aa5a -status: experimental +status: test description: | Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml index d7dafc6eb7a..66c45fd8b08 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml @@ -3,7 +3,7 @@ id: 3132570d-cab2-4561-9ea6-1743644b2290 related: - id: 225d8b09-e714-479c-a0e4-55e6f29adf35 type: derived -status: experimental +status: test description: | Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml index 8c6ca815397..1d853591044 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml 
+++ b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml @@ -1,6 +1,6 @@ title: Potential Remote Command Execution In Pod Container id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6 -status: experimental +status: test description: | Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command. references: diff --git a/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml index fe9e05c30ef..0dd15057467 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml @@ -1,6 +1,6 @@ title: Container With A hostPath Mount Created id: 402b955c-8fe0-4a8c-b635-622b4ac5f902 -status: experimental +status: test description: | Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml index 512c0e2fba8..7fa1d7b7566 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml @@ -1,6 +1,6 @@ title: Creation Of Pod In System Namespace id: a80d927d-ac6e-443f-a867-e8d6e3897318 -status: experimental +status: test description: | Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml index a9a04702bed..fcc1685829c 100644 
--- a/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml @@ -1,6 +1,6 @@ title: Privileged Container Deployed id: c5cd1b20-36bb-488d-8c05-486be3d0cb97 -status: experimental +status: test description: | Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml index cefd4c4b86c..d680a46448a 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml @@ -1,6 +1,6 @@ title: RBAC Permission Enumeration Attempt id: 84b777bd-c946-4d17-aa2e-c39f5a454325 -status: experimental +status: test description: | Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml index 0dc2b66d1af..d690e59753a 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml 
@@ -3,7 +3,7 @@ id: eeb3e9e1-b685-44e4-9232-6bb701f925b5 related: - id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c type: derived -status: experimental +status: test description: Detects enumeration of Kubernetes secrets. references: - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ diff --git a/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml b/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml index 6c41efac815..3755cb1b13d 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml @@ -3,7 +3,7 @@ id: e31bae15-83ed-473e-bf31-faf4f8a17d36 related: - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 type: derived -status: experimental +status: test description: | Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster. references: diff --git a/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml index 4ff32df2898..3a6fa87b7e1 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml @@ -1,6 +1,6 @@ title: Potential Sidecar Injection Into Running Deployment id: ad9012a6-e518-4432-9890-f3b82b8fc71f -status: experimental +status: test description: | Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod, that resides alongside the main container. diff --git a/rules/application/opencanary/opencanary_ftp_login_attempt.yml b/rules/application/opencanary/opencanary_ftp_login_attempt.yml index 46632d2320b..9fb47b670be 100644 --- a/rules/application/opencanary/opencanary_ftp_login_attempt.yml 
+++ b/rules/application/opencanary/opencanary_ftp_login_attempt.yml @@ -1,6 +1,6 @@ title: OpenCanary - FTP Login Attempt id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5 -status: experimental +status: test description: Detects instances where an FTP service on an OpenCanary node has had a login attempt. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_git_clone_request.yml b/rules/application/opencanary/opencanary_git_clone_request.yml index cb928c35577..ef03fa7ba94 100644 --- a/rules/application/opencanary/opencanary_git_clone_request.yml +++ b/rules/application/opencanary/opencanary_git_clone_request.yml @@ -1,6 +1,6 @@ title: OpenCanary - GIT Clone Request id: 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8 -status: experimental +status: test description: Detects instances where a GIT service on an OpenCanary node has had Git Clone request. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_http_get.yml b/rules/application/opencanary/opencanary_http_get.yml index c65cc666337..41c5bbd6901 100644 --- a/rules/application/opencanary/opencanary_http_get.yml +++ b/rules/application/opencanary/opencanary_http_get.yml @@ -1,6 +1,6 @@ title: OpenCanary - HTTP GET Request id: af6c3078-84cd-4c68-8842-08b76bd81b13 -status: experimental +status: test description: Detects instances where an HTTP service on an OpenCanary node has received a GET request. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_http_post_login_attempt.yml b/rules/application/opencanary/opencanary_http_post_login_attempt.yml index 1bc99bf01aa..ef35ae4d917 100644 --- a/rules/application/opencanary/opencanary_http_post_login_attempt.yml 
+++ b/rules/application/opencanary/opencanary_http_post_login_attempt.yml @@ -1,6 +1,6 @@ title: OpenCanary - HTTP POST Login Attempt id: af1ac430-df6b-4b38-b976-0b52f07a0252 -status: experimental +status: test description: | Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST. references: diff --git a/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml index 20693573c29..7fac3a3b71b 100644 --- a/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml +++ b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml @@ -1,6 +1,6 @@ title: OpenCanary - HTTPPROXY Login Attempt id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760 -status: experimental +status: test description: | Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page. references: diff --git a/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml b/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml index 66e236c2620..8cd7fd0301c 100644 --- a/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml +++ b/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml @@ -1,6 +1,6 @@ title: OpenCanary - MSSQL Login Attempt Via SQLAuth id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd -status: experimental +status: test description: | Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth. references: diff --git a/rules/application/opencanary/opencanary_mssql_login_winauth.yml b/rules/application/opencanary/opencanary_mssql_login_winauth.yml index a731303ab90..2d15c251e49 100644 --- a/rules/application/opencanary/opencanary_mssql_login_winauth.yml +++ b/rules/application/opencanary/opencanary_mssql_login_winauth.yml 
@@ -1,6 +1,6 @@ title: OpenCanary - MSSQL Login Attempt Via Windows Authentication id: 6e78f90f-0043-4a01-ac41-f97681613a66 -status: experimental +status: test description: | Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication. references: diff --git a/rules/application/opencanary/opencanary_mysql_login_attempt.yml b/rules/application/opencanary/opencanary_mysql_login_attempt.yml index 405c03c8604..9017a46d117 100644 --- a/rules/application/opencanary/opencanary_mysql_login_attempt.yml +++ b/rules/application/opencanary/opencanary_mysql_login_attempt.yml @@ -1,6 +1,6 @@ title: OpenCanary - MySQL Login Attempt id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06 -status: experimental +status: test description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_ntp_monlist.yml b/rules/application/opencanary/opencanary_ntp_monlist.yml index e6ae4e0d9ba..8f694286d06 100644 --- a/rules/application/opencanary/opencanary_ntp_monlist.yml +++ b/rules/application/opencanary/opencanary_ntp_monlist.yml @@ -1,6 +1,6 @@ title: OpenCanary - NTP Monlist Request id: 7cded4b3-f09e-405a-b96f-24248433ba44 -status: experimental +status: test description: Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_redis_command.yml b/rules/application/opencanary/opencanary_redis_command.yml index 9a18bee4af8..3cc252d8659 100644 --- a/rules/application/opencanary/opencanary_redis_command.yml +++ b/rules/application/opencanary/opencanary_redis_command.yml 
@@ -1,6 +1,6 @@ title: OpenCanary - REDIS Action Command Attempt id: 547dfc53-ebf6-4afe-8d2e-793d9574975d -status: experimental +status: test description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_sip_request.yml b/rules/application/opencanary/opencanary_sip_request.yml index 56f71242ab1..23f4d998683 100644 --- a/rules/application/opencanary/opencanary_sip_request.yml +++ b/rules/application/opencanary/opencanary_sip_request.yml @@ -1,6 +1,6 @@ title: OpenCanary - SIP Request id: e30de276-68ec-435c-ab99-ef3befec6c61 -status: experimental +status: test description: Detects instances where an SIP service on an OpenCanary node has had a SIP request. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_smb_file_open.yml b/rules/application/opencanary/opencanary_smb_file_open.yml index 7c12e2563e2..f4415ffb216 100644 --- a/rules/application/opencanary/opencanary_smb_file_open.yml +++ b/rules/application/opencanary/opencanary_smb_file_open.yml @@ -1,6 +1,6 @@ title: OpenCanary - SMB File Open Request id: 22777c9e-873a-4b49-855f-6072ab861a52 -status: experimental +status: test description: Detects instances where an SMB service on an OpenCanary node has had a file open request. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_snmp_cmd.yml b/rules/application/opencanary/opencanary_snmp_cmd.yml index deb9ee93584..57bd9a57013 100644 --- a/rules/application/opencanary/opencanary_snmp_cmd.yml +++ b/rules/application/opencanary/opencanary_snmp_cmd.yml 
@@ -1,6 +1,6 @@ title: OpenCanary - SNMP OID Request id: e9856028-fd4e-46e6-b3d1-10f7ceb95078 -status: experimental +status: test description: Detects instances where an SNMP service on an OpenCanary node has had an OID request. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_ssh_login_attempt.yml b/rules/application/opencanary/opencanary_ssh_login_attempt.yml index 431b5fe18eb..0e15724263a 100644 --- a/rules/application/opencanary/opencanary_ssh_login_attempt.yml +++ b/rules/application/opencanary/opencanary_ssh_login_attempt.yml @@ -1,6 +1,6 @@ title: OpenCanary - SSH Login Attempt id: ff7139bc-fdb1-4437-92f2-6afefe8884cb -status: experimental +status: test description: Detects instances where an SSH service on an OpenCanary node has had a login attempt. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_ssh_new_connection.yml b/rules/application/opencanary/opencanary_ssh_new_connection.yml index 223bcd0e1c5..f3656da4c7e 100644 --- a/rules/application/opencanary/opencanary_ssh_new_connection.yml +++ b/rules/application/opencanary/opencanary_ssh_new_connection.yml @@ -1,6 +1,6 @@ title: OpenCanary - SSH New Connection Attempt id: cd55f721-5623-4663-bd9b-5229cab5237d -status: experimental +status: test description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_telnet_login_attempt.yml b/rules/application/opencanary/opencanary_telnet_login_attempt.yml index f3bb08fabd8..0d4aca20261 100644 --- a/rules/application/opencanary/opencanary_telnet_login_attempt.yml +++ b/rules/application/opencanary/opencanary_telnet_login_attempt.yml 
@@ -1,6 +1,6 @@ title: OpenCanary - Telnet Login Attempt id: 512cff7a-683a-43ad-afe0-dd398e872f36 -status: experimental +status: test description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_tftp_request.yml b/rules/application/opencanary/opencanary_tftp_request.yml index dfd59599810..1af398358f2 100644 --- a/rules/application/opencanary/opencanary_tftp_request.yml +++ b/rules/application/opencanary/opencanary_tftp_request.yml @@ -1,6 +1,6 @@ title: OpenCanary - TFTP Request id: b4e6b016-a2ac-4759-ad85-8000b300d61e -status: experimental +status: test description: Detects instances where a TFTP service on an OpenCanary node has had a request. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_vnc_connection_attempt.yml b/rules/application/opencanary/opencanary_vnc_connection_attempt.yml index b9b99a2e106..44669aad6fc 100644 --- a/rules/application/opencanary/opencanary_vnc_connection_attempt.yml +++ b/rules/application/opencanary/opencanary_vnc_connection_attempt.yml @@ -1,6 +1,6 @@ title: OpenCanary - VNC Connection Attempt id: 9db5446c-b44a-4291-8b89-fcab5609c3b3 -status: experimental +status: test description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml index 0ddc7f59fb2..6a344a515e2 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml @@ -5,7 +5,7 @@ related: type: similar - id: f459ccb4-9805-41ea-b5b2-55e279e2424a type: similar -status: experimental +status: test description: | Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. diff --git a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml index 3ccdd9b1251..088ffdb2098 100644 --- a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml +++ b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml @@ -5,7 +5,7 @@ related: type: similar - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d type: similar -status: experimental +status: test description: | Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 0f9cfc8cb00..41f7ade4b0a 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml 
@@ -1,6 +1,6 @@ title: EVTX Created In Uncommon Location id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb -status: experimental +status: test description: | Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. diff --git a/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml b/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml index 86927b8a05e..36797e38ec1 100644 --- a/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml +++ b/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml @@ -3,7 +3,7 @@ id: edf3485d-dac4-4d50-90e4-b0e5813f7e60 related: - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 type: derived -status: experimental +status: test description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity. references: - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml index baa9d935549..e95a87358ca 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml 
@@ -5,7 +5,7 @@ related: type: derived - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a type: similar -status: experimental +status: test description: | Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration. diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml index fe0adf15d0e..1a3e92091bb 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml @@ -5,7 +5,7 @@ related: type: derived - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e type: obsolete -status: experimental +status: test description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml index 4eb010662e1..5c3cee11b09 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: f459ccb4-9805-41ea-b5b2-55e279e2424a type: similar -status: experimental +status: test description: | Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. diff --git a/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml b/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml index 521f4e2b549..8588008340a 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml @@ -1,6 +1,6 @@ title: Renamed NirCmd.EXE Execution id: 264982dc-dbad-4dce-b707-1e0d3e0f73d9 -status: experimental +status: test description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields. references: - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml index a349f84d3a2..4da867588a1 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml @@ -1,6 +1,6 @@ title: Rundll32 Execution With Uncommon DLL Extension id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf -status: experimental +status: test description: Detects the execution of rundll32 with a command line that doesn't contain a common extension references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml index d2470cf015b..70ed5f6d156 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml @@ -1,6 +1,6 @@ title: Suspicious Command Patterns In Scheduled Task Creation id: f2c64357-b1d2-41b7-849f-34d2682c0fad -status: experimental +status: test description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands references: - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/ diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml index 7df179152bb..1cdcaf4610a 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml @@ -1,6 +1,6 @@ title: Kernel Memory Dump Via LiveKD id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2 -status: experimental +status: test description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory references: - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd diff --git a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml index 8fdc84c0681..7c65d3eb6d7 100644 --- a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml +++ b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml 
@@ -1,6 +1,6 @@ title: Loaded Module Enumeration Via Tasklist.EXE id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f -status: experimental +status: test description: | Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml index 8b3a681b329..4905def493e 100644 --- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml +++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml @@ -1,6 +1,6 @@ title: Registry Persistence via Service in Safe Mode id: 1547e27c-3974-43e2-a7d7-7f484fb928ec -status: experimental +status: test description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml index 9ab7067df90..75ac8d1ae6d 100644 --- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml +++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml @@ -1,6 +1,6 @@ title: Add Port Monitor Persistence in Registry id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e -status: experimental +status: test description: | Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. 
diff --git a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml index c7fd6a068c0..3cff92e1fd4 100644 --- a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml +++ b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml @@ -1,6 +1,6 @@ title: Sysmon Driver Altitude Change id: 4916a35e-bfc4-47d0-8e25-a003d7067061 -status: experimental +status: test description: | Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot. diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml index 02892198ec1..fb68051379c 100644 --- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml +++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml @@ -1,6 +1,6 @@ title: Change Winevt Channel Access Permission Via Registry id: 7d9263bd-dc47-4a58-bc92-5474abab390c -status: experimental +status: test description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel. references: - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/ diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml index 011974d7f23..d88fbea338f 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml 
@@ -1,6 +1,6 @@ title: Windows Defender Service Disabled - Registry id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a -status: experimental +status: test description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index eab8aeb9540..7feacfa6242 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -1,6 +1,6 @@ title: Disable Windows Event Logging Via Registry id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 -status: experimental +status: test description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 diff --git a/rules/windows/registry/registry_set/registry_set_hide_file.yml b/rules/windows/registry/registry_set/registry_set_hide_file.yml index c861b98a596..8b6699d4e9f 100644 --- a/rules/windows/registry/registry_set/registry_set_hide_file.yml +++ b/rules/windows/registry/registry_set/registry_set_hide_file.yml @@ -1,6 +1,6 @@ title: Displaying Hidden Files Feature Disabled id: 5a5152f1-463f-436b-b2f5-8eceb3964b42 -status: experimental +status: test description: | Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users. diff --git a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml index cdd2cdc28ae..fb5498fc473 100644 
--- a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml +++ b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml @@ -1,6 +1,6 @@ title: MaxMpxCt Registry Value Changed id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e -status: experimental +status: test description: | Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml index 2859ab5115e..04e14bc0b98 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml @@ -1,6 +1,6 @@ title: Register New IFiltre For Persistence id: b23818c7-e575-4d13-8012-332075ec0a2b -status: experimental +status: test description: | Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files. diff --git a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml index b4ccf276412..48962dc34b9 100644 --- a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml +++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml 
@@ -1,6 +1,6 @@ title: ServiceDll Hijack id: 612e47e9-8a59-43a6-b404-f48683f45bd6 -status: experimental +status: test description: | Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. diff --git a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml index 9e4e6b7c425..f334d0f2ffa 100644 --- a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml +++ b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml @@ -1,6 +1,6 @@ title: New TimeProviders Registered With Uncommon DLL Name id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85 -status: experimental +status: test description: | Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots.
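Review bot: Typo in the title of `registry_set_persistence_ifilter.yml`: "Register New IFiltre For Persistence" should read "Register New IFilter For Persistence", matching the spelling used in the rule's own description ("registers a new IFilter for an extension"). Since this PR already edits the rule's metadata to promote it to `test`, correcting the title in the same change avoids a second metadata-only commit.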
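Review bot: The description of `registry_set_timeproviders_dllname.yml` is inconsistent with its title: the title says "TimeProviders" but the description points at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider` (singular), and it also carries the doubled preposition "in DllName in under". Suggest "Detects processes setting a new DLL in DllName under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders." so that the documented key matches the title and the key actually used by the Windows Time service.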
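Review bot: The description of `registry_set_add_port_monitor.yml` is the only one in this batch that does not state what the rule detects; it opens with background text ("Adversaries may use port monitors to run an attacker supplied DLL ...") while every other promoted rule opens with "Detects ...". Suggest leading with a sentence that names the detection, for example "Detects the registration of a new port monitor DLL via the registry." (wording derived from the title), and keeping the existing explanation after it.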
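Review bot: Awkward wording in the description of `proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml`: "when TeamViewer starts a session started by a remote host" repeats "start". Suggest "Detects the command line executed when TeamViewer starts a session initiated by a remote host."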
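Review bot: Style point on the single-line descriptions being promoted here: several end without a period (`proc_creation_win_rundll32_uncommon_dll_extension.yml`, `proc_creation_win_schtasks_susp_pattern.yml`, `proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml`, `registry_set_disable_windows_defender_service.yml`, `registry_set_disable_winevt_logging.yml`) while the rest of the batch ends with one. Since these rules are leaving `experimental`, it is worth normalising the punctuation in the same change. In the rundll32 rule the description could also mirror the title: "that doesn't contain a common extension" reads better as "that doesn't contain a common DLL extension."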
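Review bot: Missing article in the description of `registry_set_change_winevt_channelaccess.yml`: "in order to change access to Windows event channel" should read "in order to change access to a Windows event channel." (or "to Windows event channels").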