From 13f186687e2ad9c6a931cdb2940d6fe89f790184 Mon Sep 17 00:00:00 2001 
From: dekelpaz
Date: Wed, 1 May 2024 00:11:27 +0000
Subject: [PATCH] chore: promote older rules status from `experimental` to `test`
---
.../2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml | 2 +- .../2018/TA/OilRig/win_system_apt_oilrig_mar18.yml | 2 +- .../2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml | 2 +- .../web_cve_2021_26084_confluence_rce_exploit.yml | 2 +- .../CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml | 2 +- .../CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml | 2 +- ...on_win_exploit_cve_2021_40444_office_directory_traversal.yml | 2 +- .../CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml | 2 +- .../Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml | 2 +- .../Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml | 2 +- .../file_event_win_malware_devil_bait_script_drop.yml | 2 +- .../proc_creation_win_malware_devil_bait_output_redirect.yml | 2 +- .../file_event_win_malware_goofy_guineapig_file_indicators.yml | 2 +- .../proc_creation_win_malware_goofy_guineapig_broken_cmd.yml | 2 +- ...are_goofy_guineapig_googleupdate_uncommon_child_instance.yml | 2 +- .../proxy_malware_goofy_gunieapig_c2_communication.yml | 2 +- .../win_system_malware_goofy_guineapig_service_persistence.yml | 2 +- .../Malware/Pingback/image_load_malware_pingback_backdoor.yml | 2 +- .../file_event_win_malware_small_sieve_evasion_typo.yml | 2 +- .../proxy_malware_small_sieve_telegram_communication.yml | 2 +- .../proc_creation_win_exploit_cve_2023_21554_queuejumper.yml | 2 +- .../Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml | 2 +- ...n_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml | 2 +- .../2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml | 2 +- .../proc_creation_win_exploit_cve_2022_29072_7zip.yml | 2 +- .../Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml | 2 +- .../Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml | 2 +- 
.../web_cve_2022_33891_spark_shell_command_injection.yml | 2 +- ...web_cve_2022_36804_atlassian_bitbucket_command_injection.yml | 2 +- .../CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml | 2 +- .../web_cve_2022_46169_cacti_exploitation_attempt.yml | 2 +- .../OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml | 2 +- .../OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml | 2 +- ...win_security_malware_bluesky_ransomware_files_indicators.yml | 2 +- ...ation_win_malware_raspberry_robin_single_dot_ending_file.yml | 2 +- .../2022/TA/MERCURY/proc_creation_win_apt_mercury.yml | 2 +- ..._sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml | 2 +- ...ecurity_exploit_cve_2023_23397_outlook_remote_file_query.yml | 2 +- ..._connectivity_exploit_cve_2023_23397_outlook_remote_file.yml | 2 +- .../web_cve_2023_23752_joomla_exploit_attempt.yml | 2 +- .../web_cve_2023_25157_geoserver_sql_injection.yml | 2 +- ...web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml | 2 +- .../file_event_win_exploit_cve_2023_34362_moveit_transfer.yml | 2 +- ...c_creation_win_exploit_other_win_server_undocumented_rce.yml | 2 +- .../2023/Exploits/win_msmq_corrupted_packet.yml | 2 +- .../COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml | 2 +- .../file_event_win_malware_coldsteel_service_dll_creation.yml | 2 +- .../image_load_malware_coldsteel_persistence_service_dll.yml | 2 +- .../proc_creation_win_malware_coldsteel_anonymous_process.yml | 2 +- .../COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml | 2 +- .../proc_creation_win_malware_coldsteel_service_persistence.yml | 2 +- .../Griffon/proc_creation_win_malware_griffon_patterns.yml | 2 +- .../proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml | 2 +- .../proc_creation_win_malware_qakbot_rundll32_execution.yml | 2 +- .../proc_creation_win_malware_qakbot_rundll32_exports.yml | 2 +- ..._creation_win_malware_qakbot_rundll32_fake_dll_execution.yml | 2 +- 
...roc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml | 2 +- .../proc_creation_win_malware_rorschach_ransomware_activity.yml | 2 +- .../file_event_win_malware_snake_encrypted_payload_ioc.yml | 2 +- .../SNAKE/file_event_win_malware_snake_installers_ioc.yml | 2 +- .../SNAKE/file_event_win_malware_snake_werfault_creation.yml | 2 +- .../proc_creation_win_malware_snake_installer_cli_args.yml | 2 +- .../SNAKE/proc_creation_win_malware_snake_installer_exec.yml | 2 +- .../SNAKE/proc_creation_win_malware_snake_service_execution.yml | 2 +- .../SNAKE/registry_event_malware_snake_covert_store_key.yml | 2 +- .../SNAKE/win_system_malware_snake_persistence_service.yml | 2 +- .../dns_query_win_malware_socgholish_second_stage_c2.yml | 2 +- .../3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml | 2 +- .../image_load_malware_3cx_compromise_susp_dll.yml | 2 +- ...connection_win_malware_3cx_compromise_beaconing_activity.yml | 2 +- .../proc_creation_win_malware_3cx_compromise_execution.yml | 2 +- .../proc_creation_win_malware_3cx_compromise_susp_children.yml | 2 +- .../proc_creation_win_malware_3cx_compromise_susp_update.yml | 2 +- .../proxy_malware_3cx_compromise_c2_beacon_activity.yml | 2 +- .../proxy_malware_3cx_compromise_susp_ico_requests.yml | 2 +- .../net_dns_apt_equation_group_triangulation_c2_coms.yml | 2 +- .../proxy_apt_equation_group_triangulation_c2_coms.yml | 2 +- ..._event_win_apt_fin7_powershell_scripts_naming_convention.yml | 2 +- .../proc_creation_win_apt_fin7_powertrash_lateral_movement.yml | 2 +- .../proc_creation_win_apt_mustang_panda_indicators.yml | 2 +- .../file_event_lnx_apt_unc4841_exfil_mail_pattern.yml | 2 +- .../file_event_lnx_apt_unc4841_file_indicators.yml | 2 +- .../proc_creation_lnx_apt_unc4841_openssl_connection.yml | 2 +- ...on_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml | 2 +- ...eation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml | 2 +- .../proc_creation_lnx_atp_unc4841_seaspy_execution.yml | 2 +- 
.../builtin/security/win_security_exploit_cve_2020_1472.yml | 2 +- .../proc_creation_win_userdomain_variable_enumeration.yml | 2 +- .../windows/image_load/image_load_office_excel_xll_load.yml | 2 +- .../net_connection_win_dfsvc_suspicious_ip.yml | 2 +- .../powershell_script/posh_ps_registry_reconnaissance.yml | 2 +- .../process_creation/proc_creation_win_curl_download.yml | 2 +- .../proc_creation_win_dfsvc_child_processes.yml | 2 +- .../proc_creation_win_findstr_password_recon.yml | 2 +- .../proc_creation_win_powershell_import_module.yml | 2 +- .../jvm/java_jndi_injection_exploitation_attempt.yml | 2 +- rules/application/jvm/java_local_file_read.yml | 2 +- .../jvm/java_ognl_injection_exploitation_attempt.yml | 2 +- rules/application/jvm/java_rce_exploitation_attempt.yml | 2 +- rules/application/jvm/java_xxe_exploitation_attempt.yml | 2 +- rules/application/nodejs/nodejs_rce_exploitation_attempt.yml | 2 +- rules/application/spring/spring_spel_injection.yml | 2 +- rules/application/velocity/velocity_ssti_injection.yml | 2 +- rules/category/database/db_anomalous_query.yml | 2 +- rules/cloud/aws/cloudtrail/aws_delete_identity.yml | 2 +- .../cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml | 2 +- rules/cloud/aws/cloudtrail/aws_enum_buckets.yml | 2 +- .../aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml | 2 +- .../aws_iam_s3browser_templated_s3_bucket_policy_creation.yml | 2 +- .../cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml | 2 +- .../cloud/azure/audit_logs/azure_app_privileged_permissions.yml | 2 +- ...isky_sign_ins_with_singlefactorauth_from_unknown_devices.yml | 2 +- .../signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml | 2 +- rules/cloud/github/github_delete_action_invoked.yml | 2 +- rules/cloud/github/github_disable_high_risk_configuration.yml | 2 +- .../github_disabled_outdated_dependency_or_vulnerability.yml | 2 +- rules/cloud/github/github_new_org_member.yml | 2 +- rules/cloud/github/github_new_secret_created.yml | 2 +- 
rules/cloud/github/github_outside_collaborator_detected.yml | 2 +- .../cloud/github/github_self_hosted_runner_changes_detected.yml | 2 +- rules/cloud/okta/okta_admin_role_assignment_created.yml | 2 +- rules/cloud/okta/okta_fastpass_phishing_detection.yml | 2 +- rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml | 2 +- rules/linux/auditd/lnx_auditd_modify_system_firewall.yml | 2 +- .../auditd/lnx_auditd_unix_shell_configuration_modification.yml | 2 +- .../builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml | 2 +- .../builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml | 2 +- rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml | 2 +- rules/linux/builtin/lnx_susp_dev_tcp.yml | 2 +- .../file_event/file_event_lnx_persistence_sudoers_files.yml | 2 +- ...file_event_lnx_susp_shell_script_under_profile_directory.yml | 2 +- .../file_event_lnx_triple_cross_rootkit_lock_file.yml | 2 +- .../file_event_lnx_triple_cross_rootkit_persistence.yml | 2 +- .../file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml | 2 +- .../process_creation/proc_creation_lnx_base64_execution.yml | 2 +- .../proc_creation_lnx_bash_interactive_shell.yml | 2 +- .../proc_creation_lnx_bpf_kprob_tracing_enabled.yml | 2 +- .../linux/process_creation/proc_creation_lnx_capa_discovery.yml | 2 +- .../proc_creation_lnx_cp_passwd_or_shadow_tmp.yml | 2 +- .../process_creation/proc_creation_lnx_crontab_enumeration.yml | 2 +- rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml | 2 +- .../proc_creation_lnx_grep_os_arch_discovery.yml | 2 +- rules/linux/process_creation/proc_creation_lnx_groupdel.yml | 2 +- rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml | 2 +- rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml | 2 +- .../proc_creation_lnx_install_suspicioua_packages.yml | 2 +- .../process_creation/proc_creation_lnx_iptables_flush_ufw.yml | 2 +- rules/linux/process_creation/proc_creation_lnx_kill_process.yml | 2 +- 
.../proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml | 2 +- .../proc_creation_lnx_mkfifo_named_pipe_creation.yml | 2 +- ...oc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml | 2 +- .../linux/process_creation/proc_creation_lnx_mount_hidepid.yml | 2 +- .../process_creation/proc_creation_lnx_netcat_reverse_shell.yml | 2 +- .../process_creation/proc_creation_lnx_nohup_susp_execution.yml | 2 +- .../process_creation/proc_creation_lnx_perl_reverse_shell.yml | 2 +- .../process_creation/proc_creation_lnx_php_reverse_shell.yml | 2 +- .../process_creation/proc_creation_lnx_python_pty_spawn.yml | 2 +- .../process_creation/proc_creation_lnx_python_reverse_shell.yml | 2 +- .../linux/process_creation/proc_creation_lnx_remove_package.yml | 2 +- .../process_creation/proc_creation_lnx_ruby_reverse_shell.yml | 2 +- .../process_creation/proc_creation_lnx_susp_curl_fileupload.yml | 2 +- .../proc_creation_lnx_susp_execution_tmp_folder.yml | 2 +- .../process_creation/proc_creation_lnx_susp_find_execution.yml | 2 +- .../linux/process_creation/proc_creation_lnx_susp_git_clone.yml | 2 +- .../proc_creation_lnx_susp_sensitive_file_access.yml | 2 +- ...tion_lnx_susp_shell_child_process_from_parent_tmp_folder.yml | 2 +- ...c_creation_lnx_susp_shell_script_exec_from_susp_location.yml | 2 +- rules/linux/process_creation/proc_creation_lnx_touch_susp.yml | 2 +- rules/linux/process_creation/proc_creation_lnx_userdel.yml | 2 +- .../process_creation/proc_creation_lnx_webshell_detection.yml | 2 +- .../proc_creation_lnx_wget_download_suspicious_directory.yml | 2 +- .../process_creation/proc_creation_lnx_xterm_reverse_shell.yml | 2 +- .../proc_creation_macos_clipboard_data_via_osascript.yml | 2 +- .../proc_creation_macos_dscl_add_user_to_admin_group.yml | 2 +- .../proc_creation_macos_installer_susp_child_process.yml | 2 +- .../proc_creation_macos_jxa_in_memory_execution.yml | 2 +- .../proc_creation_macos_office_susp_child_processes.yml | 2 +- 
.../proc_creation_macos_osacompile_runonly_execution.yml | 2 +- .../proc_creation_macos_persistence_via_plistbuddy.yml | 2 +- .../proc_creation_macos_susp_browser_child_process.yml | 2 +- .../proc_creation_macos_susp_execution_macos_script_editor.yml | 2 +- .../proc_creation_macos_susp_find_execution.yml | 2 +- .../proc_creation_macos_suspicious_applet_behaviour.yml | 2 +- .../proc_creation_macos_sysadminctl_add_user_to_admin_group.yml | 2 +- .../proc_creation_macos_sysadminctl_enable_guest_account.yml | 2 +- rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml | 2 +- rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml | 2 +- rules/network/huawei/bgp/huawei_bgp_auth_failed.yml | 2 +- rules/network/juniper/bgp/juniper_bgp_missing_md5.yml | 2 +- rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml | 2 +- .../proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml | 2 +- rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml | 2 +- rules/web/proxy_generic/proxy_ua_base64_encoded.yml | 2 +- rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml | 2 +- rules/web/proxy_generic/proxy_ua_susp_base64.yml | 2 +- rules/web/webserver_generic/web_java_payload_in_access_logs.yml | 2 +- rules/web/webserver_generic/web_susp_useragents.yml | 2 +- rules/web/webserver_generic/web_susp_windows_path_uri.yml | 2 +- .../application_error/win_application_msmpeng_crash_error.yml | 2 +- .../win_software_restriction_policies_block.yml | 2 +- .../win_application_msmpeng_crash_wer.yml | 2 +- .../win_appxdeployment_server_applocker_block.yml | 2 +- .../win_appxdeployment_server_mal_appx_names.yml | 2 +- .../win_appxdeployment_server_policy_block.yml | 2 +- ...win_appxdeployment_server_susp_appx_package_installation.yml | 2 +- .../win_appxdeployment_server_susp_package_locations.yml | 2 +- .../win_appxdeployment_server_uncommon_package_locations.yml | 2 +- .../win_appxpackaging_om_sups_appx_signature.yml | 2 +- .../bits_client/win_bits_client_new_job_via_powershell.yml | 2 +- 
.../win_bits_client_new_transfer_saving_susp_extensions.yml | 2 +- .../bits_client/win_bits_client_new_transfer_via_ip_address.yml | 2 +- .../win_bits_client_new_transfer_via_uncommon_tld.yml | 2 +- .../win_bits_client_new_trasnfer_susp_local_folder.yml | 2 +- .../builtin/capi2/win_capi2_acquire_certificate_private_key.yml | 2 +- ...certificateservicesclient_lifecycle_system_cert_exported.yml | 2 +- .../win_codeintegrity_blocked_protected_process_file.yml | 2 +- .../code_integrity/win_codeintegrity_enforced_policy_block.yml | 2 +- .../code_integrity/win_codeintegrity_revoked_driver_blocked.yml | 2 +- .../code_integrity/win_codeintegrity_revoked_driver_loaded.yml | 2 +- .../code_integrity/win_codeintegrity_revoked_image_blocked.yml | 2 +- .../code_integrity/win_codeintegrity_revoked_image_loaded.yml | 2 +- .../code_integrity/win_codeintegrity_unsigned_driver_loaded.yml | 2 +- .../code_integrity/win_codeintegrity_unsigned_image_loaded.yml | 2 +- .../builtin/code_integrity/win_codeintegrity_whql_failure.yml | 2 +- .../builtin/dns_client/win_dns_client_anonymfiles_com.yml | 2 +- .../dns_server/win_dns_server_failed_dns_zone_transfer.yml | 2 +- .../firewall_as/win_firewall_as_add_rule_susp_folder.yml | 2 +- .../windows/builtin/firewall_as/win_firewall_as_change_rule.yml | 2 +- .../builtin/firewall_as/win_firewall_as_delete_all_rules.yml | 2 +- .../windows/builtin/firewall_as/win_firewall_as_delete_rule.yml | 2 +- .../builtin/firewall_as/win_firewall_as_failed_load_gpo.yml | 2 +- .../builtin/firewall_as/win_firewall_as_reset_config.yml | 2 +- .../builtin/firewall_as/win_firewall_as_setting_change.yml | 2 +- .../builtin/lsa_server/win_lsa_server_normal_user_admin.yml | 2 +- .../msexchange/win_exchange_proxyshell_mailbox_export.yml | 2 +- .../account_management/win_security_access_token_abuse.yml | 2 +- .../win_security_successful_external_remote_rdp_login.yml | 2 +- .../win_security_successful_external_remote_smb_login.yml | 2 +- 
.../security/win_security_password_policy_enumerated.yml | 2 +- .../builtin/security/win_security_scheduled_task_deletion.yml | 2 +- .../win_security_service_install_remote_access_software.yml | 2 +- .../win_security_service_installation_by_unusal_client.yml | 2 +- .../builtin/security/win_security_susp_computer_name.yml | 2 +- .../win_security_susp_scheduled_task_delete_or_disable.yml | 2 +- .../windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml | 2 +- .../win_system_lpe_indicators_tabtip.yml | 2 +- .../microsoft_windows_eventlog/win_system_eventlog_cleared.yml | 2 +- .../win_system_susp_eventlog_cleared.yml | 2 +- .../win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml | 2 +- .../win_system_invoke_obfuscation_clip_services.yml | 2 +- .../win_system_service_install_remote_access_software.yml | 2 +- .../win_system_service_terminated_error_generic.yml | 2 +- .../win_system_service_terminated_error_important.yml | 2 +- .../win_system_service_terminated_unexpectedly.yml | 2 +- .../win_system_system_service_installation_by_unusal_client.yml | 2 +- .../win_taskscheduler_execution_from_susp_locations.yml | 2 +- .../win_taskscheduler_lolbin_execution_via_task_scheduler.yml | 2 +- .../taskscheduler/win_taskscheduler_susp_schtasks_delete.yml | 2 +- .../create_remote_thread/create_remote_thread_win_keepass.yml | 2 +- .../create_remote_thread_win_powershell_susp_targets.yml | 2 +- .../create_stream_hash_creation_internet_file.yml | 2 +- .../create_stream_hash/create_stream_hash_hacktool_download.yml | 2 +- .../create_stream_hash/create_stream_hash_susp_ip_domains.yml | 2 +- .../create_stream_hash_winget_susp_package_source.yml | 2 +- .../create_stream_hash/create_stream_hash_zip_tld_download.yml | 2 +- rules/windows/dns_query/dns_query_win_anonymfiles_com.yml | 2 +- .../windows/driver_load/driver_load_win_pua_process_hacker.yml | 2 +- .../windows/driver_load/driver_load_win_pua_system_informer.yml | 2 +- .../file_delete_win_cve_2021_1675_print_nightmare.yml | 2 
+- .../file/file_delete/file_delete_win_delete_backup_file.yml | 2 +- .../file/file_delete/file_delete_win_delete_event_log_files.yml | 2 +- .../file_delete_win_delete_exchange_powershell_logs.yml | 2 +- .../file/file_delete/file_delete_win_delete_iis_access_logs.yml | 2 +- .../file_delete_win_delete_powershell_command_history.yml | 2 +- .../file/file_delete/file_delete_win_delete_prefetch.yml | 2 +- .../file/file_delete/file_delete_win_delete_tomcat_logs.yml | 2 +- .../file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml | 2 +- .../file/file_event/file_event_win_bloodhound_collection.yml | 2 +- .../file/file_event/file_event_win_create_non_existent_dlls.yml | 2 +- .../file/file_event/file_event_win_hktl_remote_cred_dump.yml | 2 +- .../file_event_win_lolbin_gather_network_info_script_output.yml | 2 +- .../file/file_event/file_event_win_msdt_susp_directories.yml | 2 +- .../windows/file/file_event/file_event_win_net_cli_artefact.yml | 2 +- .../file_event_win_new_files_in_uncommon_appdata_folder.yml | 2 +- .../file_event/file_event_win_notepad_plus_plus_persistence.yml | 2 +- .../file/file_event/file_event_win_ntds_dit_creation.yml | 2 +- .../file_event/file_event_win_office_macro_files_downloaded.yml | 2 +- .../file_event_win_office_macro_files_from_susp_process.yml | 2 +- .../file_event_win_office_onenote_susp_dropped_files.yml | 2 +- .../file/file_event/file_event_win_office_outlook_newform.yml | 2 +- .../file_event_win_office_publisher_files_in_susp_locations.yml | 2 +- .../file_event/file_event_win_office_susp_file_extension.yml | 2 +- .../file_event/file_event_win_office_uncommon_file_startup.yml | 2 +- .../file/file_event/file_event_win_perflogs_susp_files.yml | 2 +- .../file_event_win_powershell_drop_binary_or_script.yml | 2 +- .../file_event/file_event_win_powershell_drop_powershell.yml | 2 +- .../file_event/file_event_win_powershell_module_creation.yml | 2 +- .../file_event_win_powershell_module_susp_creation.yml | 2 +- 
.../file_event/file_event_win_powershell_startup_shortcuts.yml | 2 +- .../file/file_event/file_event_win_rdp_file_susp_creation.yml | 2 +- rules/windows/file/file_event/file_event_win_ripzip_attack.yml | 2 +- rules/windows/file/file_event/file_event_win_sam_dump.yml | 2 +- .../file_event/file_event_win_shell_write_susp_directory.yml | 2 +- .../file_event_win_shell_write_susp_files_extensions.yml | 2 +- rules/windows/file/file_event/file_event_win_susp_colorcpl.yml | 2 +- .../file/file_event/file_event_win_susp_homoglyph_filename.yml | 2 +- .../file_event_win_susp_legitimate_app_dropping_exe.yml | 2 +- .../file_event_win_susp_legitimate_app_dropping_script.yml | 2 +- .../file_event_win_susp_startup_folder_persistence.yml | 2 +- .../file_event_win_susp_vscode_powershell_profile.yml | 2 +- .../file_event/file_event_win_susp_winsxs_binary_creation.yml | 2 +- .../file_event_win_sysinternals_livekd_default_dump_name.yml | 2 +- .../file_event/file_event_win_sysinternals_livekd_driver.yml | 2 +- .../file_event_win_sysinternals_livekd_driver_susp_creation.yml | 2 +- ...file_event_win_sysinternals_procexp_driver_susp_creation.yml | 2 +- ...file_event_win_sysinternals_procmon_driver_susp_creation.yml | 2 +- .../file_event_win_sysinternals_psexec_service_key.yml | 2 +- .../file/file_event/file_event_win_wmiexec_default_filename.yml | 2 +- .../windows/file/file_rename/file_rename_win_not_dll_to_dll.yml | 2 +- rules/windows/file/file_rename/file_rename_win_ransomware.yml | 2 +- .../image_load/image_load_cmstp_load_dll_from_susp_location.yml | 2 +- .../windows/image_load/image_load_dll_amsi_uncommon_process.yml | 2 +- .../image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml | 2 +- .../windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml | 2 +- rules/windows/image_load/image_load_dll_system_drawing_load.yml | 2 +- .../image_load_dll_system_management_automation_susp_load.yml | 2 +- rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml | 2 +- 
rules/windows/image_load/image_load_dll_vssapi_susp_load.yml | 2 +- rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml | 2 +- rules/windows/image_load/image_load_hktl_sharpevtmute.yml | 2 +- .../image_load/image_load_office_excel_xll_susp_load.yml | 2 +- .../image_load/image_load_office_powershell_dll_load.yml | 2 +- rules/windows/image_load/image_load_side_load_7za.yml | 2 +- rules/windows/image_load/image_load_side_load_antivirus.yml | 2 +- rules/windows/image_load/image_load_side_load_appverifui.yml | 2 +- ...ge_load_side_load_aruba_networks_virtual_intranet_access.yml | 2 +- .../image_load/image_load_side_load_chrome_frame_helper.yml | 2 +- rules/windows/image_load/image_load_side_load_coregen.yml | 2 +- rules/windows/image_load/image_load_side_load_dbgcore_dll.yml | 2 +- rules/windows/image_load/image_load_side_load_dbghelp_dll.yml | 2 +- rules/windows/image_load/image_load_side_load_edputil.yml | 2 +- rules/windows/image_load/image_load_side_load_goopdate.yml | 2 +- rules/windows/image_load/image_load_side_load_gup_libcurl.yml | 2 +- rules/windows/image_load/image_load_side_load_iviewers.yml | 2 +- rules/windows/image_load/image_load_side_load_libvlc.yml | 2 +- .../image_load/image_load_side_load_non_existent_dlls.yml | 2 +- rules/windows/image_load/image_load_side_load_office_dlls.yml | 2 +- rules/windows/image_load/image_load_side_load_rcdll.yml | 2 +- .../image_load_side_load_rjvplatform_default_location.yml | 2 +- .../image_load_side_load_rjvplatform_non_default_location.yml | 2 +- rules/windows/image_load/image_load_side_load_robform.yml | 2 +- rules/windows/image_load/image_load_side_load_shelldispatch.yml | 2 +- rules/windows/image_load/image_load_side_load_smadhook.yml | 2 +- .../windows/image_load/image_load_side_load_solidpdfcreator.yml | 2 +- rules/windows/image_load/image_load_side_load_vmware_xfer.yml | 2 +- rules/windows/image_load/image_load_side_load_waveedit.yml | 2 +- rules/windows/image_load/image_load_side_load_wazuh.yml | 2 +- 
rules/windows/image_load/image_load_side_load_wwlib.yml | 2 +- .../image_load_susp_clickonce_unsigned_module_loaded.yml | 2 +- .../net_connection_win_dfsvc_uncommon_ports.yml | 2 +- .../net_connection_win_google_api_non_browser_access.yml | 2 +- .../net_connection_win_notion_api_susp_communication.yml | 2 +- .../net_connection_win_reddit_api_non_browser_access.yml | 2 +- .../net_connection_win_susp_external_ip_lookup.yml | 2 +- .../net_connection_win_telegram_api_non_browser_access.yml | 2 +- .../net_connection_win_winlogon_net_connections.yml | 2 +- .../posh_pm_active_directory_module_dll_import.yml | 2 +- .../powershell/powershell_module/posh_pm_exploit_scripts.yml | 2 +- .../powershell/powershell_module/posh_pm_get_clipboard.yml | 2 +- .../posh_pm_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../posh_pm_invoke_obfuscation_via_use_mhsta.yml | 2 +- .../powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml | 2 +- .../powershell/powershell_module/posh_pm_susp_download.yml | 2 +- .../powershell_module/posh_pm_susp_invocation_generic.yml | 2 +- .../powershell_module/posh_pm_susp_invocation_specific.yml | 2 +- .../posh_ps_aadinternals_cmdlets_execution.yml | 2 +- .../posh_ps_active_directory_module_dll_import.yml | 2 +- .../powershell_script/posh_ps_add_windows_capability.yml | 2 +- .../powershell_script/posh_ps_amsi_null_bits_bypass.yml | 2 +- .../powershell/powershell_script/posh_ps_audio_exfiltration.yml | 2 +- .../powershell_script/posh_ps_dotnet_assembly_from_file.yml | 2 +- .../powershell_script/posh_ps_download_com_cradles.yml | 2 +- .../posh_ps_enable_susp_windows_optional_feature.yml | 2 +- .../powershell_script/posh_ps_frombase64string_archive.yml | 2 +- .../powershell/powershell_script/posh_ps_hktl_rubeus.yml | 2 +- .../powershell_script/posh_ps_import_module_susp_dirs.yml | 2 +- .../posh_ps_install_unsigned_appx_packages.yml | 2 +- .../posh_ps_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../powershell_script/posh_ps_nishang_malicious_commandlets.yml 
| 2 +- .../powershell_script/posh_ps_remote_session_creation.yml | 2 +- .../powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml | 2 +- .../powershell_script/posh_ps_resolve_list_of_ip_from_file.yml | 2 +- .../posh_ps_script_with_upload_capabilities.yml | 2 +- .../posh_ps_set_policies_to_unsecure_level.yml | 2 +- .../powershell/powershell_script/posh_ps_susp_ace_tampering.yml | 2 +- .../powershell_script/posh_ps_susp_alias_obfscuation.yml | 2 +- .../powershell_script/posh_ps_susp_invocation_specific.yml | 2 +- .../posh_ps_susp_invoke_webrequest_useragent.yml | 2 +- .../powershell_script/posh_ps_susp_keylogger_activity.yml | 2 +- .../powershell/powershell_script/posh_ps_susp_set_alias.yml | 2 +- .../posh_ps_tamper_windows_defender_set_mp.yml | 2 +- .../powershell/powershell_script/posh_ps_token_obfuscation.yml | 2 +- .../posh_ps_veeam_credential_dumping_script.yml | 2 +- .../powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml | 2 +- .../powershell_script/posh_ps_win_api_susp_access.yml | 2 +- .../posh_ps_windows_firewall_profile_disabled.yml | 2 +- .../powershell/powershell_script/posh_ps_x509enrollment.yml | 2 +- rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml | 2 +- .../process_access/proc_access_win_cred_dump_lsass_access.yml | 2 +- .../process_access/proc_access_win_invoke_patchingapi.yml | 2 +- rules/windows/process_access/proc_access_win_invoke_phantom.yml | 2 +- .../process_access/proc_access_win_susp_proc_access_lsass.yml | 2 +- .../proc_access_win_susp_proc_access_lsass_susp_source.yml | 2 +- .../proc_creation_win_7zip_password_extraction.yml | 2 +- .../process_creation/proc_creation_win_adplus_memory_dump.yml | 2 +- .../proc_creation_win_agentexecutor_potential_abuse.yml | 2 +- .../proc_creation_win_agentexecutor_susp_usage.yml | 2 +- .../process_creation/proc_creation_win_attrib_system.yml | 2 +- .../proc_creation_win_attrib_system_susp_paths.yml | 2 +- .../proc_creation_win_bitsadmin_download_direct_ip.yml | 2 +- 
.../proc_creation_win_bitsadmin_download_susp_extensions.yml | 2 +- .../proc_creation_win_bitsadmin_download_susp_targetfolder.yml | 2 +- ...oc_creation_win_bitsadmin_download_uncommon_targetfolder.yml | 2 +- .../proc_creation_win_browsers_chromium_headless_debugging.yml | 2 +- .../proc_creation_win_browsers_remote_debugging.yml | 2 +- .../process_creation/proc_creation_win_certoc_load_dll.yml | 2 +- .../proc_creation_win_certoc_load_dll_susp_locations.yml | 2 +- .../proc_creation_win_certutil_download_direct_ip.yml | 2 +- .../proc_creation_win_certutil_encode_susp_extensions.yml | 2 +- .../proc_creation_win_certutil_encode_susp_location.yml | 2 +- .../proc_creation_win_certutil_ntlm_coercion.yml | 2 +- .../process_creation/proc_creation_win_chcp_codepage_lookup.yml | 2 +- .../proc_creation_win_cipher_overwrite_deleted_data.yml | 2 +- .../proc_creation_win_cloudflared_tunnel_cleanup.yml | 2 +- .../proc_creation_win_cloudflared_tunnel_run.yml | 2 +- .../proc_creation_win_cmd_assoc_tamper_exe_file_association.yml | 2 +- .../process_creation/proc_creation_win_cmd_del_execution.yml | 2 +- .../process_creation/proc_creation_win_cmd_dir_execution.yml | 2 +- .../process_creation/proc_creation_win_cmd_dosfuscation.yml | 2 +- .../proc_creation_win_cmd_net_use_and_exec_combo.yml | 2 +- .../proc_creation_win_cmd_no_space_execution.yml | 2 +- .../proc_creation_win_cmd_ping_del_combined_execution.yml | 2 +- .../windows/process_creation/proc_creation_win_cmd_redirect.yml | 2 +- .../proc_creation_win_cmd_redirection_susp_folder.yml | 2 +- .../process_creation/proc_creation_win_cmd_rmdir_execution.yml | 2 +- .../proc_creation_win_cmd_shadowcopy_access.yml | 2 +- .../process_creation/proc_creation_win_cmd_stdin_redirect.yml | 2 +- .../proc_creation_win_cmd_sticky_keys_replace.yml | 2 +- .../process_creation/proc_creation_win_cmd_unusual_parent.yml | 2 +- .../proc_creation_win_cmdkey_adding_generic_creds.yml | 2 +- .../windows/process_creation/proc_creation_win_cmdkey_recon.yml | 2 
+- .../proc_creation_win_conhost_susp_child_process.yml | 2 +- .../proc_creation_win_conhost_uncommon_parent.yml | 2 +- .../windows/process_creation/proc_creation_win_csvde_export.yml | 2 +- .../proc_creation_win_curl_insecure_connection.yml | 2 +- .../process_creation/proc_creation_win_curl_susp_download.yml | 2 +- .../proc_creation_win_deviceenroller_dll_sideloading.yml | 2 +- .../proc_creation_win_dfsvc_suspicious_child_processes.yml | 2 +- .../process_creation/proc_creation_win_dirlister_execution.yml | 2 +- .../proc_creation_win_dllhost_no_cli_execution.yml | 2 +- .../proc_creation_win_dns_susp_child_process.yml | 2 +- .../process_creation/proc_creation_win_dnscmd_discovery.yml | 2 +- .../proc_creation_win_dsacls_abuse_permissions.yml | 2 +- .../proc_creation_win_dsacls_password_spray.yml | 2 +- .../proc_creation_win_dumpminitool_execution.yml | 2 +- .../proc_creation_win_dumpminitool_susp_execution.yml | 2 +- .../proc_creation_win_findstr_recon_everyone.yml | 2 +- .../proc_creation_win_fsutil_symlinkevaluation.yml | 2 +- .../process_creation/proc_creation_win_git_susp_clone.yml | 2 +- .../proc_creation_win_googleupdate_susp_child_process.yml | 2 +- .../proc_creation_win_gup_arbitrary_binary_execution.yml | 2 +- .../windows/process_creation/proc_creation_win_gup_download.yml | 2 +- .../proc_creation_win_hh_chm_remote_download_or_execution.yml | 2 +- .../windows/process_creation/proc_creation_win_hktl_certify.yml | 2 +- .../windows/process_creation/proc_creation_win_hktl_certipy.yml | 2 +- .../proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml | 2 +- .../proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml | 2 +- .../proc_creation_win_hktl_cobaltstrike_process_patterns.yml | 2 +- .../proc_creation_win_hktl_crackmapexec_patterns.yml | 2 +- .../proc_creation_win_hktl_execution_via_imphashes.yml | 2 +- .../proc_creation_win_hktl_execution_via_pe_metadata.yml | 2 +- rules/windows/process_creation/proc_creation_win_hktl_gmer.yml | 2 +- 
.../process_creation/proc_creation_win_hktl_handlekatz.yml | 2 +- .../proc_creation_win_hktl_htran_or_natbypass.yml | 2 +- .../process_creation/proc_creation_win_hktl_impersonate.yml | 2 +- .../windows/process_creation/proc_creation_win_hktl_inveigh.yml | 2 +- .../proc_creation_win_hktl_jlaive_batch_execution.yml | 2 +- .../process_creation/proc_creation_win_hktl_krbrelay.yml | 2 +- .../process_creation/proc_creation_win_hktl_krbrelayup.yml | 2 +- .../process_creation/proc_creation_win_hktl_localpotato.yml | 2 +- .../process_creation/proc_creation_win_hktl_pchunter.yml | 2 +- .../process_creation/proc_creation_win_hktl_powertool.yml | 2 +- .../process_creation/proc_creation_win_hktl_quarks_pwdump.yml | 2 +- .../process_creation/proc_creation_win_hktl_safetykatz.yml | 2 +- .../process_creation/proc_creation_win_hktl_sharp_chisel.yml | 2 +- .../proc_creation_win_hktl_sharp_impersonation.yml | 2 +- .../proc_creation_win_hktl_sharp_ldap_monitor.yml | 2 +- .../process_creation/proc_creation_win_hktl_sharpersist.yml | 2 +- .../process_creation/proc_creation_win_hktl_sharpevtmute.yml | 2 +- .../process_creation/proc_creation_win_hktl_sharpldapwhoami.yml | 2 +- .../windows/process_creation/proc_creation_win_hktl_sharpup.yml | 2 +- .../process_creation/proc_creation_win_hktl_sharpview.yml | 2 +- .../proc_creation_win_hktl_sliver_c2_execution_pattern.yml | 2 +- .../proc_creation_win_hktl_stracciatella_execution.yml | 2 +- .../process_creation/proc_creation_win_hktl_sysmoneop.yml | 2 +- .../process_creation/proc_creation_win_hktl_trufflesnout.yml | 2 +- .../windows/process_creation/proc_creation_win_hktl_winpeas.yml | 2 +- .../proc_creation_win_hktl_wmiexec_default_powershell.yml | 2 +- .../proc_creation_win_homoglyph_cyrillic_lookalikes.yml | 2 +- .../proc_creation_win_iis_appcmd_http_logging.yml | 2 +- ..._creation_win_iis_appcmd_service_account_password_dumped.yml | 2 +- .../proc_creation_win_iis_appcmd_susp_rewrite_rule.yml | 2 +- 
.../proc_creation_win_iis_connection_strings_decryption.yml | 2 +- .../proc_creation_win_imagingdevices_unusual_parents.yml | 2 +- .../proc_creation_win_java_keytool_susp_child_process.yml | 2 +- .../proc_creation_win_java_susp_child_process.yml | 2 +- .../windows/process_creation/proc_creation_win_kd_execution.yml | 2 +- .../proc_creation_win_ksetup_password_change_computer.yml | 2 +- .../proc_creation_win_ksetup_password_change_user.yml | 2 +- .../process_creation/proc_creation_win_ldifde_export.yml | 2 +- .../process_creation/proc_creation_win_ldifde_file_load.yml | 2 +- .../proc_creation_win_lodctr_performance_counter_tampering.yml | 2 +- .../process_creation/proc_creation_win_lolbin_appvlp.yml | 2 +- .../process_creation/proc_creation_win_lolbin_defaultpack.yml | 2 +- .../process_creation/proc_creation_win_lolbin_dotnet_dump.yml | 2 +- .../process_creation/proc_creation_win_lolbin_gpscript.yml | 2 +- .../proc_creation_win_lolbin_mspub_download.yml | 2 +- .../process_creation/proc_creation_win_lolbin_pcalua.yml | 2 +- .../proc_creation_win_lolbin_protocolhandler_download.yml | 2 +- .../process_creation/proc_creation_win_lolbin_runexehelper.yml | 2 +- .../process_creation/proc_creation_win_lolbin_squirrel.yml | 2 +- rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml | 2 +- .../process_creation/proc_creation_win_lolbin_unregmp2.yml | 2 +- .../process_creation/proc_creation_win_mofcomp_execution.yml | 2 +- .../proc_creation_win_msdt_arbitrary_command_execution.yml | 2 +- .../proc_creation_win_msdt_susp_cab_options.yml | 2 +- .../process_creation/proc_creation_win_msdt_susp_parent.yml | 2 +- rules/windows/process_creation/proc_creation_win_mshta_http.yml | 2 +- .../proc_creation_win_mshta_inline_vbscript.yml | 2 +- .../process_creation/proc_creation_win_mshta_susp_pattern.yml | 2 +- .../windows/process_creation/proc_creation_win_msiexec_dll.yml | 2 +- .../proc_creation_win_msiexec_install_quiet.yml | 2 +- 
.../proc_creation_win_msra_process_injection.yml | 2 +- .../proc_creation_win_mssql_susp_child_process.yml | 2 +- .../proc_creation_win_mssql_veaam_susp_child_processes.yml | 2 +- .../proc_creation_win_mstsc_remote_connection.yml | 2 +- .../proc_creation_win_mstsc_run_local_rdp_file.yml | 2 +- ...proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml | 2 +- .../proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml | 2 +- .../proc_creation_win_net_default_accounts_manipulation.yml | 2 +- .../proc_creation_win_net_groups_and_accounts_recon.yml | 2 +- .../proc_creation_win_net_network_connections_discovery.yml | 2 +- .../process_creation/proc_creation_win_net_stop_service.yml | 2 +- .../process_creation/proc_creation_win_net_use_mount_share.yml | 2 +- .../process_creation/proc_creation_win_netsh_fw_delete_rule.yml | 2 +- .../proc_creation_win_netsh_fw_rules_discovery.yml | 2 +- .../process_creation/proc_creation_win_nltest_execution.yml | 2 +- .../windows/process_creation/proc_creation_win_nltest_recon.yml | 2 +- rules/windows/process_creation/proc_creation_win_node_abuse.yml | 2 +- .../proc_creation_win_odbcconf_driver_install.yml | 2 +- .../proc_creation_win_odbcconf_driver_install_susp.yml | 2 +- .../proc_creation_win_odbcconf_exec_susp_locations.yml | 2 +- .../proc_creation_win_odbcconf_register_dll_regsvr.yml | 2 +- .../proc_creation_win_odbcconf_register_dll_regsvr_susp.yml | 2 +- .../proc_creation_win_odbcconf_response_file.yml | 2 +- .../proc_creation_win_odbcconf_response_file_susp.yml | 2 +- .../proc_creation_win_odbcconf_uncommon_child_process.yml | 2 +- .../proc_creation_win_office_arbitrary_cli_download.yml | 2 +- .../proc_creation_win_office_onenote_susp_child_processes.yml | 2 +- .../proc_creation_win_office_spawn_exe_from_users_directory.yml | 2 +- .../proc_creation_win_office_svchost_parent.yml | 2 +- .../process_creation/proc_creation_win_pdqdeploy_execution.yml | 2 +- .../proc_creation_win_perl_inline_command_execution.yml | 2 +- 
.../proc_creation_win_php_inline_command_execution.yml | 2 +- ...c_creation_win_powershell_aadinternals_cmdlets_execution.yml | 2 +- ...eation_win_powershell_active_directory_module_dll_import.yml | 2 +- .../proc_creation_win_powershell_add_windows_capability.yml | 2 +- .../proc_creation_win_powershell_amsi_null_bits_bypass.yml | 2 +- .../proc_creation_win_powershell_base64_mppreference.yml | 2 +- .../proc_creation_win_powershell_base64_wmi_classes.yml | 2 +- .../proc_creation_win_powershell_decode_gzip.yml | 2 +- .../proc_creation_win_powershell_decrypt_pattern.yml | 2 +- .../proc_creation_win_powershell_disable_firewall.yml | 2 +- .../proc_creation_win_powershell_download_com_cradles.yml | 2 +- .../proc_creation_win_powershell_download_cradles.yml | 2 +- .../proc_creation_win_powershell_download_dll.yml | 2 +- .../proc_creation_win_powershell_download_iex.yml | 2 +- ...tion_win_powershell_enable_susp_windows_optional_feature.yml | 2 +- .../process_creation/proc_creation_win_powershell_encode.yml | 2 +- .../proc_creation_win_powershell_encoded_cmd_patterns.yml | 2 +- .../proc_creation_win_powershell_encoded_obfusc.yml | 2 +- .../proc_creation_win_powershell_exec_data_file.yml | 2 +- .../proc_creation_win_powershell_export_certificate.yml | 2 +- .../proc_creation_win_powershell_frombase64string_archive.yml | 2 +- .../proc_creation_win_powershell_import_cert_susp_locations.yml | 2 +- .../proc_creation_win_powershell_import_module_susp_dirs.yml | 2 +- ...c_creation_win_powershell_install_unsigned_appx_packages.yml | 2 +- .../proc_creation_win_powershell_invocation_specific.yml | 2 +- ...proc_creation_win_powershell_invoke_webrequest_direct_ip.yml | 2 +- .../proc_creation_win_powershell_invoke_webrequest_download.yml | 2 +- .../proc_creation_win_powershell_malicious_cmdlets.yml | 2 +- .../proc_creation_win_powershell_set_service_disabled.yml | 2 +- .../proc_creation_win_powershell_shadowcopy_deletion.yml | 2 +- .../proc_creation_win_powershell_snapins_hafnium.yml | 2 
+- .../proc_creation_win_powershell_stop_service.yml | 2 +- .../proc_creation_win_powershell_susp_child_processes.yml | 2 +- .../proc_creation_win_powershell_token_obfuscation.yml | 2 +- .../proc_creation_win_powershell_webclient_casing.yml | 2 +- .../proc_creation_win_powershell_x509enrollment.yml | 2 +- .../process_creation/proc_creation_win_pua_3proxy_execution.yml | 2 +- .../proc_creation_win_pua_adfind_enumeration.yml | 2 +- .../proc_creation_win_pua_advanced_ip_scanner.yml | 2 +- .../proc_creation_win_pua_advanced_port_scanner.yml | 2 +- .../process_creation/proc_creation_win_pua_advancedrun.yml | 2 +- .../proc_creation_win_pua_advancedrun_priv_user.yml | 2 +- rules/windows/process_creation/proc_creation_win_pua_chisel.yml | 2 +- .../process_creation/proc_creation_win_pua_cleanwipe.yml | 2 +- .../windows/process_creation/proc_creation_win_pua_crassus.yml | 2 +- rules/windows/process_creation/proc_creation_win_pua_csexec.yml | 2 +- .../process_creation/proc_creation_win_pua_defendercheck.yml | 2 +- rules/windows/process_creation/proc_creation_win_pua_frp.yml | 2 +- rules/windows/process_creation/proc_creation_win_pua_iox.yml | 2 +- rules/windows/process_creation/proc_creation_win_pua_netcat.yml | 2 +- .../windows/process_creation/proc_creation_win_pua_nimgrab.yml | 2 +- rules/windows/process_creation/proc_creation_win_pua_nircmd.yml | 2 +- rules/windows/process_creation/proc_creation_win_pua_nps.yml | 2 +- rules/windows/process_creation/proc_creation_win_pua_nsudo.yml | 2 +- .../process_creation/proc_creation_win_pua_process_hacker.yml | 2 +- .../process_creation/proc_creation_win_pua_rcedit_execution.yml | 2 +- .../process_creation/proc_creation_win_pua_rclone_execution.yml | 2 +- .../windows/process_creation/proc_creation_win_pua_seatbelt.yml | 2 +- .../process_creation/proc_creation_win_pua_system_informer.yml | 2 +- .../proc_creation_win_pua_webbrowserpassview.yml | 2 +- .../proc_creation_win_pua_wsudo_susp_execution.yml | 2 +- 
.../proc_creation_win_python_inline_command_execution.yml | 2 +- .../process_creation/proc_creation_win_query_session_exfil.yml | 2 +- .../proc_creation_win_rar_susp_greedy_compression.yml | 2 +- .../proc_creation_win_reg_defender_exclusion.yml | 2 +- .../process_creation/proc_creation_win_reg_delete_safeboot.yml | 2 +- .../process_creation/proc_creation_win_reg_delete_services.yml | 2 +- .../proc_creation_win_reg_import_from_suspicious_paths.yml | 2 +- .../proc_creation_win_reg_lsa_disable_restricted_admin.yml | 2 +- .../proc_creation_win_reg_lsa_ppl_protection_disabled.yml | 2 +- .../process_creation/proc_creation_win_reg_rdp_keys_tamper.yml | 2 +- .../proc_creation_win_reg_windows_defender_tamper.yml | 2 +- .../proc_creation_win_regasm_suspicious_execution.yml | 2 +- rules/windows/process_creation/proc_creation_win_regini_ads.yml | 2 +- .../process_creation/proc_creation_win_regini_execution.yml | 2 +- .../proc_creation_win_registry_logon_script.yml | 2 +- .../proc_creation_win_registry_new_network_provider.yml | 2 +- ...roc_creation_win_registry_set_unsecure_powershell_policy.yml | 2 +- .../proc_creation_win_regsvr32_http_ip_pattern.yml | 2 +- .../proc_creation_win_regsvr32_network_pattern.yml | 2 +- .../proc_creation_win_regsvr32_susp_child_process.yml | 2 +- .../proc_creation_win_regsvr32_susp_exec_path_1.yml | 2 +- .../proc_creation_win_regsvr32_susp_exec_path_2.yml | 2 +- .../proc_creation_win_regsvr32_susp_extensions.yml | 2 +- .../process_creation/proc_creation_win_regsvr32_susp_parent.yml | 2 +- ...n_win_remote_access_tools_anydesk_piped_password_via_cli.yml | 2 +- .../proc_creation_win_remote_access_tools_anydesk_susp_exec.yml | 2 +- .../proc_creation_win_remote_access_tools_netsupport.yml | 2 +- ...oc_creation_win_remote_access_tools_netsupport_susp_exec.yml | 2 +- ...ation_win_remote_access_tools_rurat_non_default_location.yml | 2 +- ...c_creation_win_remote_access_tools_screenconnect_anomaly.yml | 2 +- 
.../process_creation/proc_creation_win_renamed_browsercore.yml | 2 +- .../process_creation/proc_creation_win_renamed_createdump.yml | 2 +- .../process_creation/proc_creation_win_renamed_mavinject.yml | 2 +- .../windows/process_creation/proc_creation_win_renamed_msdt.yml | 2 +- .../proc_creation_win_renamed_netsupport_rat.yml | 2 +- .../process_creation/proc_creation_win_renamed_plink.yml | 2 +- .../proc_creation_win_renamed_rundll32_dllregisterserver.yml | 2 +- .../process_creation/proc_creation_win_renamed_rurat.yml | 2 +- .../proc_creation_win_renamed_sysinternals_sdelete.yml | 2 +- .../process_creation/proc_creation_win_renamed_vmnat.yml | 2 +- .../proc_creation_win_ruby_inline_command_execution.yml | 2 +- .../proc_creation_win_rundll32_ads_stored_dll_execution.yml | 2 +- ...oc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml | 2 +- .../proc_creation_win_rundll32_installscreensaver.yml | 2 +- .../process_creation/proc_creation_win_rundll32_keymgr.yml | 2 +- .../process_creation/proc_creation_win_rundll32_ntlmrelay.yml | 2 +- .../proc_creation_win_rundll32_obfuscated_ordinal_call.yml | 2 +- .../process_creation/proc_creation_win_rundll32_script_run.yml | 2 +- .../proc_creation_win_rundll32_shell32_susp_execution.yml | 2 +- ...proc_creation_win_rundll32_shelldispatch_potential_abuse.yml | 2 +- ...reation_win_rundll32_susp_execution_with_image_extension.yml | 2 +- .../proc_creation_win_rundll32_susp_shellexec_execution.yml | 2 +- .../process_creation/proc_creation_win_rundll32_user32_dll.yml | 2 +- .../process_creation/proc_creation_win_sc_disable_service.yml | 2 +- .../proc_creation_win_sc_sdset_allow_service_changes.yml | 2 +- .../proc_creation_win_sc_sdset_modification.yml | 2 +- .../process_creation/proc_creation_win_sc_stop_service.yml | 2 +- .../process_creation/proc_creation_win_schtasks_env_folder.yml | 2 +- .../proc_creation_win_schtasks_one_time_only_midnight_task.yml | 2 +- ...proc_creation_win_schtasks_persistence_windows_telemetry.yml | 2 +- 
.../proc_creation_win_schtasks_powershell_persistence.yml | 2 +- ..._creation_win_schtasks_schedule_via_masqueraded_xml_file.yml | 2 +- .../proc_creation_win_schtasks_susp_pattern.yml | 2 +- .../process_creation/proc_creation_win_secedit_execution.yml | 2 +- .../proc_creation_win_sndvol_susp_child_processes.yml | 2 +- .../proc_creation_win_sqlcmd_veeam_db_recon.yml | 2 +- .../proc_creation_win_sqlite_chromium_profile_data.yml | 2 +- .../proc_creation_win_sqlite_firefox_gecko_profile_data.yml | 2 +- .../process_creation/proc_creation_win_ssh_port_forward.yml | 2 +- .../process_creation/proc_creation_win_ssh_rdp_tunneling.yml | 2 +- .../proc_creation_win_susp_add_user_local_admin_group.yml | 2 +- ...ation_win_susp_always_install_elevated_windows_installer.yml | 2 +- .../proc_creation_win_susp_bad_opsec_sacrificial_processes.yml | 2 +- ...roc_creation_win_susp_commandline_path_traversal_evasion.yml | 2 +- .../proc_creation_win_susp_double_extension_parent.yml | 2 +- .../proc_creation_win_susp_execution_from_guid_folder_names.yml | 2 +- .../process_creation/proc_creation_win_susp_execution_path.yml | 2 +- .../proc_creation_win_susp_inline_win_api_access.yml | 2 +- .../proc_creation_win_susp_ntfs_short_name_path_use_image.yml | 2 +- .../proc_creation_win_susp_priv_escalation_via_named_pipe.yml | 2 +- .../proc_creation_win_susp_right_to_left_override.yml | 2 +- .../proc_creation_win_sysinternals_adexplorer_execution.yml | 2 +- ...proc_creation_win_sysinternals_adexplorer_susp_execution.yml | 2 +- .../proc_creation_win_sysinternals_eula_accepted.yml | 2 +- .../proc_creation_win_sysinternals_livekd_execution.yml | 2 +- ...proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml | 2 +- .../proc_creation_win_sysinternals_procdump.yml | 2 +- ..._creation_win_sysinternals_psexec_paexec_escalate_system.yml | 2 +- .../proc_creation_win_sysinternals_psexec_remote_execution.yml | 2 +- .../proc_creation_win_sysinternals_psexesvc.yml | 2 +- 
.../proc_creation_win_sysinternals_psexesvc_as_system.yml | 2 +- .../proc_creation_win_sysinternals_psloglist.yml | 2 +- .../proc_creation_win_sysinternals_psservice.yml | 2 +- .../proc_creation_win_sysinternals_pssuspend_execution.yml | 2 +- .../proc_creation_win_sysinternals_pssuspend_susp_execution.yml | 2 +- .../process_creation/proc_creation_win_sysinternals_sdelete.yml | 2 +- .../proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml | 2 +- ...eation_win_systemsettingsadminflows_turn_on_dev_features.yml | 2 +- ...c_creation_win_teams_suspicious_command_line_cred_access.yml | 2 +- .../proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml | 2 +- .../proc_creation_win_tscon_rdp_session_hijacking.yml | 2 +- .../proc_creation_win_vmware_toolbox_cmd_persistence.yml | 2 +- .../proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml | 2 +- .../proc_creation_win_werfault_reflect_debugger_exec.yml | 2 +- .../process_creation/proc_creation_win_wevtutil_recon.yml | 2 +- ...roc_creation_win_whoami_execution_from_high_priv_process.yml | 2 +- .../proc_creation_win_whoami_groups_discovery.yml | 2 +- .../proc_creation_win_whoami_parent_anomaly.yml | 2 +- .../proc_creation_win_whoami_priv_discovery.yml | 2 +- .../process_creation/proc_creation_win_whoami_susp_flags.yml | 2 +- .../proc_creation_win_windows_terminal_susp_children.yml | 2 +- .../proc_creation_win_winget_add_custom_source.yml | 2 +- .../proc_creation_win_winget_add_insecure_custom_source.yml | 2 +- .../proc_creation_win_winget_add_susp_custom_source.yml | 2 +- .../proc_creation_win_winget_local_install_via_manifest.yml | 2 +- .../proc_creation_win_wmic_namespace_defender.yml | 2 +- .../proc_creation_win_wmic_recon_computersystem.yml | 2 +- .../process_creation/proc_creation_win_wmic_recon_csproduct.yml | 2 +- .../process_creation/proc_creation_win_wmic_recon_group.yml | 2 +- .../process_creation/proc_creation_win_wmic_recon_hotfix.yml | 2 +- .../process_creation/proc_creation_win_wmic_recon_process.yml | 2 
+- .../process_creation/proc_creation_win_wmic_recon_product.yml | 2 +- .../proc_creation_win_wmic_recon_product_class.yml | 2 +- .../process_creation/proc_creation_win_wmic_recon_service.yml | 2 +- .../proc_creation_win_wmic_recon_system_info_discovery.yml | 2 +- .../proc_creation_win_wmic_remote_execution.yml | 2 +- .../proc_creation_win_wmic_service_manipulation.yml | 2 +- ...proc_creation_win_wmic_susp_execution_via_office_process.yml | 2 +- .../proc_creation_win_wmic_uninstall_application.yml | 2 +- .../proc_creation_win_wscript_cscript_susp_child_processes.yml | 2 +- ...roc_creation_win_wscript_cscript_uncommon_extension_exec.yml | 2 +- .../proc_creation_win_wsl_windows_binaries_execution.yml | 2 +- .../registry/registry_add/registry_add_malware_netwire.yml | 2 +- .../registry_add/registry_add_persistence_amsi_providers.yml | 2 +- .../registry_add/registry_add_persistence_com_key_linking.yml | 2 +- .../registry_add_persistence_disk_cleanup_handler_entry.yml | 2 +- .../registry_add_pua_sysinternals_execution_via_eula.yml | 2 +- ...registry_add_pua_sysinternals_renamed_execution_via_eula.yml | 2 +- .../registry_add_pua_sysinternals_susp_execution_via_eula.yml | 2 +- .../registry_delete_exploit_guard_protected_folders.yml | 2 +- ...gistry_delete_schtasks_hide_task_via_index_value_removal.yml | 2 +- .../registry_delete_schtasks_hide_task_via_sd_value_removal.yml | 2 +- .../registry_event/registry_event_malware_qakbot_registry.yml | 2 +- .../registry_event/registry_event_susp_atbroker_change.yml | 2 +- ...set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml | 2 +- .../registry_set/registry_set_fax_change_service_user.yml | 2 +- .../registry/registry_set/registry_set_fax_dll_persistance.yml | 2 +- .../registry_set_persistence_custom_protocol_handler.yml | 2 +- .../registry_set/registry_set_persistence_reflectdebugger.yml | 2 +- .../registry_set_susp_pendingfilerenameoperations.yml | 2 +- 784 files changed, 784 insertions(+), 784 deletions(-) 
diff --git a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
index adb1e30fc315..0860e557ca59 100644
--- a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
+++ b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
@@ -1,6 +1,6 @@
 title: Rejetto HTTP File Server RCE
 id: a133193c-2daa-4a29-8022-018695fcf0ae
-status: experimental
+status: test
 description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
 references:
 - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
diff --git a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
index 855303ca773c..67c8c5d5fddd 100644
--- a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
 type: similar
-status: experimental
+status: test
 description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
 references:
 - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
diff --git a/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml b/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
index c88a5c934f50..d14cb8f96185 100644
--- a/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
+++ b/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
@@ -1,6 +1,6 @@
 title: Potential EmpireMonkey Activity
 id: 10152a7b-b566-438f-a33c-390b607d1c8d
-status: experimental
+status: test
 description: Detects potential EmpireMonkey APT activity
 references:
 - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml
index b9d335b7a98a..20f54c14b655 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -1,7 +1,7 @@
 title: Potential CVE-2021-26084 Exploitation Attempt
 id: 38825179-3c78-4fed-b222-2e2166b926b1
 description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
-status: experimental
+status: test
 references:
 - https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md
 - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml
index 3caa867879cb..137cb1afc0b5 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml
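Review bot: The context line `description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection` carries a malformed CVE identifier (a stray trailing digit) that the promotion to `test` leaves untouched, while the title, file name and both references all name CVE-2021-26084. It should read `description: Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection`. A rule presented as `test`-grade is expected to have had its metadata checked, and a wrong CVE string in the description breaks CVE-keyed searches and ticket linking in SIEMs that surface it. The detection logic, level and tags of this rule lie outside the hunk.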
@@ -1,6 +1,6 @@
 title: Potential CVE-2021-27905 Exploitation Attempt
 id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
-status: experimental
+status: test
 description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
 references:
 - https://twitter.com/Al1ex4/status/1382981479727128580
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
index e1518fc55966..5a93cde8583d 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
@@ -1,6 +1,6 @@
 title: Suspicious Word Cab File Write CVE-2021-40444
 id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
-status: experimental
+status: test
 description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
 references:
 - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
index 1d4be35ab19c..286d33c83012 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
@@ -1,6 +1,6 @@
 title: Potential Exploitation Attempt From Office Application
 id: 868955d9-697e-45d4-a3da-360cefd7c216
-status: experimental
+status: test
 description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
 references:
 - https://twitter.com/sbousseaden/status/1531653369546301440
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml
index 682e43579d6f..b9bec4de8124 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml
@@ -1,6 +1,6 @@
 title: CVE-2021-41773 Exploitation Attempt
 id: 3007fec6-e761-4319-91af-e32e20ac43f5
-status: experimental
+status: test
 description: |
 Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.
 An attacker could use a path traversal attack to map URLs to files outside the expected document root.
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
index 697865552432..4a2ef9565d7c 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
@@ -1,6 +1,6 @@
 title: Log4j RCE CVE-2021-44228 in Fields
 id: 9be472ed-893c-4ec0-94da-312d2765f654
-status: experimental
+status: test
 description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
 references:
 - https://www.lunasec.io/docs/blog/log4j-zero-day/
diff --git a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml
index c1145049dff7..b7ac162c2f2a 100644
--- a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml
+++ b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml
@@ -1,6 +1,6 @@
 title: Exchange ProxyShell Pattern
 id: 23eee45e-933b-49f9-ae1b-df706d2d52ef
-status: experimental
+status: test
 description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
 references:
 - https://youtu.be/5mqid-7zp8k?t=2231
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
index c64f8175cb9f..63368bd53f06 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
@@ -1,6 +1,6 @@
 title: Potential Devil Bait Related Indicator
 id: 93d5f1b4-36df-45ed-8680-f66f242b8415
-status: experimental
+status: test
 description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
index bbfa00cca78b..36048b04297c 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
@@ -3,7 +3,7 @@ id: e8954be4-b2b8-4961-be18-da1a5bda709c
 related:
 - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
 type: derived
-status: experimental
+status: test
 description: Detects specific process behavior observed with Devil Bait samples
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
index a43f7f96ad60..a011d515529d 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
@@ -1,6 +1,6 @@
 title: Goofy Guineapig Backdoor IOC
 id: f0bafe60-1240-4798-9e60-4364b97e6bad
-status: experimental
+status: test
 description: Detects malicious indicators seen used by the Goofy Guineapig malware
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
index d97e464f7bdd..1b60f29cf72d 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
@@ -1,6 +1,6 @@
 title: Potential Goofy Guineapig Backdoor Activity
 id: 477a5ed3-a374-4282-9f3b-ed94e159a108
-status: experimental
+status: test
 description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
index c5611d4b5040..b01465ca7134 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
@@ -1,6 +1,6 @@
 title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
 id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
-status: experimental
+status: test
 description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml
index 0a30cb20471f..56a12c8c75bb 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml
@@ -1,6 +1,6 @@
 title: Goofy Guineapig Backdoor Potential C2 Communication
 id: 4f573bb6-701a-4b8d-91db-87ae106e9a61
-status: experimental
+status: test
 description: Detects potential C2 communication related to Goofy Guineapig backdoor
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
index f33537d0812b..a4f6d9eef597 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
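Review bot: The context line `title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly` misspells the binary name, and the promotion to `test` carries that misspelling forward; the description two lines below spells it `GoogleUpdate.exe`, so the title should be `title: Potential Goofy Guineapig GoogleUpdate Process Anomaly`. Titles are what analysts see in alert feeds and search on, so a misspelled product name in a rule now advertised as `test`-grade is worth correcting in the same metadata pass. The detection section of this rule lies outside the hunk.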
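Review bot: The file promoted in this hunk is named `proxy_malware_goofy_gunieapig_c2_communication.yml`, which misspells the family name (`gunieapig`), while every other Goofy Guineapig rule touched by this commit and the title inside the file itself use `guineapig`. A status promotion is a natural moment to rename it to `proxy_malware_goofy_guineapig_c2_communication.yml` so it sorts and greps alongside its siblings. Nothing in the hunk's own lines is wrong, and the detection section is outside the hunk.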
@@ -1,6 +1,6 @@
 title: Goofy Guineapig Backdoor Service Creation
 id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
-status: experimental
+status: test
 description: Detects service creation persistence used by the Goofy Guineapig backdoor
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
diff --git a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
index 90ab872bfe46..ad9a1165aa5b 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation
 type: similar
-status: experimental
+status: test
 description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
 references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
index b449d2d952c0..69b13e62a029 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
@@ -1,6 +1,6 @@
 title: Small Sieve Malware File Indicator Creation
 id: 39466c42-c189-476a-989f-8cdb135c163a
-status: experimental
+status: test
 description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
index d2bb906ac78e..45e49e8d3eda 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
@@ -1,6 +1,6 @@
 title: Small Sieve Malware Potential C2 Communication
 id: b0422664-37a4-4e78-949a-4a139309eaf0
-status: experimental
+status: test
 description: Detects potential C2 communication related to Small Sieve malware
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
index 879387907c9f..30168bc4ff5c 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
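Review bot: The only reference visible in the Small Sieve C2 hunk points at the Goofy Guineapig report, `https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf`, while the sibling Small Sieve rule earlier on this line cites `https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf`. This looks like a copy-paste slip rather than a deliberate cross-reference, and promoting the rule to `test` implies its metadata has been reviewed. Replacing the URL under `references` with the Small Sieve MAR would send an analyst triaging the alert to the right report.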
@@ -1,6 +1,6 @@
 title: Potential CVE-2023-21554 QueueJumper Exploitation
 id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
-status: experimental
+status: test
 description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
 references:
     - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml
index 82e3f69c27f1..346fdb0d2bce 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml
@@ -1,6 +1,6 @@
 title: Potential CVE-2022-21587 Exploitation Attempt
 id: d033cb8a-8669-4a8e-a974-48d4185a8503
-status: experimental
+status: test
 description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
 references:
     - https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
index 153ec50860be..5c46a52bbece 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
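Review bot: The QueueJumper rule is filed under `rules-emerging-threats/2022/Exploits/CVE-2022-21554/` while its filename, title and description all name CVE-2023-21554, so the directory is the odd one out. The related MSMQ rule later in this patch, `rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml`, already sits under 2023 but without a CVE subdirectory, so neither placement matches the `2023/Exploits/CVE-…/` layout of the neighbouring rules. Moving this file to `rules-emerging-threats/2023/Exploits/CVE-2023-21554/`, with the MSMQ rule alongside it, would keep the tree searchable by CVE; I cannot tell from the hunk whether anything else references the current path.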
@@ -1,6 +1,6 @@
 title: Potential CVE-2022-26809 Exploitation Attempt
 id: a7cd7306-df8b-4398-b711-6f3e4935cf16
-status: experimental
+status: test
 description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
 references:
     - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml
index b542a5370d49..49746fb11306 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml
@@ -1,6 +1,6 @@
 title: Zimbra Collaboration Suite Email Server Unauthenticated RCE
 id: dd218fb6-4d02-42dc-85f0-a0a376072efd
-status: experimental
+status: test
 description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
 references:
     - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
index 88b3a5d03679..8cd0fe17492e 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
@@ -1,6 +1,6 @@
 title: Potential CVE-2022-29072 Exploitation Attempt
 id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
-status: experimental
+status: test
 description: |
     Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml
index b94d97cb0fee..051ba4540965 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml
@@ -1,6 +1,6 @@
 title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
 id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
-status: experimental
+status: test
 description: |
     Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
     VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml
index 0950724767ba..01ef72fc07d7 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml
@@ -1,6 +1,6 @@
 title: CVE-2022-31659 VMware Workspace ONE Access RCE
 id: efdb2003-a922-48aa-8f37-8b80021a9706
-status: experimental
+status: test
 description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
 references:
     - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml
index 1cf72efe2740..ec4286e571c2 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml
@@ -1,6 +1,6 @@
 title: Apache Spark Shell Command Injection - Weblogs
 id: 1a9a04fd-02d1-465c-abad-d733fd409f9c
-status: experimental
+status: test
 description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
 references:
     - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
index b8dd2926f881..161dd5a6a5cc 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
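Review bot: The description in the Apache Spark hunk cites the wrong vulnerability: `description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective` names CVE-2014-6287, while the title, the file path and the reference URL all concern CVE-2022-33891. Suggested replacement: `description: Detects attempts to exploit an Apache Spark server via CVE-2022-33891 from a weblogs perspective`. A wrong CVE in the description misleads anyone pivoting from an alert to the advisory, so it is worth correcting in the same change that promotes the rule to `test`.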
@@ -1,6 +1,6 @@
 title: Atlassian Bitbucket Command Injection Via Archive API
 id: 65c0a0ab-d675-4441-bd6b-d3db226a2685
-status: experimental
+status: test
 description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
 references:
     - https://twitter.com/_0xf4n9x_/status/1572052954538192901
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
index d7bb5eb9e665..9c1ef9ed6b12 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
@@ -1,6 +1,6 @@
 title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
 id: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1
-status: experimental
+status: test
 description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
 references:
     - https://seclists.org/fulldisclosure/2023/Jan/1
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml
index a7180e1b320e..649685829f50 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml
@@ -1,6 +1,6 @@
 title: Potential CVE-2022-46169 Exploitation Attempt
 id: 738cb115-881f-4df3-82cc-56ab02fc5192
-status: experimental
+status: test
 description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
 references:
     - https://github.com/0xf4n9x/CVE-2022-46169
diff --git a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml
index bc6d0776ff94..9b05e9bf3a90 100644
--- a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml
+++ b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml
@@ -1,6 +1,6 @@
 title: Potential OWASSRF Exploitation Attempt - Webserver
 id: 181f49fa-0b21-4665-a98c-a57025ebb8c7
-status: experimental
+status: test
 description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
 references:
     - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
diff --git a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml
index 3377316b7a01..af04159771c1 100644
--- a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml
+++ b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml
@@ -1,6 +1,6 @@
 title: OWASSRF Exploitation Attempt Using Public POC - Webserver
 id: 92d78c63-5a5c-4c40-9b60-463810ffb082
-status: experimental
+status: test
 description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
 references:
     - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
diff --git a/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml b/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
index 487eed77406a..e4c1f2d2600f 100644
--- a/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
+++ b/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
@@ -1,6 +1,6 @@
 title: BlueSky Ransomware Artefacts
 id: eee8311f-a752-44f0-bf2f-6b007db16300
-status: experimental
+status: test
 description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
 references:
     - https://unit42.paloaltonetworks.com/bluesky-ransomware/
diff --git a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
index 76b8049a9a45..e8800536468a 100644
--- a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
+++ b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
@@ -1,6 +1,6 @@
 title: Potential Raspberry Robin Dot Ending File
 id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
-status: experimental
+status: test
 description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
 author: Nasreddine Bencherchali (Nextron Systems)
 references:
diff --git a/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml b/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
index 1bcdafd0738f..da5e708848a6 100644
--- a/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
+++ b/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
@@ -1,6 +1,6 @@
 title: MERCURY APT Activity
 id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
-status: experimental
+status: test
 description: Detects suspicious command line patterns seen being used by MERCURY APT
 references:
     - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
index 634bb0c9fc19..cc8c4871a886 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
@@ -1,6 +1,6 @@
 title: Potential CVE-2023-2283 Exploitation
 id: 8b244735-5833-4517-a45b-28d8c63924c0
-status: experimental
+status: test
 description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
 references:
     - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
index 751644b88149..339cf4adaa45 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
@@ -1,6 +1,6 @@
 title: CVE-2023-23397 Exploitation Attempt
 id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
-status: experimental
+status: test
 description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
 author: Robert Lee @quantum_cookie
 date: 2023/03/16
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
index 053642181556..bfdec81c4342 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
@@ -1,6 +1,6 @@
 title: Potential CVE-2023-23397 Exploitation Attempt - SMB
 id: de96b824-02b0-4241-9356-7e9b47f04bac
-status: experimental
+status: test
 description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
 references:
     - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml
index 9709ad6a344c..013f7bf33844 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml
@@ -1,6 +1,6 @@
 title: Potential CVE-2023-23752 Exploitation Attempt
 id: 0e1ebc5a-15d0-4bf6-8199-b2535397433a
-status: experimental
+status: test
 description: Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla
 references:
     - https://xz.aliyun.com/t/12175
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml
index f22ec5abff65..f925b9797df0 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml
@@ -1,6 +1,6 @@
 title: Potential CVE-2023-25157 Exploitation Attempt
 id: c0341543-5ed0-4475-aabc-7eea8c52aa66
-status: experimental
+status: test
 description: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
 references:
     - https://github.com/win3zz/CVE-2023-25157
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml
index 9b36d3f1c1be..511b3e0cdbf6 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml
@@ -1,6 +1,6 @@
 title: Potential CVE-2023-25717 Exploitation Attempt
 id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe
-status: experimental
+status: test
 description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
 references:
     - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml
index 0ce87ec11076..d4a4760be1d1 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml
@@ -1,6 +1,6 @@
 title: Potential MOVEit Transfer CVE-2023-34362 Exploitation
 id: c3b2a774-3152-4989-83c1-7afc48fd1599
-status: experimental
+status: test
 description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
 references:
     - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
diff --git a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
index 08fd3e661ebe..2febe5e8b1a2 100644
--- a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
+++ b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
@@ -1,6 +1,6 @@
 title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
 id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
-status: experimental
+status: test
 description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
 references:
     - https://github.com/SigmaHQ/sigma/pull/3946
diff --git a/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml b/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
index 0c3408e66094..43a2e2704ee4 100644
--- a/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
+++ b/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
@@ -1,6 +1,6 @@
 title: MSMQ Corrupted Packet Encountered
 id: ae94b10d-fee9-4767-82bb-439b309d5a27
-status: experimental
+status: test
 description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
 references:
     - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
index 0684adff58ab..41b37aa37569 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
@@ -1,6 +1,6 @@
 title: Potential COLDSTEEL RAT File Indicators
 id: c708a93f-46b4-4674-a5b8-54aa6219c5fa
-status: experimental
+status: test
 description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
index 095322bc1889..f148f5f42549 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
@@ -1,6 +1,6 @@
 title: Potential COLDSTEEL Persistence Service DLL Creation
 id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27
-status: experimental
+status: test
 description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
index c61a57cb931c..de1b29d530e4 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
@@ -1,6 +1,6 @@
 title: Potential COLDSTEEL Persistence Service DLL Load
 id: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5
-status: experimental
+status: test
 description: |
     Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
 references:
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
index 8512127ccb2e..ced5e608d53a 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
@@ -1,6 +1,6 @@
 title: COLDSTEEL RAT Anonymous User Process Execution
 id: e01b6eb5-1eb4-4465-a165-85d40d874add
-status: experimental
+status: test
 description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
index 10f4bba171d4..904cd08149e8 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
@@ -1,6 +1,6 @@
 title: COLDSTEEL RAT Cleanup Command Execution
 id: 88516f06-ebe0-47ad-858e-ae9fd060ddea
-status: experimental
+status: test
 description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
index be9c89b69f26..3f68e1c21b07 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
@@ -1,6 +1,6 @@
 title: COLDSTEEL RAT Service Persistence Execution
 id: 9f9cd389-cea0-4142-bf1a-a3fd424abedd
-status: experimental
+status: test
 description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
diff --git a/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml b/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
index 03bad8008d73..5704ee15534c 100644
--- a/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
+++ b/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
@@ -1,6 +1,6 @@
 title: Griffon Malware Attack Pattern
 id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
-status: experimental
+status: test
 description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
 references:
     - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
index ae9419fbd1ca..a21081913021 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
@@ -1,6 +1,6 @@
 title: Qakbot Regsvr32 Calc Pattern
 id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
-status: experimental
+status: test
 description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
 references:
     - https://github.com/pr0xylife/Qakbot/
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
index 91b42fddbef6..e5c57fe7b3e3 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
@@ -1,6 +1,6 @@
 title: Potential Qakbot Rundll32 Execution
 id: cf879ffb-793a-4753-9a14-bc8f37cc90df
-status: experimental
+status: test
 description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
 references:
     - https://github.com/pr0xylife/Qakbot/
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
index 964552aa4039..24689638426d 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
@@ -1,6 +1,6 @@
 title: Qakbot Rundll32 Exports Execution
 id: 339ed3d6-5490-46d0-96a7-8abe33078f58
-status: experimental
+status: test
 description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
 references:
     - https://github.com/pr0xylife/Qakbot/
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
index d545e79e49f1..710a5c5b10c5 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
@@ -1,6 +1,6 @@
 title: Qakbot Rundll32 Fake DLL Extension Execution
 id: bfd34392-c591-4009-b938-9fd985a28b85
-status: experimental
+status: test
 description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
 references:
     - https://github.com/pr0xylife/Qakbot/
diff --git a/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml b/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
index 93139d4792bf..4ecc9b1098a0 100644
--- a/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
+++ b/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
@@ -1,6 +1,6 @@
 title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
 id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5
-status: experimental
+status: test
 description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
 references:
     - https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
diff --git a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
index 24f24928799b..a180ce934956 100644
--- a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
+++ b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
@@ -1,6 +1,6 @@
 title: Rorschach Ransomware Execution Activity
 id: 0e9e6c63-1350-48c4-9fa1-7ccb235edc68
-status: experimental
+status: test
 description: Detects Rorschach ransomware execution activity
 references:
     - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml
index 081111fd9d49..d29e486f37fa 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml
@@ -1,6 +1,6 @@
 title: SNAKE Malware Kernel Driver File Indicator
 id: d6d9d23f-69c1-41b5-8305-fa8250bd027f
-status: experimental
+status: test
 description: Detects SNAKE malware kernel driver file indicator
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml
index 3f9600b7ec68..879097f9e42c 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml
@@ -1,6 +1,6 @@
 title: SNAKE Malware Installer Name Indicators
 id: 99eccc2b-7182-442f-8806-b76cc36d866b
-status: experimental
+status: test
 description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml
index 09c2d1c72043..1c4baed9fa01 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml
@@ -1,6 +1,6 @@
 title: SNAKE Malware WerFault Persistence File Creation
 id: 64827580-e4c3-4c64-97eb-c72325d45399
-status: experimental
+status: test
 description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
index 542a864b2bf1..1983488b5251 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
@@ -1,6 +1,6 @@
 title: Potential SNAKE Malware Installation CLI Arguments Indicator
 id: 02cbc035-b390-49fe-a9ff-3bb402c826db
-status: experimental
+status: test
 description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
index a4b89dffb0f9..0d8c23094089 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
@@ -1,6 +1,6 @@
 title: Potential SNAKE Malware Installation Binary Indicator
 id: d91ff53f-fd0c-419d-a6b8-ae038d5c3733
-status: experimental
+status: test
 description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
index f9a6b6a58062..6041bf8a8680 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
@@ -1,6 +1,6 @@
 title: Potential SNAKE Malware Persistence Service Execution
 id: f7536642-4a08-4dd9-b6d5-c3286d8975ed
-status: experimental
+status: test
 description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml b/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
index 3b8b9ea18a72..ceb6ccb75d89 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
@@ -1,6 +1,6 @@
 title: SNAKE Malware Covert Store Registry Key
 id: d0fa35db-0e92-400e-aa16-d32ae2521618
-status: experimental
+status: test
 description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml b/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
index 5aa9f3bed0e4..c6788a232ba2 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
@@ -1,6 +1,6 @@
 title: SNAKE Malware Service Persistence
 id: b2e60816-96b2-45bd-ba91-b63578c03ef6
-status: experimental
+status: test
 description: Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
diff --git a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
index 1a6e420192ad..b9df2c515a41 100644
--- a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
+++ b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
@@ -1,6 +1,6 @@
 title: Potential SocGholish Second Stage C2 DNS Query
 id: 70761fe8-6aa2-4f80-98c1-a57049c08e66
-status: experimental
+status: test
 description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
 references:
 - https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml
index a83f11b4f09d..c2f3cf3d95c9 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml
@@ -15,7 +15,7 @@ related:
 type: similar
 - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
 type: similar
-status: experimental
+status: test
 description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
 references:
 - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
index 6f1f5d6b51d2..bc018e9a87b3 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
@@ -15,7 +15,7 @@ related:
 type: similar
 - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
 type: similar
-status: experimental
+status: test
 description: Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp
 references:
 - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml
index 5aff60374cdd..bc4c7360b099 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml
@@ -15,7 +15,7 @@ related:
 type: similar
 - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
 type: similar
-status: experimental
+status: test
 description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
 references:
 - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
index a0fda2d7f260..6c87274d4f77 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
@@ -15,7 +15,7 @@ related:
 type: similar
 - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
 type: similar
-status: experimental
+status: test
 description: Detects execution of known compromised version of 3CXDesktopApp
 references:
 - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
index e5efa9b6a689..30679a9b6ebb 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
@@ -15,7 +15,7 @@ related:
 type: similar
 - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
 type: similar
-status: experimental
+status: test
 description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
 references:
 - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
index 5f27a12967b8..ea8e3ef0151c 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
@@ -15,7 +15,7 @@ related:
 type: similar
 - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
 type: similar
-status: experimental
+status: test
 description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
 references:
 - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml
index ea73ef901579..4e915b81f189 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml
@@ -15,7 +15,7 @@ related:
 type: similar
 - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
 type: similar
-status: experimental
+status: test
 description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
 references:
 - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml
index 7d2cd5e0e19f..08f6fa5a93d0 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml
@@ -15,7 +15,7 @@ related:
 type: similar
 - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
 type: similar
-status: experimental
+status: test
 description: Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository
 references:
 - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
index 913d4f9f53a6..5e7a8cc1c4c9 100644
--- a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
+++ b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
@@ -3,7 +3,7 @@ id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7
 related:
 - id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2
 type: similar
-status: experimental
+status: test
 description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
 references:
 - https://securelist.com/operation-triangulation/109842/
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
index da3dfcd3570a..be5f12946bab 100644
--- a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
+++ b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
@@ -3,7 +3,7 @@ id: aa03c712-75c6-438b-8d42-de88f2427e09
 related:
 - id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 # DNS C2
 type: similar
-status: experimental
+status: test
 description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
 references:
 - https://securelist.com/operation-triangulation/109842/
diff --git a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
index e130d292fb68..d266dc0d6265 100644
--- a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
@@ -1,6 +1,6 @@
 title: Potential APT FIN7 Related PowerShell Script Created
 id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
-status: experimental
+status: test
 description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
diff --git a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
index 8a5118dfaf8c..36f7cdaca5ab 100644
--- a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
@@ -1,6 +1,6 @@
 title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
 id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e
-status: experimental
+status: test
 description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
diff --git a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
index 4d4c002d16f7..a988bf3c413e 100644
--- a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
@@ -1,6 +1,6 @@
 title: Potential APT Mustang Panda Activity Against Australian Gov
 id: 7806bb49-f653-48d3-a915-5115c1a85234
-status: experimental
+status: test
 description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
 references:
 - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
index f8e96747daf3..d9679eec399c 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
@@ -1,6 +1,6 @@
 title: UNC4841 - Email Exfiltration File Pattern
 id: 0785f462-60b0-4031-9ff4-b4f3a0ba589a
-status: experimental
+status: test
 description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
index 04d1cd61a955..03a3fc7e7b7f 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
@@ -1,6 +1,6 @@
 title: UNC4841 - Barracuda ESG Exploitation Indicators
 id: 5627c337-a9b2-407a-a82d-5fd97035ff39
-status: experimental
+status: test
 description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
index 7079ee0b22ce..8d3101025754 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
@@ -1,6 +1,6 @@
 title: UNC4841 - SSL Certificate Exfiltration Via Openssl
 id: 60911c07-f989-4362-84af-c609828ef829
-status: experimental
+status: test
 description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
index 1bf081ed8e0a..797ffe90f9a7 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
@@ -1,6 +1,6 @@
 title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
 id: 60d050c4-e253-4d9a-b673-5ac100cfddfb
-status: experimental
+status: test
 description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
index 3f5d5e8d82e3..d66d14c1ef74 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
@@ -1,6 +1,6 @@
 title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
 id: 23835beb-ec38-4e74-a5d4-b99af6684e91
-status: experimental
+status: test
 description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml
index a9dbb5d263d7..26a0081f9f58 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml
@@ -1,6 +1,6 @@
 title: UNC4841 - Potential SEASPY Execution
 id: f6a711f3-d032-4f9e-890b-bbe776236c84
-status: experimental
+status: test
 description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
diff --git a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
index 317ef0b71ffe..7d557a63ad72 100644
--- a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
@@ -1,6 +1,6 @@
 title: Potential Zerologon (CVE-2020-1472) Exploitation
 id: dd7876d8-0f09-11eb-adc1-0242ac120002
-status: experimental
+status: test
 description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
 references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
diff --git a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
index 6d9abac3eb88..26bbc586f2c0 100644
--- a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
+++ b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
@@ -1,6 +1,6 @@
 title: Userdomain Variable Enumeration
 id: 43311e65-84d8-42a5-b3d4-c94d9b67038f
-status: experimental
+status: test
 description: Detects suspicious enumeration of the domain the user is associated with.
 references:
 - https://www.arxiv-vanity.com/papers/2008.04676/
diff --git a/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml b/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml
index 1272d93aeb8c..aeb45f6b2929 100644
--- a/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml
@@ -1,6 +1,6 @@
 title: Microsoft Excel Add-In Loaded
 id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
-status: experimental
+status: test
 description: Detects Microsoft Excel loading an Add-In (.xll) file
 references:
 - https://www.mandiant.com/resources/blog/lnk-between-browsers
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_suspicious_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_suspicious_ip.yml
index 6c46d2ac7109..ba3fc34acb27 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_suspicious_ip.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_suspicious_ip.yml
@@ -1,6 +1,6 @@
 title: Dfsvc.EXE Network Connection To Non-Local IPs
 id: 3c21219b-49b5-4268-bce6-c914ed50f09c
-status: experimental
+status: test
 description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
 references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
index 3369c27b5561..e1c0d42dc999 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
@@ -3,7 +3,7 @@ id: 064060aa-09fb-4636-817f-020a32aa7e9e
 related:
 - id: 970007b7-ce32-49d0-a4a4-fbef016950bd
 type: similar
-status: experimental
+status: test
 description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml
index 330497255eb9..ae6d38c1586a 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml
@@ -5,7 +5,7 @@ related:
 type: derived
 - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
 type: derived
-status: experimental
+status: test
 description: Detects file download using curl.exe
 references:
 - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml
index 4eb3db3c8bd4..c9a79e1f3fde 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml
@@ -1,6 +1,6 @@
 title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process
 id: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c
-status: experimental
+status: test
 description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
 references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml
index 6f0b30e3ff8d..ad3536933bd9 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml
@@ -1,6 +1,6 @@
 title: Potential Password Reconnaissance Via Findstr.EXE
 id: 1a0f6f16-2099-4753-9a02-43b6ac7a1fa5
-status: experimental
+status: test
 description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
 references:
 - https://steflan-security.com/windows-privilege-escalation-credential-harvesting/
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
index 299dec08e995..f20e51ddffcb 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
@@ -1,6 +1,6 @@
 title: Import New Module Via PowerShell CommandLine
 id: 4ad74d01-f48c-42d0-b88c-b31efa4d2262
-status: experimental
+status: test
 description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session
 references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3
diff --git a/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
index cbe9ce0dc5b8..7a2cc3b397e3 100644
--- a/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
+++ b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
@@ -1,6 +1,6 @@
 title: Potential JNDI Injection Exploitation In JVM Based Application
 id: bb0e9cec-d4da-46f5-997f-22efc59f3dca
-status: experimental
+status: test
 description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
 references:
 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
diff --git a/rules/application/jvm/java_local_file_read.yml b/rules/application/jvm/java_local_file_read.yml
index ce63649eb17b..c271a0fe2a2f 100644
--- a/rules/application/jvm/java_local_file_read.yml
+++ b/rules/application/jvm/java_local_file_read.yml
@@ -1,6 +1,6 @@
 title: Potential Local File Read Vulnerability In JVM Based Application
 id: e032f5bc-4563-4096-ae3b-064bab588685
-status: experimental
+status: test
 description: |
 Detects potential local file read vulnerability in JVM based apps.
 If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
diff --git a/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml
index fa109bcf23f0..9154fb000da2 100644
--- a/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml
+++ b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml
@@ -1,6 +1,6 @@
 title: Potential OGNL Injection Exploitation In JVM Based Application
 id: 4d0af518-828e-4a04-a751-a7d03f3046ad
-status: experimental
+status: test
 description: |
 Detects potential OGNL Injection exploitation, which may lead to RCE.
 OGNL is an expression language that is supported in many JVM based systems.
diff --git a/rules/application/jvm/java_rce_exploitation_attempt.yml b/rules/application/jvm/java_rce_exploitation_attempt.yml
index c350a2e7030d..3d122585c71d 100644
--- a/rules/application/jvm/java_rce_exploitation_attempt.yml
+++ b/rules/application/jvm/java_rce_exploitation_attempt.yml
@@ -1,6 +1,6 @@
 title: Process Execution Error In JVM Based Application
 id: d65f37da-a26a-48f8-8159-3dde96680ad2
-status: experimental
+status: test
 description: Detects process execution related exceptions in JVM based apps, often relates to RCE
 references:
 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
diff --git a/rules/application/jvm/java_xxe_exploitation_attempt.yml b/rules/application/jvm/java_xxe_exploitation_attempt.yml
index 8e294073746a..95689d5aa3e0 100644
--- a/rules/application/jvm/java_xxe_exploitation_attempt.yml
+++ b/rules/application/jvm/java_xxe_exploitation_attempt.yml
@@ -1,6 +1,6 @@
 title: Potential XXE Exploitation Attempt In JVM Based Application
 id: c4e06896-e27c-4583-95ac-91ce2279345d
-status: experimental
+status: test
 description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
 references:
 - https://rules.sonarsource.com/java/RSPEC-2755
diff --git a/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml
index a5426932c769..95f812860ac0 100644
--- a/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml
+++ b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml
@@ -1,6 +1,6 @@
 title: Potential RCE Exploitation Attempt In NodeJS
 id: 97661d9d-2beb-4630-b423-68985291a8af
-status: experimental
+status: test
 description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
 references:
 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
diff --git a/rules/application/spring/spring_spel_injection.yml b/rules/application/spring/spring_spel_injection.yml
index 6176cb5176a6..4f021ab7e408 100644
--- a/rules/application/spring/spring_spel_injection.yml
+++ b/rules/application/spring/spring_spel_injection.yml
@@ -1,6 +1,6 @@
 title: Potential SpEL Injection In Spring Framework
 id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
-status: experimental
+status: test
 description: Detects potential SpEL Injection exploitation, which may lead to RCE.
 references:
 - https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
diff --git a/rules/application/velocity/velocity_ssti_injection.yml b/rules/application/velocity/velocity_ssti_injection.yml
index 70373fb24a03..b8dbea1c7b83 100644
--- a/rules/application/velocity/velocity_ssti_injection.yml
+++ b/rules/application/velocity/velocity_ssti_injection.yml
@@ -1,6 +1,6 @@
 title: Potential Server Side Template Injection In Velocity
 id: 16c86189-b556-4ee8-b4c7-7e350a195a4f
-status: experimental
+status: test
 description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
 references:
 - https://antgarsil.github.io/posts/velocity/
diff --git a/rules/category/database/db_anomalous_query.yml b/rules/category/database/db_anomalous_query.yml
index 3b0ef70270bc..2810e8541a4d 100644
--- a/rules/category/database/db_anomalous_query.yml
+++ b/rules/category/database/db_anomalous_query.yml
@@ -1,6 +1,6 @@
 title: Suspicious SQL Query
 id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
-status: experimental
+status: test
 description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
 author: '@juju4'
 date: 2022/12/27
diff --git a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
index fc4f7caf4b9e..c52d5975b105 100644
--- a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
@@ -1,6 +1,6 @@
 title: SES Identity Has Been Deleted
 id: 20f754db-d025-4a8f-9d74-e0037e999a9a
-status: experimental
+status: test
 description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
 references:
 - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
diff --git a/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml b/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml
index 257b7f62661e..09eac93acd0b 100644
--- a/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml
@@ -1,6 +1,6 @@
 title: AWS ECS Task Definition That Queries The Credential Endpoint
 id: b94bf91e-c2bf-4047-9c43-c6810f43baad
-status: experimental
+status: test
 description: |
 Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint.
 This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.
diff --git a/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml b/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
index ae7f84a06a90..9b14c04d3488 100644
--- a/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
+++ b/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
@@ -3,7 +3,7 @@ id: f305fd62-beca-47da-ad95-7690a0620084
 related:
 - id: 4723218f-2048-41f6-bcb0-417f2d784f61
 type: similar
-status: experimental
+status: test
 description: Looks for potential enumeration of AWS buckets via ListBuckets.
 references:
 - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
index 6755f3547a77..d21df2190e44 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
@@ -1,6 +1,6 @@
 title: AWS IAM S3Browser LoginProfile Creation
 id: db014773-b1d3-46bd-ba26-133337c0ffee
-status: experimental
+status: test
 description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
 references:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
index 3f38039a203e..abb9586eabe6 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
@@ -1,6 +1,6 @@
 title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
 id: db014773-7375-4f4e-b83b-133337c0ffee
-status: experimental
+status: test
 description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".
 references:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
index e4e9323a4d39..1fd5582964c4 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
@@ -1,6 +1,6 @@
 title: AWS IAM S3Browser User or AccessKey Creation
 id: db014773-d9d9-4792-91e5-133337c0ffee
-status: experimental
+status: test
 description: Detects S3 Browser utility creating IAM User or AccessKey.
 references:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
diff --git a/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml b/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml
index b235c2eced02..18ad0b8b3415 100644
--- a/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml
@@ -3,7 +3,7 @@ id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f
 related:
 - id: ba2a7c80-027b-460f-92e2-57d113897dbc
 type: obsoletes
-status: experimental
+status: test
 description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions
diff --git a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
index d8a495a7d160..dee8102defe0 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
@@ -1,6 +1,6 @@
 title: Suspicious SignIns From A Non Registered Device
 id: 572b12d4-9062-11ed-a1eb-0242ac120002
-status: experimental
+status: test
 description: Detects risky authencaition from a non AD registered device without MFA being required.
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
diff --git a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
index 7a663533d3bf..f5bdb20e125b 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
@@ -1,6 +1,6 @@
 title: Potential MFA Bypass Using Legacy Client Authentication
 id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
-status: experimental
+status: test
 description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
 references:
 - https://blooteem.com/march-2022
diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/cloud/github/github_delete_action_invoked.yml
index 50fb5e72cbad..e0d8f5847822 100644
--- a/rules/cloud/github/github_delete_action_invoked.yml
+++ b/rules/cloud/github/github_delete_action_invoked.yml
@@ -1,6 +1,6 @@
 title: Github Delete Action Invoked
 id: 16a71777-0b2e-4db7-9888-9d59cb75200b
-status: experimental
+status: test
 description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
 author: Muhammad Faisal
 date: 2023/01/19
diff --git a/rules/cloud/github/github_disable_high_risk_configuration.yml b/rules/cloud/github/github_disable_high_risk_configuration.yml
index 02c00f418c14..fbe4fa23b3b4 100644
--- a/rules/cloud/github/github_disable_high_risk_configuration.yml
+++ b/rules/cloud/github/github_disable_high_risk_configuration.yml
@@ -1,6 +1,6 @@
 title: Github High Risk Configuration Disabled
 id: 8622c92d-c00e-463c-b09d-fd06166f6794
-status: experimental
+status: test
 description: Detects when a user disables a critical security feature for an organization.
 author: Muhammad Faisal
 date: 2023/01/29
diff --git a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
index 02052af786d2..5ad33bcf317e 100644
--- a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
+++ b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml
@@ -1,6 +1,6 @@
 title: Outdated Dependency Or Vulnerability Alert Disabled
 id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
-status: experimental
+status: test
 description: |
 Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
 This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
diff --git a/rules/cloud/github/github_new_org_member.yml b/rules/cloud/github/github_new_org_member.yml
index a23d3a98beb1..505626f1d8cb 100644
--- a/rules/cloud/github/github_new_org_member.yml
+++ b/rules/cloud/github/github_new_org_member.yml
@@ -1,6 +1,6 @@
 title: New Github Organization Member Added
 id: 3908d64a-3c06-4091-b503-b3a94424533b
-status: experimental
+status: test
 description: Detects when a new member is added or invited to a github organization.
 author: Muhammad Faisal
 date: 2023/01/29
diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml
index 96767ef8931b..7daa5cc37be0 100644
--- a/rules/cloud/github/github_new_secret_created.yml
+++ b/rules/cloud/github/github_new_secret_created.yml
@@ -1,6 +1,6 @@
 title: Github New Secret Created
 id: f9405037-bc97-4eb7-baba-167dad399b83
-status: experimental
+status: test
 description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
 author: Muhammad Faisal
 date: 2023/01/20
diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml
index fbd16b49e5c4..6127829674fe 100644
--- a/rules/cloud/github/github_outside_collaborator_detected.yml
+++ b/rules/cloud/github/github_outside_collaborator_detected.yml
@@ -1,6 +1,6 @@
 title: Github Outside Collaborator Detected
 id: eaa9ac35-1730-441f-9587-25767bde99d7
-status: experimental
+status: test
 description: |
 Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
 author: Muhammad Faisal
diff --git a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
index 7dc420524d87..23f9b0cb41b8 100644
--- a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
+++ b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
@@ -1,6 +1,6 @@
 title: Github Self Hosted Runner Changes Detected
 id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
-status: experimental
+status: test
 description: |
 A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
diff --git a/rules/cloud/okta/okta_admin_role_assignment_created.yml b/rules/cloud/okta/okta_admin_role_assignment_created.yml
index f8fa2039186c..e16a60c69f6e 100644
--- a/rules/cloud/okta/okta_admin_role_assignment_created.yml
+++ b/rules/cloud/okta/okta_admin_role_assignment_created.yml
@@ -1,6 +1,6 @@
 title: Okta Admin Role Assignment Created
 id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
-status: experimental
+status: test
 description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
 references:
 - https://developer.okta.com/docs/reference/api/system-log/
diff --git a/rules/cloud/okta/okta_fastpass_phishing_detection.yml b/rules/cloud/okta/okta_fastpass_phishing_detection.yml
index 0149ef7a3e00..1928185e8ebc 100644
--- a/rules/cloud/okta/okta_fastpass_phishing_detection.yml
+++ b/rules/cloud/okta/okta_fastpass_phishing_detection.yml
@@ -1,6 +1,6 @@
 title: Okta FastPass Phishing Detection
 id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
-status: experimental
+status: test
 description: Detects when Okta FastPass prevents a known phishing site.
 references:
 - https://sec.okta.com/fastpassphishingdetection
diff --git a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
index 8e13c18dd8c0..ea5f53b8d006 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
@@ -3,7 +3,7 @@ id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
 related:
 - id: d08722cd-3d09-449a-80b4-83ea2d9d4616
 type: similar
-status: experimental
+status: test
 description: Detects calls to hidden files or files located in hidden directories in NIX systems.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
diff --git a/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml b/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
index 9328341cce16..3a042511c1dc 100644
--- a/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
+++ b/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
@@ -3,7 +3,7 @@ id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
 related:
 - id: 53059bc0-1472-438b-956a-7508a94a91f0
 type: similar
-status: experimental
+status: test
 description: |
 Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.
diff --git a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
index 67bbb29040c2..5c76b3f5bdfe 100644
--- a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
+++ b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
@@ -3,7 +3,7 @@ id: a94cdd87-6c54-4678-a6cc-2814ffe5a13d
 related:
 - id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
 type: obsoletes
-status: experimental
+status: test
 description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
 references:
 - https://objective-see.org/blog/blog_0x68.html
diff --git a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
index a4f894a3c134..27829b539317 100644
--- a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
+++ b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
@@ -1,6 +1,6 @@
 title: PwnKit Local Privilege Escalation
 id: 0506a799-698b-43b4-85a1-ac4c84c720e9
-status: experimental
+status: test
 description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
 references:
 - https://twitter.com/wdormann/status/1486161836961579020
diff --git a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
index 6b91e6096303..91ef302ee222 100644
--- a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
+++ b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
@@ -1,6 +1,6 @@
 title: Nimbuspwn Exploitation
 id: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8
-status: experimental
+status: test
 description: Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
 references:
 - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
diff --git a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
index 5df2269909bf..624efdca8cab 100644
--- a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
+++ b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
@@ -1,6 +1,6 @@
 title: Potential Suspicious BPF Activity - Linux
 id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a
-status: experimental
+status: test
 description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
 references:
 - https://redcanary.com/blog/ebpf-malware/
diff --git a/rules/linux/builtin/lnx_susp_dev_tcp.yml b/rules/linux/builtin/lnx_susp_dev_tcp.yml
index 32412662001f..d8f68a34fc61 100644
--- a/rules/linux/builtin/lnx_susp_dev_tcp.yml
+++ b/rules/linux/builtin/lnx_susp_dev_tcp.yml
@@ -1,6 +1,6 @@
 title: Suspicious Use of /dev/tcp
 id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c
-status: experimental
+status: test
 description: Detects suspicious command with /dev/tcp
 references:
 - https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/
diff --git a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
index 6788ea844376..1ba00ab8ec1c 100644
--- a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
+++ b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
@@ -1,6 +1,6 @@
 title: Persistence Via Sudoers Files
 id: ddb26b76-4447-4807-871f-1b035b2bfa5d
-status: experimental
+status: test
 description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
diff --git a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
index 533c0c4eddc6..02764040e459 100644
--- a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
+++ b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
@@ -1,6 +1,6 @@
 title: Potentially Suspicious Shell Script Creation in Profile Folder
 id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
-status: experimental
+status: test
 description: Detects the creation of shell scripts under the "profile.d" path.
 references:
 - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
index 66311708c1da..4c56cf49f654 100644
--- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
+++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
@@ -1,6 +1,6 @@
 title: Triple Cross eBPF Rootkit Default LockFile
 id: c0239255-822c-4630-b7f1-35362bcb8f44
-status: experimental
+status: test
 description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
index e07e35706900..81fc28ec889f 100644
--- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
+++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
@@ -1,6 +1,6 @@
 title: Triple Cross eBPF Rootkit Default Persistence
 id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
-status: experimental
+status: test
 description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
 references:
 - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
diff --git a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
index facf55864d22..14d61ef7f1a1 100644
--- a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
+++ b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
@@ -1,6 +1,6 @@
 title: Wget Creating Files in Tmp Directory
 id: 35a05c60-9012-49b6-a11f-6bab741c9f74
-status: experimental
+status: test
 description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
 references:
 - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
index 02cd87e731c3..c3ea5de42ad3 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
@@ -1,6 +1,6 @@
 title: Linux Base64 Encoded Pipe to Shell
 id: ba592c6d-6888-43c3-b8c6-689b8fe47337
-status: experimental
+status: test
 description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
 references:
 - https://github.com/arget13/DDexec
diff --git a/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml b/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml
index f91f893d6106..5867934c3071 100644
--- a/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml
@@ -1,6 +1,6 @@
 title: Bash Interactive Shell
 id: 6104e693-a7d6-4891-86cb-49a258523559
-status: experimental
+status: test
 description: Detects execution of the bash shell with the interactive flag "-i".
 references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
diff --git a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
index f3bff8bb7d13..eb6839b7bfe8 100644
--- a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
@@ -1,6 +1,6 @@
 title: Enable BPF Kprobes Tracing
 id: 7692f583-bd30-4008-8615-75dab3f08a99
-status: experimental
+status: test
 description: Detects common command used to enable bpf kprobes tracing
 references:
 - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
diff --git a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
index 5e7c45d954af..f8d78e67687f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
@@ -1,6 +1,6 @@
 title: Capabilities Discovery - Linux
 id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
-status: experimental
+status: test
 description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
 references:
 - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
diff --git a/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml b/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
index 09f4affa66e1..585d63236b14 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
@@ -1,6 +1,6 @@
 title: Copy Passwd Or Shadow From TMP Path
 id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
-status: experimental
+status: test
 description: Detects when the file "passwd" or "shadow" is copied from tmp path
 references:
 - https://blogs.blackberry.com/
diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
index 15f24392aa37..f92b908ab735 100644
--- a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
@@ -1,6 +1,6 @@
 title: Crontab Enumeration
 id: 403ed92c-b7ec-4edd-9947-5b535ee12d46
-status: experimental
+status: test
 description: Detects usage of crontab to list the tasks of the user
 references:
 - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
diff --git a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
index 3282ade13590..f99cf647cbd4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
@@ -1,6 +1,6 @@
 title: Ufw Force Stop Using Ufw-Init
 id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
-status: experimental
+status: test
 description: Detects attempts to force stop the ufw using ufw-init
 references:
 - https://blogs.blackberry.com/
diff --git a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
index 73eaf0076a01..ea1e5b0c9ec0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
@@ -1,6 +1,6 @@
 title: OS Architecture Discovery Via Grep
 id: d27ab432-2199-483f-a297-03633c05bae6
-status: experimental
+status: test
 description: |
 Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
 references:
diff --git a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
index fb8f9b8caee5..6d10e5a4f6b4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
@@ -1,6 +1,6 @@
 title: Group Has Been Deleted Via Groupdel
 id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84
-status: experimental
+status: test
 description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
 references:
 - https://linuxize.com/post/how-to-delete-group-in-linux/
diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
index e65fede776ea..2ef7e1b58d24 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
@@ -1,6 +1,6 @@
 title: Apt GTFOBin Abuse - Linux
 id: bb382fd5-b454-47ea-a264-1828e4c766d6
-status: experimental
+status: test
 description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution
 references:
     - https://gtfobins.github.io/gtfobins/apt/
diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
index c61ab6526b84..de4f854c3656 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
@@ -1,6 +1,6 @@
 title: Vim GTFOBin Abuse - Linux
 id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
-status: experimental
+status: test
 description: Detects usage of "vim" and it's siblings as a GTFOBin to execute and proxy command and binary execution
 references:
     - https://gtfobins.github.io/gtfobins/vim/
diff --git a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
index 0975b798b442..48712c358dba 100644
--- a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
@@ -1,6 +1,6 @@
 title: Suspicious Package Installed - Linux
 id: 700fb7e8-2981-401c-8430-be58e189e741
-status: experimental
+status: test
 description: Detects installation of suspicious packages using system installation utilities
 references:
     - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
diff --git a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
index dde4d2f5a1d0..7c13288f2716 100644
--- a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
@@ -1,6 +1,6 @@
 title: Flush Iptables Ufw Chain
 id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
-status: experimental
+status: test
 description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
 references:
     - https://blogs.blackberry.com/
diff --git a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
index 2504e3cff413..1ebfc0e5c985 100644
--- a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
@@ -1,6 +1,6 @@
 title: Terminate Linux Process Via Kill
 id: 64c41342-6b27-523b-5d3f-c265f3efcdb3
-status: experimental
+status: test
 description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
 references:
     - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
diff --git a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
index 5b618f296a01..eabb5c08bebe 100644
--- a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
@@ -1,6 +1,6 @@
 title: Potential GobRAT File Discovery Via Grep
 id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
-status: experimental
+status: test
 description: Detects the use of grep to discover specific files created by the GobRAT malware
 references:
     - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
index d60f1cb6e0c6..737e41af7713 100644
--- a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
@@ -1,6 +1,6 @@
 title: Named Pipe Created Via Mkfifo
 id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
-status: experimental
+status: test
 description: Detects the creation of a new named pipe using the "mkfifo" utility
 references:
     - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
index 4f773c3d95fc..250cba342db9 100644
--- a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
@@ -3,7 +3,7 @@ id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
 related:
     - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
       type: derived
-status: experimental
+status: test
 description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
 references:
     - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
diff --git a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
index 4aff51475054..2629345c566a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
@@ -1,6 +1,6 @@
 title: Mount Execution With Hidepid Parameter
 id: ec52985a-d024-41e3-8ff6-14169039a0b3
-status: experimental
+status: test
 description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
 references:
     - https://blogs.blackberry.com/
diff --git a/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
index 4324459a7949..2e43b72af9ff 100644
--- a/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
@@ -1,6 +1,6 @@
 title: Potential Netcat Reverse Shell Execution
 id: 7f734ed0-4f47-46c0-837f-6ee62505abd9
-status: experimental
+status: test
 description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
 references:
     - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
index 5359bdca92b8..03af205e6fb1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
@@ -3,7 +3,7 @@ id: 457df417-8b9d-4912-85f3-9dbda39c3645
 related:
     - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
       type: derived
-status: experimental
+status: test
 description: Detects execution of binaries located in potentially suspicious locations via "nohup"
 references:
     - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
diff --git a/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
index 51ae4c429d0b..54d39c730385 100644
--- a/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
@@ -1,6 +1,6 @@
 title: Potential Perl Reverse Shell Execution
 id: 259df6bc-003f-4306-9f54-4ff1a08fa38e
-status: experimental
+status: test
 description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
 references:
     - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
diff --git a/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml
index 37c588ba60dd..4dc456108d25 100644
--- a/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml
@@ -1,6 +1,6 @@
 title: Potential PHP Reverse Shell
 id: c6714a24-d7d5-4283-a36b-3ffd091d5f7e
-status: experimental
+status: test
 description: |
     Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
index add5b3a117a2..d42e55c0a72d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
@@ -3,7 +3,7 @@ id: c4042d54-110d-45dd-a0e1-05c47822c937
 related:
     - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
       type: similar
-status: experimental
+status: test
 description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
 references:
     - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
index 32e41d206f77..b138ebc9e0f1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
@@ -3,7 +3,7 @@ id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
 related:
     - id: c4042d54-110d-45dd-a0e1-05c47822c937
       type: similar
-status: experimental
+status: test
 description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell
 references:
     - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
diff --git a/rules/linux/process_creation/proc_creation_lnx_remove_package.yml b/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
index 969bc480c003..06346824c76b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
@@ -1,6 +1,6 @@
 title: Linux Package Uninstall
 id: 95d61234-7f56-465c-6f2d-b562c6fedbc4
-status: experimental
+status: test
 description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
 references:
     - https://sysdig.com/blog/mitre-defense-evasion-falco
diff --git a/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
index 2aad0ebf3745..6bacb829c389 100644
--- a/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
@@ -1,6 +1,6 @@
 title: Potential Ruby Reverse Shell
 id: b8bdac18-c06e-4016-ac30-221553e74f59
-status: experimental
+status: test
 description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
 references:
     - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
index 4e882da0b512..13629815405c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
@@ -3,7 +3,7 @@ id: 00b90cc1-17ec-402c-96ad-3a8117d7a582
 related:
     - id: 00bca14a-df4e-4649-9054-3f2aa676bc04
       type: derived
-status: experimental
+status: test
 description: Detects a suspicious curl process start the adds a file to a web request
 references:
     - https://twitter.com/d1r4c/status/1279042657508081664
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
index c0ac903fab88..98d0b8074499 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
@@ -1,6 +1,6 @@
 title: Potentially Suspicious Execution From Tmp Folder
 id: 312b42b1-bded-4441-8b58-163a3af58775
-status: experimental
+status: test
 description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
 references:
     - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
index c24d14e0048b..7c15f0efb515 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
@@ -3,7 +3,7 @@ id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
 related:
     - id: 85de3a19-b675-4a51-bfc6-b11a5186c971
       type: similar
-status: experimental
+status: test
 description: Detects usage of "find" binary in a suspicious manner to perform discovery
 references:
     - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
index 50f15fe25fab..8abc41bc3036 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
@@ -1,6 +1,6 @@
 title: Suspicious Git Clone - Linux
 id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
-status: experimental
+status: test
 description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
 references:
     - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
index 7d5a91f8663a..cf0ec3e19557 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
@@ -1,6 +1,6 @@
 title: Potential Suspicious Change To Sensitive/Critical Files
 id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
-status: experimental
+status: test
 description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
 references:
     - https://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
index 64236d73d0fd..600a994ff1b6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
@@ -1,6 +1,6 @@
 title: Shell Execution Of Process Located In Tmp Directory
 id: 2fade0b6-7423-4835-9d4f-335b39b83867
-status: experimental
+status: test
 description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
 references:
     - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
index 71eedc0df005..514239ba6195 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
@@ -1,6 +1,6 @@
 title: Execution Of Script Located In Potentially Suspicious Directory
 id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7
-status: experimental
+status: test
 description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
 references:
     - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
diff --git a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
index 1c0389fff02e..ac6b07c9c021 100644
--- a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
@@ -1,6 +1,6 @@
 title: Touch Suspicious Service File
 id: 31545105-3444-4584-bebf-c466353230d2
-status: experimental
+status: test
 description: Detects usage of the "touch" process in service file.
 references:
     - https://blogs.blackberry.com/
diff --git a/rules/linux/process_creation/proc_creation_lnx_userdel.yml b/rules/linux/process_creation/proc_creation_lnx_userdel.yml
index f226f649b420..eed85d3c1d39 100644
--- a/rules/linux/process_creation/proc_creation_lnx_userdel.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_userdel.yml
@@ -1,6 +1,6 @@
 title: User Has Been Deleted Via Userdel
 id: 08f26069-6f80-474b-8d1f-d971c6fedea0
-status: experimental
+status: test
 description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
 references:
     - https://linuxize.com/post/how-to-delete-group-in-linux/
diff --git a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
index d4da8acbc43d..8cf0416cf315 100644
--- a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
@@ -1,6 +1,6 @@
 title: Linux Webshell Indicators
 id: 818f7b24-0fba-4c49-a073-8b755573b9c7
-status: experimental
+status: test
 description: Detects suspicious sub processes of web server processes
 references:
     - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
diff --git a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
index 87af0ce34f8d..1b4668243bdf 100644
--- a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
@@ -1,6 +1,6 @@
 title: Download File To Potentially Suspicious Directory Via Wget
 id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
-status: experimental
+status: test
 description: Detects the use of wget to download content to a suspicious directory
 references:
     - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
diff --git a/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml
index 6c3ece2e1266..85a089c11887 100644
--- a/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml
@@ -1,6 +1,6 @@
 title: Potential Xterm Reverse Shell
 id: 4e25af4b-246d-44ea-8563-e42aacab006b
-status: experimental
+status: test
 description: Detects usage of "xterm" as a potential reverse shell tunnel
 references:
     - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
diff --git a/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml b/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
index 2ba571211013..4e7ef66d7a81 100644
--- a/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
+++ b/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
@@ -3,7 +3,7 @@ id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
 related:
     - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
       type: derived
-status: experimental
+status: test
 description: Detects possible collection of data from the clipboard via execution of the osascript binary
 references:
     - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
diff --git a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
index 0ab601940909..b847f32c7488 100644
--- a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
@@ -3,7 +3,7 @@ id: b743623c-2776-40e0-87b1-682b975d0ca5
 related:
     - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
       type: obsoletes
-status: experimental
+status: test
 description: Detects attempts to create and add an account to the admin group via "dscl"
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
diff --git a/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml b/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml
index e4b5b8bdd025..c0104c9ec614 100644
--- a/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml
+++ b/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml
@@ -1,6 +1,6 @@
 title: Suspicious Installer Package Child Process
 id: e0cfaecd-602d-41af-988d-f6ccebb2af26
-status: experimental
+status: test
 description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
 references:
     - https://redcanary.com/blog/clipping-silver-sparrows-wings/
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
index c2d032152678..d17fb3ffd98c 100644
--- a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
@@ -3,7 +3,7 @@ id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
 related:
     - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
       type: derived
-status: experimental
+status: test
 description: Detects possible malicious execution of JXA in-memory via OSAScript
 references:
     - https://redcanary.com/blog/applescript/
diff --git a/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml b/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
index 7e26acd3fdb1..84af621ca796 100644
--- a/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
+++ b/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
@@ -1,6 +1,6 @@
 title: Suspicious Microsoft Office Child Process - MacOS
 id: 69483748-1525-4a6c-95ca-90dc8d431b68
-status: experimental
+status: test
 description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
 references:
     - https://redcanary.com/blog/applescript/
diff --git a/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml b/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
index b0df25c9d180..ed9df6e6a6c7 100644
--- a/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
@@ -1,6 +1,6 @@
 title: OSACompile Run-Only Execution
 id: b9d9b652-d8ed-4697-89a2-a1186ee680ac
-status: experimental
+status: test
 description: Detects potential suspicious run-only executions compiled using OSACompile
 references:
     - https://redcanary.com/blog/applescript/
diff --git a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
index ed6a1f53de8f..9ea30486925f 100644
--- a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
+++ b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
@@ -1,6 +1,6 @@
 title: Potential Persistence Via PlistBuddy
 id: 65d506d3-fcfe-4071-b4b2-bcefe721bbbb
-status: experimental
+status: test
 description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
 references:
     - https://redcanary.com/blog/clipping-silver-sparrows-wings/
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml b/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
index 2da82ca85b49..20424bbdc653 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
@@ -1,6 +1,6 @@
 title: Suspicious Browser Child Process - MacOS
 id: 0250638a-2b28-4541-86fc-ea4c558fa0c6
-status: experimental
+status: test
 description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
 references:
     - https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
index 0a7ba1c0378f..9590d7a92269 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
@@ -1,6 +1,6 @@
 title: Suspicious Execution via macOS Script Editor
 id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
-status: experimental
+status: test
 description: Detects when the macOS Script Editor utility spawns an unusual child process.
 author: Tim Rauch (rule), Elastic (idea)
 references:
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
index 9d94cc951ed1..9aebe117cfa7 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
@@ -3,7 +3,7 @@ id: 85de3a19-b675-4a51-bfc6-b11a5186c971
 related:
     - id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
       type: similar
-status: experimental
+status: test
 description: Detects usage of "find" binary in a suspicious manner to perform discovery
 references:
     - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
diff --git a/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
index 3b5164f6ea0e..38e8911a2a8c 100644
--- a/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
+++ b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
@@ -1,6 +1,6 @@
 title: Osacompile Execution By Potentially Suspicious Applet/Osascript
 id: a753a6af-3126-426d-8bd0-26ebbcb92254
-status: experimental
+status: test
 description: Detects potential suspicious applet or osascript executing "osacompile".
 references:
     - https://redcanary.com/blog/mac-application-bundles/
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
index 100a907ad775..c44d3ee84912 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
@@ -3,7 +3,7 @@ id: 652c098d-dc11-4ba6-8566-c20e89042f2b
 related:
     - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
       type: obsoletes
-status: experimental
+status: test
 description: Detects attempts to create and add an account to the admin group via "sysadminctl"
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
index 860991f11c1f..a9bfa4c0890a 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
@@ -1,6 +1,6 @@
 title: Guest Account Enabled Via Sysadminctl
 id: d7329412-13bd-44ba-a072-3387f804a106
-status: experimental
+status: test
 description: Detects attempts to enable the guest account using the sysadminctl utility
 references:
     - https://ss64.com/osx/sysadminctl.html
diff --git a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
index cb47c973c1d0..c71615765334 100644
--- a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
+++ b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
@@ -1,6 +1,6 @@
 title: Cisco BGP Authentication Failures
 id: 56fa3cd6-f8d6-4520-a8c7-607292971886
-status: experimental
+status: test
 description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
 references:
     - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
diff --git a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
index 29296f87c176..10800ba25f80 100644
--- a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
+++ b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
@@ -1,6 +1,6 @@
 title: Cisco LDP Authentication Failures
 id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
-status: experimental
+status: test
 description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
 references:
     - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
diff --git a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
index 7f204229cd36..5021d7aed6c4 100644
--- a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
+++ b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
@@ -1,6 +1,6 @@
 title: Huawei BGP Authentication Failures
 id: a557ffe6-ac54-43d2-ae69-158027082350
-status: experimental
+status: test
 description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
 references:
 - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
diff --git a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
index 5dee02c5bf86..1982086a1179 100644
--- a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
+++ b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
@@ -1,6 +1,6 @@
 title: Juniper BGP Missing MD5
 id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
-status: experimental
+status: test
 description: Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
 references:
 - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
diff --git a/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml b/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml
index 6d858d7a5f05..fca3b416ad1e 100644
--- a/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml
+++ b/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml
@@ -1,6 +1,6 @@
 title: Potential OWASSRF Exploitation Attempt - Proxy
 id: 1ddf4596-1908-43c9-add2-1d2c2fcc4797
-status: experimental
+status: test
 description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
 references:
 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
diff --git a/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml b/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml
index bcd0eb70dbc5..bbfdda302a33 100644
--- a/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml
+++ b/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml
@@ -1,6 +1,6 @@
 title: OWASSRF Exploitation Attempt Using Public POC - Proxy
 id: fdd7e904-7304-4616-a46a-e32f917c4be4
-status: experimental
+status: test
 description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
 references:
 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
diff --git a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
index 0222e7bdb423..d776a2950a34 100644
--- a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
+++ b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
@@ -1,6 +1,6 @@
 title: Suspicious Network Communication With IPFS
 id: eb6c2004-1cef-427f-8885-9042974e5eb6
-status: experimental
+status: test
 description: Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.
 references:
 - https://blog.talosintelligence.com/ipfs-abuse/
diff --git a/rules/web/proxy_generic/proxy_ua_base64_encoded.yml b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml
index 7d90a5ccdde8..124a11a18732 100644
--- a/rules/web/proxy_generic/proxy_ua_base64_encoded.yml
+++ b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml
@@ -3,7 +3,7 @@ id: d443095b-a221-4957-a2c4-cd1756c9b747
 related:
 - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
 type: derived
-status: experimental
+status: test
 description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
 references:
 - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
index 33ef7967730a..8f541a58a252 100644
--- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
@@ -1,6 +1,6 @@
 title: Bitsadmin to Uncommon TLD
 id: 9eb68894-7476-4cd6-8752-23b51f5883a7
-status: experimental
+status: test
 description: Detects Bitsadmin connections to domains with uncommon TLDs
 references:
 - https://twitter.com/jhencinski/status/1102695118455349248
diff --git a/rules/web/proxy_generic/proxy_ua_susp_base64.yml b/rules/web/proxy_generic/proxy_ua_susp_base64.yml
index 45adb63eddcd..7b26ed5b152e 100644
--- a/rules/web/proxy_generic/proxy_ua_susp_base64.yml
+++ b/rules/web/proxy_generic/proxy_ua_susp_base64.yml
@@ -3,7 +3,7 @@ id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
 related:
 - id: d443095b-a221-4957-a2c4-cd1756c9b747
 type: derived
-status: experimental
+status: test
 description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
 references:
 - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
diff --git a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
index 362580333c3a..4de443dd8d92 100644
--- a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
@@ -1,6 +1,6 @@
 title: Java Payload Strings
 id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
-status: experimental
+status: test
 description: Detects possible Java payloads in web access logs
 references:
 - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
diff --git a/rules/web/webserver_generic/web_susp_useragents.yml b/rules/web/webserver_generic/web_susp_useragents.yml
index 31ca5769b5b9..189ba702e13f 100644
--- a/rules/web/webserver_generic/web_susp_useragents.yml
+++ b/rules/web/webserver_generic/web_susp_useragents.yml
@@ -1,6 +1,6 @@
 title: Suspicious User-Agents Related To Recon Tools
 id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
-status: experimental
+status: test
 description: Detects known suspicious (default) user-agents related to scanning/recon tools
 references:
 - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
diff --git a/rules/web/webserver_generic/web_susp_windows_path_uri.yml b/rules/web/webserver_generic/web_susp_windows_path_uri.yml
index 3835da11ae6c..f38d7742f9df 100644
--- a/rules/web/webserver_generic/web_susp_windows_path_uri.yml
+++ b/rules/web/webserver_generic/web_susp_windows_path_uri.yml
@@ -1,6 +1,6 @@
 title: Suspicious Windows Strings In URI
 id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
-status: experimental
+status: test
 description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
 references:
 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
diff --git a/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml b/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml
index d501b53b0200..66006fdf0e3d 100644
--- a/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml
+++ b/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml
@@ -3,7 +3,7 @@ id: 545a5da6-f103-4919-a519-e9aec1026ee4
 related:
 - id: 6c82cf5c-090d-4d57-9188-533577631108
 type: similar
-status: experimental
+status: test
 description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 references:
 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
diff --git a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
index 0a1e5921374a..d88d265645fd 100644
--- a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
+++ b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
@@ -1,6 +1,6 @@
 title: Restricted Software Access By SRP
 id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
-status: experimental
+status: test
 description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
 references:
 - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
diff --git a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
index e18c75b29367..2a1822b34c13 100644
--- a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
+++ b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
@@ -1,6 +1,6 @@
 title: Microsoft Malware Protection Engine Crash - WER
 id: 6c82cf5c-090d-4d57-9188-533577631108
-status: experimental
+status: test
 description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 references:
 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
index f40f96633e03..89a606da371e 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
@@ -1,6 +1,6 @@
 title: Deployment AppX Package Was Blocked By AppLocker
 id: 6ae53108-c3a0-4bee-8f45-c7591a2c337f
-status: experimental
+status: test
 description: Detects an appx package deployment that was blocked by AppLocker policy
 references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
index 520a58bf4544..3f25523bf3b9 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
@@ -1,6 +1,6 @@
 title: Potential Malicious AppX Package Installation Attempts
 id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
-status: experimental
+status: test
 description: Detects potential installation or installation attempts of known malicious appx packages
 references:
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
index 6cdfef035f83..67f5cdd79288 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
@@ -1,6 +1,6 @@
 title: Deployment Of The AppX Package Was Blocked By The Policy
 id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
-status: experimental
+status: test
 description: Detects an appx package deployment that was blocked by the local computer policy
 references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
index 67fabeac2890..e6e7a0a2a008 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
@@ -1,6 +1,6 @@
 title: Suspicious AppX Package Installation Attempt
 id: 898d5fc9-fbc3-43de-93ad-38e97237c344
-status: experimental
+status: test
 description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
 references:
 - Internal Research
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
index 19b333749c8b..050c81c624e1 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
@@ -1,6 +1,6 @@
 title: Suspicious AppX Package Locations
 id: 5cdeaf3d-1489-477c-95ab-c318559fc051
-status: experimental
+status: test
 description: Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations
 references:
 - Internal Research
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
index dedc37edef68..76767c6bdd69 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
@@ -1,6 +1,6 @@
 title: Uncommon AppX Package Locations
 id: c977cb50-3dff-4a9f-b873-9290f56132f1
-status: experimental
+status: test
 description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
 references:
 - Internal Research
diff --git a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
index af67b285742f..065666b05535 100644
--- a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
+++ b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
@@ -1,6 +1,6 @@
 title: Suspicious Digital Signature Of AppX Package
 id: b5aa7d60-c17e-4538-97de-09029d6cd76b
-status: experimental
+status: test
 description: Detects execution of AppX packages with known suspicious or malicious signature
 references:
 - Internal Research
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
index 3b29f8fcf94c..9e2463ed36eb 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
@@ -1,6 +1,6 @@
 title: New BITS Job Created Via PowerShell
 id: fe3a2d49-f255-4d10-935c-bda7391108eb
-status: experimental
+status: test
 description: Detects the creation of a new bits job by PowerShell
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
index 0867b2aeebf5..aefbf76cd99c 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
@@ -1,6 +1,6 @@
 title: BITS Transfer Job Downloading File Potential Suspicious Extension
 id: b85e5894-9b19-4d86-8c87-a2f3b81f0521
-status: experimental
+status: test
 description: Detects new BITS transfer job saving local files with potential suspicious extensions
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
index 66080d0a04c2..240d923a4451 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
@@ -3,7 +3,7 @@ id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
 related:
 - id: 99c840f2-2012-46fd-9141-c761987550ef
 type: similar
-status: experimental
+status: test
 description: Detects a BITS transfer job downloading file(s) from a direct IP address.
 references:
 - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
index d684dad0390f..6af8db014f4b 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
@@ -1,6 +1,6 @@
 title: BITS Transfer Job With Uncommon Or Suspicious Remote TLD
 id: 6d44fb93-e7d2-475c-9d3d-54c9c1e33427
-status: experimental
+status: test
 description: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml b/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
index 72dcb0bec0ec..17c7032ad77b 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
@@ -1,6 +1,6 @@
 title: BITS Transfer Job Download To Potential Suspicious Folder
 id: f8a56cb7-a363-44ed-a82f-5926bb44cd05
-status: experimental
+status: test
 description: Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
diff --git a/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml b/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
index 2d8eb6b886dc..2bb76c3f1f8f 100644
--- a/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
+++ b/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
@@ -1,6 +1,6 @@
 title: Certificate Private Key Acquired
 id: e2b5163d-7deb-4566-9af3-40afea6858c3
-status: experimental
+status: test
 description: Detects when an application acquires a certificate private key
 references:
 - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
diff --git a/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml b/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
index c221b48978bf..72a7cee60907 100644
--- a/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
+++ b/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
@@ -1,6 +1,6 @@
 title: Certificate Exported From Local Certificate Store
 id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
-status: experimental
+status: test
 description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
 references:
 - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
index a90de90e9221..752880df3fff 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
@@ -1,6 +1,6 @@
 title: CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
 id: 5daf11c3-022b-4969-adb9-365e6c078c7c
-status: experimental
+status: test
 description: Detects block events for files that are disallowed by code integrity for protected processes
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
index fef43209e27a..48028ce3218e 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
@@ -1,6 +1,6 @@
 title: CodeIntegrity - Blocked Image/Driver Load For Policy Violation
 id: e4be5675-4a53-426a-8c81-a8bb2387e947
-status: experimental
+status: test
 description: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
 references:
 - https://twitter.com/wdormann/status/1590434950335320065
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
index 732e52f77ad8..78c6a8308d08 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
@@ -1,6 +1,6 @@
 title: CodeIntegrity - Blocked Driver Load With Revoked Certificate
 id: 9b72b82d-f1c5-4632-b589-187159bc6ec1
-status: experimental
+status: test
 description: Detects blocked load attempts of revoked drivers
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
index e2e4b1235322..77b42a69cd00 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
@@ -1,6 +1,6 @@
 title: CodeIntegrity - Revoked Kernel Driver Loaded
 id: 320fccbf-5e32-4101-82b8-2679c5f007c6
-status: experimental
+status: test
 description: Detects the load of a revoked kernel driver
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
index 6223b7444da1..d415b043aab6 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
@@ -1,6 +1,6 @@
 title: CodeIntegrity - Blocked Image Load With Revoked Certificate
 id: 6f156c48-3894-4952-baf0-16193e9067d2
-status: experimental
+status: test
 description: Detects blocked image load events with revoked certificates by code integrity.
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
index f11b2c28af98..3ea655c289e8 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
@@ -1,6 +1,6 @@
 title: CodeIntegrity - Revoked Image Loaded
 id: 881b7725-47cc-4055-8000-425823344c59
-status: experimental
+status: test
 description: Detects image load events with revoked certificates by code integrity.
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
index 31cc5d201d8d..e72df24588d9 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
@@ -1,6 +1,6 @@
 title: CodeIntegrity - Unsigned Kernel Module Loaded
 id: 951f8d29-f2f6-48a7-859f-0673ff105e6f
-status: experimental
+status: test
 description: Detects the presence of a loaded unsigned kernel module on the system.
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
index b2e318d8973f..748cc057eba5 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
@@ -1,6 +1,6 @@
 title: CodeIntegrity - Unsigned Image Loaded
 id: c92c24e7-f595-493f-9c98-53d5142f5c18
-status: experimental
+status: test
 description: Detects loaded unsigned image on the system
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml
index fc5f5fe816f4..80b2445fdb11 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml
@@ -1,6 +1,6 @@
 title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
 id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f
-status: experimental
+status: test
 description: Detects loaded kernel modules that did not meet the WHQL signing requirements.
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
diff --git a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
index c7e01fa2b5df..6b34ee5bc6ef 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
@@ -3,7 +3,7 @@ id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
 related:
 - id: 065cceea-77ec-4030-9052-fc0affea7110
 type: similar
-status: experimental
+status: test
 description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
 references:
 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
diff --git a/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml b/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
index 2d9095f2fd35..6461916383c2 100644
--- a/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
+++ b/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
@@ -1,6 +1,6 @@
 title: Failed DNS Zone Transfer
 id: 6d444368-6da1-43fe-b2fc-44202430480e
-status: experimental
+status: test
 description: Detects when a DNS zone transfer failed.
 references:
 - https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
index 1d65268cc2a6..d4a64cce8c05 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
@@ -3,7 +3,7 @@ id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
 related:
 - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
 type: derived
-status: experimental
+status: test
 description: Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
index 2a06a1d553dd..32b9016a5834 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
@@ -1,6 +1,6 @@
 title: Firewall Rule Modified In The Windows Firewall Exception List
 id: 5570c4d9-8fdd-4622-965b-403a5a101aa0
-status: experimental
+status: test
 description: Detects when a rule has been modified in the Windows firewall exception list
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
index df4255c1faab..10282fca7e03 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
@@ -1,6 +1,6 @@
 title: All Rules Have Been Deleted From The Windows Firewall Configuration
 id: 79609c82-a488-426e-abcf-9f341a39365d
-status: experimental
+status: test
 description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
index fa5a3a3f6059..36d2a7c489be 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
@@ -1,6 +1,6 @@
 title: A Rule Has Been Deleted From The Windows Firewall Exception List
 id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
-status: experimental
+status: test
 description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
index 3bd155fc1841..b4993af05d5b 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
@@ -1,6 +1,6 @@
 title: The Windows Defender Firewall Service Failed To Load Group Policy
 id: 7ec15688-fd24-4177-ba43-1a950537ee39
-status: experimental
+status: test
 description: Detects activity when The Windows Defender Firewall service failed to load Group Policy
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
index e196c2624a58..16dd0de90b09 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
@@ -1,6 +1,6 @@
 title: Windows Defender Firewall Has Been Reset To Its Default Configuration
 id: 04b60639-39c0-412a-9fbe-e82499c881a3
-status: experimental
+status: test
 description: Detects activity when Windows Defender Firewall has been reset to its default configuration
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
index afd7c90d2211..63749b921779 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
@@ -1,6 +1,6 @@
 title: Windows Firewall Settings Have Been Changed
 id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
-status: experimental
+status: test
 description: Detects activity when the settings of the Windows firewall have been changed
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
diff --git a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
index d005eaeb8e16..afc923b08731 100644
--- a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
+++ b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
@@ -1,6 +1,6 @@
 title: Standard User In High Privileged Group
 id: 7ac407cc-0f48-4328-aede-de1d2e6fef41
-status: experimental
+status: test
 description: Detect standard users login that are part of high privileged groups such as the Administrator group
 references:
 - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
index 4d3789169479..77d53ea104bb 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
@@ -1,6 +1,6 @@
 title: Mailbox Export to Exchange Webserver
 id: 516376b4-05cd-4122-bae0-ad7641c38d48
-status: experimental
+status: test
 description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
 references:
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
diff --git a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
index 588b3189f380..fa1d9ebb0dcb 100644
--- a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
+++ b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
@@ -1,6 +1,6 @@
 title: Potential Access Token Abuse
 id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
-status: experimental
+status: test
 description: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
 references:
 - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
index d77d9b0531b0..49d21eb74d56 100644
--- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
@@ -3,7 +3,7 @@ id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
 related:
 - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
 type: derived
-status: experimental
+status: test
 description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
 references:
 - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
index fc2200c38387..bc2b8b406bb1 100644
--- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
@@ -3,7 +3,7 @@ id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
 related:
 - id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
 type: derived
-status: experimental
+status: test
 description: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
 references:
 - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
diff --git a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml
index 41237366f91a..e34601b31972 100644
--- a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml
+++ b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml
@@ -1,6 +1,6 @@
 title: Password Policy Enumerated
 id: 12ba6a38-adb3-4d6b-91ba-a7fb248e3199
-status: experimental
+status: test
 description: Detects when the password policy is enumerated.
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661
diff --git a/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml b/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml
index 4a48af5b0b6e..b6ac720e34fd 100644
--- a/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml
+++ b/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml
@@ -1,6 +1,6 @@
 title: Scheduled Task Deletion
 id: 4f86b304-3e02-40e3-aa5d-e88a167c9617
-status: experimental
+status: test
 description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
 references:
 - https://twitter.com/matthewdunwoody/status/1352356685982146562
diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
index 011232f71a82..228aeb68eb3f 100644
--- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
+++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
@@ -3,7 +3,7 @@ id: c8b00925-926c-47e3-beea-298fd563728e
 related:
 - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
 type: similar
-status: experimental
+status: test
 description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
 references:
 - https://redcanary.com/blog/misbehaving-rats/
diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
index 1b087a9891d0..7d1fb21a04fd 100644
--- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
@@ -3,7 +3,7 @@ id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
 related:
 - id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
 type: similar
-status: experimental
+status: test
 description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
 references:
 - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
diff --git a/rules/windows/builtin/security/win_security_susp_computer_name.yml b/rules/windows/builtin/security/win_security_susp_computer_name.yml
index 1b7b0338fb2e..dd3ff20708c1 100644
--- a/rules/windows/builtin/security/win_security_susp_computer_name.yml
+++ b/rules/windows/builtin/security/win_security_susp_computer_name.yml
@@ -1,6 +1,6 @@
 title: Win Susp Computer Name Containing Samtheadmin
 id: 39698b3f-da92-4bc6-bfb5-645a98386e45
-status: experimental
+status: test
 description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
 references:
 - https://twitter.com/malmoeb/status/1511760068743766026
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
index 011f8dd20569..c66270a5b57d 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
 type: similar
-status: experimental
+status: test
 description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
diff --git a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
index dc4cb002b90d..9d36b3efb70a 100644
--- a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
+++ b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
@@ -1,6 +1,6 @@
 title: NTLMv1 Logon Between Client and Server
 id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
-status: experimental
+status: test
 description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
 references:
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
diff --git a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
index dba3cbaf1227..2d0c1e5f30ae 100644
--- a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
+++ b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
@@ -1,6 +1,6 @@
 title: Local Privilege Escalation Indicator TabTip
 id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
-status: experimental
+status: test
 description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
 references:
 - https://github.com/antonioCoco/JuicyPotatoNG
diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
index b3d36aeee786..fcaeac680e63 100644
--- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
@@ -7,7 +7,7 @@ related:
 type: derived
 - id: 100ef69e-3327-481c-8e5c-6d80d9507556
 type: derived
-status: experimental
+status: test
 description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
 references:
 - https://twitter.com/deviouspolack/status/832535435960209408
diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
index 2eb70fdd3a5b..a12541c36722 100644
--- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
@@ -3,7 +3,7 @@ id: 100ef69e-3327-481c-8e5c-6d80d9507556
 related:
 - id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
 type: derived
-status: experimental
+status: test
 description: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
 references:
 - https://twitter.com/deviouspolack/status/832535435960209408
diff --git a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
index 2e6c871a87f4..770c1aaf58be 100644
--- a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
+++ b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
@@ -1,6 +1,6 @@
 title: Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
 id: 52a85084-6989-40c3-8f32-091e12e17692
-status: experimental
+status: test
 description: During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server
 references:
 - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
index 23e92a06c9ee..59e71979882b 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
@@ -1,6 +1,6 @@
 title: Invoke-Obfuscation CLIP+ Launcher - System
 id: f7385ee2-0e0c-11eb-adc1-0242ac120002
-status: experimental
+status: test
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
index 8e3a5cf40498..547e49c51d6e 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
@@ -3,7 +3,7 @@ id: 1a31b18a-f00c-4061-9900-f735b96c99fc
 related:
 - id: c8b00925-926c-47e3-beea-298fd563728e
 type: similar
-status: experimental
+status: test
 description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
 references:
 - https://redcanary.com/blog/misbehaving-rats/
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
index 8edccd725ded..6eb9322bdbc0 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
@@ -3,7 +3,7 @@ id: acfa2210-0d71-4eeb-b477-afab494d596c
 related:
 - id: d6b5520d-3934-48b4-928c-2aa3f92d6963
 type: similar
-status: experimental
+status: test
 description: Detects Windows services that got terminated for whatever reason
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
index f1b8f27f9ba3..d3886e2626e8 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
@@ -3,7 +3,7 @@ id: d6b5520d-3934-48b4-928c-2aa3f92d6963
 related:
 - id: acfa2210-0d71-4eeb-b477-afab494d596c
 type: similar
-status: experimental
+status: test
 description: Detects important or interesting Windows services that got terminated for whatever reason
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
index f52e2a9d0129..24ffbd18c3cd 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
@@ -1,6 +1,6 @@
 title: Important Windows Service Terminated Unexpectedly
 id: 56abae0c-6212-4b97-adc0-0b559bb950c3
-status: experimental
+status: test
 description: Detects important or interesting Windows services that got terminated unexpectedly.
 references:
 - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml b/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml
index c9b75f3bdd98..2b505d9ce2b3 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml
@@ -3,7 +3,7 @@ id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
 related:
 - id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
 type: similar
-status: experimental
+status: test
 description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
 references:
 - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
index 277a5e9412c0..0ab9f4d9ee27 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
@@ -1,6 +1,6 @@
 title: Scheduled Task Executed From A Suspicious Location
 id: 424273ea-7cf8-43a6-b712-375f925e481f
-status: experimental
+status: test
 description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
 references:
 - Internal Research
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
index c803159f7c5c..0a6712f81a1e 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
@@ -1,6 +1,6 @@
 title: Scheduled Task Executed Uncommon LOLBIN
 id: f0767f15-0fb3-44b9-851e-e8d9a6d0005d
-status: experimental
+status: test
 description: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
 references:
 - Internal Research
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
index 91dc8cc96400..b5e8b88903cc 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
 type: similar
-status: experimental
+status: test
 description: Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
 author: frack113
 date: 2023/01/13
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml
index 6bacc3f50622..566018fe94c7 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml
@@ -1,6 +1,6 @@
 title: Remote Thread Created In KeePass.EXE
 id: 77564cc2-7382-438b-a7f6-395c2ae53b9a
-status: experimental
+status: test
 description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
 references:
 - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
index 0bf112579415..c4492a7ce6ae 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
@@ -3,7 +3,7 @@ id: 99b97608-3e21-4bfe-8217-2a127c396a0e
 related:
 - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
 type: similar
-status: experimental
+status: test
 description: Detects the creation of a remote thread from a Powershell process in a rundll32 process
 references:
 - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
diff --git a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
index 001a51f465fe..24da21b23d97 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
@@ -1,6 +1,6 @@
 title: Creation Of a Suspicious ADS File Outside a Browser Download
 id: 573df571-a223-43bc-846e-3f98da481eca
-status: experimental
+status: test
 description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
 references:
 - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
index da0f50745f19..a19573eef410 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
@@ -1,6 +1,6 @@
 title: Hacktool Download
 id: 19b041f6-e583-40dc-b842-d6fa8011493f
-status: experimental
+status: test
 description: Detects the creation of a file on disk that has an imphash of a well-known hack tool
 references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
index d0597644ac46..a2ccea6596c1 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
@@ -1,6 +1,6 @@
 title: Unusual File Download from Direct IP Address
 id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
-status: experimental
+status: test
 description: Detects the download of suspicious file type from URLs with IP
 references:
 - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
diff --git a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
index d6a2b9acbae1..1792faecc26a 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
@@ -1,6 +1,6 @@
 title: Potential Suspicious Winget Package Installation
 id: a3f5c081-e75b-43a0-9f5b-51f26fe5dba2
-status: experimental
+status: test
 description: Detects potential suspicious winget package installation from a suspicious source.
 references:
 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
diff --git a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
index 6377385673ad..d7869180a028 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
@@ -1,6 +1,6 @@
 title: Potentially Suspicious File Download From ZIP TLD
 id: 0bb4bbeb-fe52-4044-b40c-430a04577ebe
-status: experimental
+status: test
 description: Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
 references:
 - https://twitter.com/cyb3rops/status/1659175181695287297
diff --git a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
index e170875b29df..65ff6870d939 100644
--- a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
+++ b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
@@ -3,7 +3,7 @@ id: 065cceea-77ec-4030-9052-fc0affea7110
 related:
 - id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
 type: similar
-status: experimental
+status: test
 description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
 references:
 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
diff --git a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
index 24719740f820..83c7ade6389d 100644
--- a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
@@ -3,7 +3,7 @@ id: 67add051-9ee7-4ad3-93ba-42935615ae8d
 related:
 - id: 10cb6535-b31d-4512-9962-513dcbc42cc1
 type: similar
-status: experimental
+status: test
 description: Detects driver load of the Process Hacker tool
 references:
 - https://processhacker.sourceforge.io/
diff --git a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
index f9f2f8b6cce3..8a220bffb078 100644
--- a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
@@ -3,7 +3,7 @@ id: 10cb6535-b31d-4512-9962-513dcbc42cc1
 related:
 - id: 67add051-9ee7-4ad3-93ba-42935615ae8d
 type: similar
-status: experimental
+status: test
 description: Detects driver load of the System Informer tool
 references:
 - https://systeminformer.sourceforge.io/
diff --git a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml b/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
index 8eaee3a5c813..9451c3f517b1 100644
--- a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
+++ b/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
@@ -1,6 +1,6 @@
 title: Potential PrintNightmare Exploitation Attempt
 id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
-status: experimental
+status: test
 description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
 references:
 - https://github.com/hhlxf/PrintNightmare
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
index 20f6e2ab433d..413b8e139577 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
@@ -1,6 +1,6 @@
 title: Backup Files Deleted
 id: 06125661-3814-4e03-bfa2-1e4411c60ac3
-status: experimental
+status: test
 description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml b/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
index a1f9eaa72d60..091244733aae 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
@@ -1,6 +1,6 @@
 title: EventLog EVTX File Deleted
 id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
-status: experimental
+status: test
 description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
 references:
 - Internal Research
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
index 247ab53633c8..37eea57687e1 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
@@ -1,6 +1,6 @@
 title: Exchange PowerShell Cmdlet History Deleted
 id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
-status: experimental
+status: test
 description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
 references:
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
index b1e9c3025ce5..7ff51dd6fdc4 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
@@ -1,6 +1,6 @@
 title: IIS WebServer Access Logs Deleted
 id: 3eb8c339-a765-48cc-a150-4364c04652bf
-status: experimental
+status: test
 description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
 references:
 - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml b/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
index d6cd3afca254..6daa4e9e3d04 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
@@ -1,6 +1,6 @@
 title: PowerShell Console History Logs Deleted
 id: ff301988-c231-4bd0-834c-ac9d73b86586
-status: experimental
+status: test
 description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
 references:
     - Internal Research
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
index afe5971d4070..2b80ce6553c5 100755
--- a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
@@ -1,6 +1,6 @@
 title: Prefetch File Deleted
 id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
-status: experimental
+status: test
 description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
 author: Cedric MAURUGEON
 date: 2021/09/29
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
index ea2732cfee3c..fdea36cd77ff 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
@@ -1,6 +1,6 @@
 title: Tomcat WebServer Logs Deleted
 id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
-status: experimental
+status: test
 description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
 references:
     - Internal Research
diff --git a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
index ed3adc03b1e0..c55ae88bd35e 100644
--- a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
+++ b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
@@ -3,7 +3,7 @@ id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
 related:
     - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
       type: similar
-status: experimental
+status: test
 description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
 references:
     - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
diff --git a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
index 850ba967345d..ce90c0b34e30 100644
--- a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
+++ b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
@@ -1,6 +1,6 @@
 title: BloodHound Collection Files
 id: 02773bed-83bf-469f-b7ff-e676e7d78bab
-status: experimental
+status: test
 description: Detects default file names outputted by the BloodHound collection tool SharpHound
 references:
     - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 83cdb14e7035..e84ff7b2040c 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -3,7 +3,7 @@ id: df6ecb8b-7822-4f4b-b412-08f524b4576c
 related:
     - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
       type: similar
-status: experimental
+status: test
 description: Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking
 references:
     - https://decoded.avast.io/martinchlumecky/png-steganography/
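Review bot: The dns.exe rule is promoted to `test` while its description still reads `which my indicate activity`, and the same pass leaves other visible wording slips in rules it promotes: `Romaing` in file_event_win_new_files_in_uncommon_appdata_folder.yml, `from a a suspicious process` in file_event_win_office_macro_files_from_susp_process.yml, and the title `Via Cmspt.EXE` in image_load_cmstp_load_dll_from_susp_location.yml. Since `test` signals the rule has been reviewed, correct the description line here to `description: Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)` and fix the others alongside. The detection and falsepositives sections of these rules are outside the hunks.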
diff --git a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
index 6c3d9310b40e..b53864c7ef84 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
@@ -1,6 +1,6 @@
 title: Potential Remote Credential Dumping Activity
 id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
-status: experimental
+status: test
 description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
 references:
     - https://github.com/Porchetta-Industries/CrackMapExec
diff --git a/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml b/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml
index 8efb2b2eaa38..395eefc16607 100644
--- a/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml
+++ b/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
       type: similar
-status: experimental
+status: test
 description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
 references:
     - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
diff --git a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
index 00760bb48752..3d8359b3eeae 100644
--- a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
+++ b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
@@ -1,6 +1,6 @@
 title: File Creation In Suspicious Directory By Msdt.EXE
 id: 318557a5-150c-4c8d-b70e-a9910e199857
-status: experimental
+status: test
 description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
 references:
     - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
index 97262ef5b924..fda85fadcefa 100644
--- a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
@@ -5,7 +5,7 @@ related:
       type: derived
     - id: e4b63079-6198-405c-abd7-3fe8b0ce3263
       type: obsoletes
-status: experimental
+status: test
 description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
 references:
     - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
diff --git a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
index a25dd72999ab..2735b21588f4 100644
--- a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
+++ b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
@@ -1,6 +1,6 @@
 title: Suspicious File Creation In Uncommon AppData Folder
 id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
-status: experimental
+status: test
 description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
 references:
     - Internal Research
diff --git a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
index 3ef18e30016a..4f2b40f7b638 100644
--- a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
@@ -1,6 +1,6 @@
 title: Potential Persistence Via Notepad++ Plugins
 id: 54127bd4-f541-4ac3-afdb-ea073f63f692
-status: experimental
+status: test
 description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
 references:
     - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
index f4d39dfd6bf0..2828582d32d5 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
@@ -1,6 +1,6 @@
 title: NTDS.DIT Created
 id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
-status: experimental
+status: test
 description: Detects creation of a file named "ntds.dit" (Active Directory Database)
 references:
     - Internal Research
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
index 30ea4582d5f7..1282361ec393 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
@@ -3,7 +3,7 @@ id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
 related:
     - id: 91174a41-dc8f-401b-be89-7bfc140612a0
       type: similar
-status: experimental
+status: test
 description: Detects the creation of a new office macro files on the systems via an application (browser, mail client).
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
index 5c1c138c9206..f0095b1d8a54 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
@@ -1,6 +1,6 @@
 title: Office Macro File Creation From Suspicious Process
 id: b1c50487-1967-4315-a026-6491686d860e
-status: experimental
+status: test
 description: Detects the creation of a office macro file from a a suspicious process
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml
index 57d4c9c5e456..00a6521a7616 100644
--- a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml
+++ b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml
@@ -1,6 +1,6 @@
 title: Suspicious File Created Via OneNote Application
 id: fcc6d700-68d9-4241-9a1a-06874d621b06
-status: experimental
+status: test
 description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
 references:
     - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml
index 7584c5e49899..2ac2594b7177 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml
@@ -1,6 +1,6 @@
 title: Potential Persistence Via Outlook Form
 id: c3edc6a5-d9d4-48d8-930e-aab518390917
-status: experimental
+status: test
 description: Detects the creation of a new Outlook form which can contain malicious code
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
diff --git a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
index 9be3ad795809..11ef28ccd3b7 100644
--- a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
@@ -1,6 +1,6 @@
 title: Publisher Attachment File Dropped In Suspicious Location
 id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
-status: experimental
+status: test
 description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
 references:
     - https://twitter.com/EmericNasi/status/1623224526220804098
diff --git a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
index 071b27617421..de271fcef413 100644
--- a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
@@ -1,6 +1,6 @@
 title: File With Uncommon Extension Created By An Office Application
 id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
-status: experimental
+status: test
 description: Detects the creation of files with an executable or script extension by an Office application.
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
diff --git a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml
index f94bc1b6359a..ee48d1405955 100644
--- a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml
+++ b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml
@@ -1,6 +1,6 @@
 title: Uncommon File Created In Office Startup Folder
 id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
-status: experimental
+status: test
 description: Detects the creation of a file with an uncommon extension in an Office application startup folder
 references:
     - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
diff --git a/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml
index 3999f8481fb7..dca8c2bb9226 100644
--- a/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml
+++ b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml
@@ -1,6 +1,6 @@
 title: Suspicious File Created In PerfLogs
 id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
-status: experimental
+status: test
 description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
 references:
     - Internal Research
diff --git a/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml b/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml
index b0be4a1985ba..265abe5dac9b 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml
@@ -1,6 +1,6 @@
 title: Potential Binary Or Script Dropper Via PowerShell
 id: 7047d730-036f-4f40-b9d8-1c63e36d5e62
-status: experimental
+status: test
 description: Detects PowerShell creating a binary executable or a script file.
 references:
     - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
diff --git a/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml b/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml
index e622ef627c18..6bb60c379019 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml
@@ -1,6 +1,6 @@
 title: PowerShell Script Dropped Via PowerShell.EXE
 id: 576426ad-0131-4001-ae01-be175da0c108
-status: experimental
+status: test
 description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
 references:
     - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml
index dfaa770a8978..98cd38a339d8 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml
@@ -1,6 +1,6 @@
 title: PowerShell Module File Created
 id: e36941d0-c0f0-443f-bc6f-cb2952eb69ea
-status: experimental
+status: test
 description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
 references:
     - Internal Research
diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml
index 094d09c106fa..e3ad338f5451 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml
@@ -1,6 +1,6 @@
 title: Potential Suspicious PowerShell Module File Created
 id: e8a52bbd-bced-459f-bd93-64db45ce7657
-status: experimental
+status: test
 description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
 references:
     - Internal Research
diff --git a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
index b0d69d9db0de..fb01a98a154e 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
@@ -1,6 +1,6 @@
 title: Potential Startup Shortcut Persistence Via PowerShell.EXE
 id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
-status: experimental
+status: test
 description: |
     Detects PowerShell writing startup shortcuts.
     This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
diff --git a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
index f5254b05e8f5..d44d34f4750c 100644
--- a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
@@ -1,6 +1,6 @@
 title: RDP File Creation From Suspicious Application
 id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
-status: experimental
+status: test
 description: Detects Rclone config file being created
 references:
     - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
diff --git a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
index 4aeb3536e3ad..96e93c58d019 100644
--- a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
+++ b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
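Review bot: The RDP rule promoted here carries the description `Detects Rclone config file being created`, which contradicts its title `RDP File Creation From Suspicious Application` and its filename file_event_win_rdp_file_susp_creation.yml, so the line looks copied from another rule. A maturity bump to `test` is exactly when such a mismatch should be caught, so the description should say what the title says the rule detects, e.g. `description: Detects the creation of an RDP file by a suspicious application`; the precise wording depends on the detection block, which is outside the hunk.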
@@ -1,6 +1,6 @@
 title: Potential RipZip Attack on Startup Folder
 id: a6976974-ea6f-4e97-818e-ea08625c52cb
-status: experimental
+status: test
 description: |
     Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
     If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
diff --git a/rules/windows/file/file_event/file_event_win_sam_dump.yml b/rules/windows/file/file_event/file_event_win_sam_dump.yml
index b06fbaabf48c..0f8cc159d229 100644
--- a/rules/windows/file/file_event/file_event_win_sam_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_sam_dump.yml
@@ -1,6 +1,6 @@
 title: Potential SAM Database Dump
 id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
-status: experimental
+status: test
 description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
 references:
     - https://github.com/search?q=CVE-2021-36934
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
index 2abc355ad0aa..bf7c085233ef 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
@@ -1,6 +1,6 @@
 title: Windows Shell/Scripting Application File Write to Suspicious Folder
 id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
-status: experimental
+status: test
 description: Detects Windows shells and scripting applications that write files to suspicious folders
 references:
     - Internal Research
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
index 2255408e8688..111ece628cd2 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
@@ -3,7 +3,7 @@ id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
 related:
     - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
       type: derived
-status: experimental
+status: test
 description: Detects Windows executables that writes files with suspicious extensions
 references:
     - Internal Research
diff --git a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
index 3c9a63ebbe95..70a12e5a2529 100644
--- a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
@@ -1,6 +1,6 @@
 title: Suspicious Creation with Colorcpl
 id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
-status: experimental
+status: test
 description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
 references:
     - https://twitter.com/eral4m/status/1480468728324231172?s=20
diff --git a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml
index 46d207875003..c54c39906f7e 100644
--- a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml
@@ -1,6 +1,6 @@
 title: Potential Homoglyph Attack Using Lookalike Characters in Filename
 id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
-status: experimental
+status: test
 description: |
     Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
index ae9c0297b86e..03fc2f92ef76 100644
--- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
@@ -1,6 +1,6 @@
 title: Legitimate Application Dropped Executable
 id: f0540f7e-2db3-4432-b9e0-3965486744bc
-status: experimental
+status: test
 description: Detects programs on a Windows system that should not write executables to disk
 references:
     - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
index e271d35b5c3b..3642c3a83e15 100644
--- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
@@ -1,6 +1,6 @@
 title: Legitimate Application Dropped Script
 id: 7d604714-e071-49ff-8726-edeb95a70679
-status: experimental
+status: test
 description: Detects programs on a Windows system that should not write scripts to disk
 references:
     - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
diff --git a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
index ac680022062b..67b11b2ea712 100644
--- a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
@@ -3,7 +3,7 @@ id: 28208707-fe31-437f-9a7f-4b1108b94d2e
 related:
     - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
       type: similar
-status: experimental
+status: test
 description: Detects when a file with a suspicious extension is created in the startup folder
 references:
     - https://github.com/last-byte/PersistenceSniper
diff --git a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
index eb023d40df8d..580481f1227a 100644
--- a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
@@ -3,7 +3,7 @@ id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
 related:
     - id: b5b78988-486d-4a80-b991-930eff3ff8bf
       type: similar
-status: experimental
+status: test
 description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
 references:
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
diff --git a/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml b/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
index 51ed83617378..3f54ec7bde71 100644
--- a/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
@@ -3,7 +3,7 @@ id: 34746e8c-5fb8-415a-b135-0abc167e912a
 related:
     - id: 64827580-e4c3-4c64-97eb-c72325d45399
       type: derived
-status: experimental
+status: test
 description: Detects the creation of binaries in the WinSxS folder by non-system processes
 references:
     - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
index fa1d013c368b..7c1a3ac1e2e6 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
@@ -1,6 +1,6 @@
 title: LiveKD Kernel Memory Dump File Created
 id: 814ddeca-3d31-4265-8e07-8cc54fb44903
-status: experimental
+status: test
 description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
 references:
     - Internal Research
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml
index 0d3f5c27f256..9a405099da14 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml
@@ -1,6 +1,6 @@
 title: LiveKD Driver Creation
 id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
-status: experimental
+status: test
 description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
 references:
     - Internal Research
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
index 7b47f5169e51..e997ad9c53a7 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
@@ -3,7 +3,7 @@ id: 059c5af9-5131-4d8d-92b2-de4ad6146712
 related:
     - id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
       type: similar
-status: experimental
+status: test
 description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
 references:
     - Internal Research
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml
index 5b3b14352bcc..60e2e7816a37 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml
@@ -1,6 +1,6 @@
 title: Process Explorer Driver Creation By Non-Sysinternals Binary
 id: de46c52b-0bf8-4936-a327-aace94f94ac6
-status: experimental
+status: test
 description: |
     Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
     Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml
index 6c543a9a4348..8feed78794e7 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml
@@ -1,6 +1,6 @@
 title: Process Monitor Driver Creation By Non-Sysinternals Binary
 id: a05baa88-e922-4001-bc4d-8738135f27de
-status: experimental
+status: test
 description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
 references:
     - Internal Research
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml
index 810a735192c2..32facdcd8bdf 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml
@@ -1,6 +1,6 @@
 title: PSEXEC Remote Execution File Artefact
 id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
-status: experimental
+status: test
 description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
 references:
     - https://aboutdfir.com/the-key-to-identify-psexec/
diff --git a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
index 9599195f1be7..3da63d7b03eb 100644
--- a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
+++ b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
@@ -1,6 +1,6 @@
 title: Wmiexec Default Output File
 id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
-status: experimental
+status: test
 description: Detects the creation of the default output filename used by the wmiexec tool
 references:
     - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
index 2d3b6edcc004..23de6de33344 100644
--- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
+++ b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
@@ -1,6 +1,6 @@
 title: Rename Common File to DLL File
 id: bbfd974c-248e-4435-8de6-1e938c79c5c1
-status: experimental
+status: test
 description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection
 references:
 - https://twitter.com/ffforward/status/1481672378639912960
diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml
index 7596ad23e7bb..f0cca6f2cf3e 100644
--- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml
+++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml
@@ -1,6 +1,6 @@
 title: Suspicious Appended Extension
 id: e3f673b3-65d1-4d80-9146-466f8b63fa99
-status: experimental
+status: test
 description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
 references:
 - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
diff --git a/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml b/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml
index 094936be330a..d29daeb85cb7 100644
--- a/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml
+++ b/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml
@@ -1,6 +1,6 @@
 title: DLL Loaded From Suspicious Location Via Cmspt.EXE
 id: 75e508f7-932d-4ebc-af77-269237a84ce1
-status: experimental
+status: test
 description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
 references:
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
diff --git a/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml b/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml
index 0ce36f1c0217..e603cbae1824 100644
--- a/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml
+++ b/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml
@@ -1,6 +1,6 @@
 title: Amsi.DLL Load By Uncommon Process
 id: facd1549-e416-48e0-b8c4-41d7215eedc8
-status: experimental
+status: test
 description: Detects loading of Amsi.dll by uncommon processes
 references:
 - https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9
diff --git a/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml b/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
index 182b070ecdb7..9449d14fcb98 100644
--- a/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
+++ b/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
@@ -1,6 +1,6 @@
 title: Suspicious Renamed Comsvcs DLL Loaded By Rundll32
 id: 8cde342c-ba48-4b74-b615-172c330f2e93
-status: experimental
+status: test
 description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
 references:
 - https://twitter.com/sbousseaden/status/1555200155351228419
diff --git a/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml b/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml
index 70aac6e449c5..57031a4c98bb 100644
--- a/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml
+++ b/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml
@@ -1,6 +1,6 @@
 title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
 id: ec8c4047-fad9-416a-8c81-0f479353d7f6
-status: experimental
+status: test
 description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
 references:
 - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
diff --git a/rules/windows/image_load/image_load_dll_system_drawing_load.yml b/rules/windows/image_load/image_load_dll_system_drawing_load.yml
index 51324c3207b8..e251ff60b255 100644
--- a/rules/windows/image_load/image_load_dll_system_drawing_load.yml
+++ b/rules/windows/image_load/image_load_dll_system_drawing_load.yml
@@ -1,6 +1,6 @@
 title: System Drawing DLL Load
 id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
-status: experimental
+status: test
 description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
 references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/16
diff --git a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
index 6852243b24b9..953d3105c61b 100644
--- a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
@@ -5,7 +5,7 @@ related:
 type: obsoletes
 - id: fe6e002f-f244-4278-9263-20e4b593827f
 type: obsoletes
-status: experimental
+status: test
 description: Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's "load powershell" extension.
 references:
 - https://adsecurity.org/?p=2921
diff --git a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
index 81dce59c4518..0437cbe7c8a1 100644
--- a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
 type: similar
-status: experimental
+status: test
 description: Detects the image load of vss_ps.dll by uncommon executables
 references:
 - https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add
diff --git a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml
index 52bf4d10224a..55b5afe0df1f 100644
--- a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll
 type: similar
-status: experimental
+status: test
 description: Detects the image load of VSS DLL by uncommon executables
 references:
 - https://github.com/ORCx41/DeleteShadowCopies
diff --git a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
index b8e409e86e32..00b1114d2bcc 100644
--- a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
 type: similar
-status: experimental
+status: test
 description: Detects the image load of VSS DLL by uncommon executables
 references:
 - https://github.com/ORCx41/DeleteShadowCopies
diff --git a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
index e9a420ed8946..82bb13b6805c 100644
--- a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
+++ b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
@@ -3,7 +3,7 @@ id: 49329257-089d-46e6-af37-4afce4290685
 related:
 - id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c # Process Creation
 type: similar
-status: experimental
+status: test
 description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
 references:
 - https://github.com/bats3c/EvtMute
diff --git a/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml b/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml
index 3754f73df05a..148d0e35407f 100644
--- a/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml
+++ b/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml
@@ -3,7 +3,7 @@ id: af4c4609-5755-42fe-8075-4effb49f5d44
 related:
 - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
 type: derived
-status: experimental
+status: test
 description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
 references:
 - https://www.mandiant.com/resources/blog/lnk-between-browsers
diff --git a/rules/windows/image_load/image_load_office_powershell_dll_load.yml b/rules/windows/image_load/image_load_office_powershell_dll_load.yml
index f99efc47d234..3c2235cb8ada 100644
--- a/rules/windows/image_load/image_load_office_powershell_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_powershell_dll_load.yml
@@ -1,6 +1,6 @@
 title: PowerShell Core DLL Loaded Via Office Application
 id: bb2ba6fb-95d4-4a25-89fc-30bb736c021a
-status: experimental
+status: test
 description: Detects PowerShell core DLL being loaded by an Office Product
 references:
 - Internal Research
diff --git a/rules/windows/image_load/image_load_side_load_7za.yml b/rules/windows/image_load/image_load_side_load_7za.yml
index 7b6804cb4b10..739d1f9cfa95 100644
--- a/rules/windows/image_load/image_load_side_load_7za.yml
+++ b/rules/windows/image_load/image_load_side_load_7za.yml
@@ -1,6 +1,6 @@
 title: Potential 7za.DLL Sideloading
 id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "7za.dll"
 references:
 - https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d
diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml
index f3b89e3785d4..b5b3a05f458b 100644
--- a/rules/windows/image_load/image_load_side_load_antivirus.yml
+++ b/rules/windows/image_load/image_load_side_load_antivirus.yml
@@ -1,6 +1,6 @@
 title: Potential Antivirus Software DLL Sideloading
 id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
-status: experimental
+status: test
 description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
diff --git a/rules/windows/image_load/image_load_side_load_appverifui.yml b/rules/windows/image_load/image_load_side_load_appverifui.yml
index 3d6bac44839b..0e06be8b9db0 100644
--- a/rules/windows/image_load/image_load_side_load_appverifui.yml
+++ b/rules/windows/image_load/image_load_side_load_appverifui.yml
@@ -1,6 +1,6 @@
 title: Potential appverifUI.DLL Sideloading
 id: ee6cea48-c5b6-4304-a332-10fc6446f484
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "appverifUI.dll"
 references:
 - https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
diff --git a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
index 0084022098bf..0cc29e9717f8 100644
--- a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
+++ b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
@@ -1,6 +1,6 @@
 title: Aruba Network Service Potential DLL Sideloading
 id: 90ae0469-0cee-4509-b67f-e5efcef040f7
-status: experimental
+status: test
 description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
 references:
 - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
diff --git a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml
index a97267762f87..29a3c5e73ebf 100644
--- a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml
+++ b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml
@@ -1,6 +1,6 @@
 title: Potential Chrome Frame Helper DLL Sideloading
 id: 72ca7c75-bf85-45cd-aca7-255d360e423c
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
 references:
 - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
diff --git a/rules/windows/image_load/image_load_side_load_coregen.yml b/rules/windows/image_load/image_load_side_load_coregen.yml
index 9dc7dbeef5ed..454209dd1374 100644
--- a/rules/windows/image_load/image_load_side_load_coregen.yml
+++ b/rules/windows/image_load/image_load_side_load_coregen.yml
@@ -1,6 +1,6 @@
 title: Potential DLL Sideloading Using Coregen.exe
 id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
-status: experimental
+status: test
 description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
diff --git a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml
index 80b1818f6033..c2f9fd7c7ea2 100644
--- a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml
+++ b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml
@@ -1,6 +1,6 @@
 title: Potential DLL Sideloading Of DBGCORE.DLL
 id: 9ca2bf31-0570-44d8-a543-534c47c33ed7
-status: experimental
+status: test
 description: Detects DLL sideloading of "dbgcore.dll"
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
diff --git a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml
index aca8455ca074..7f2e670b0661 100644
--- a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml
+++ b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml
@@ -1,6 +1,6 @@
 title: Potential DLL Sideloading Of DBGHELP.DLL
 id: 6414b5cd-b19d-447e-bb5e-9f03940b5784
-status: experimental
+status: test
 description: Detects DLL sideloading of "dbghelp.dll"
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
diff --git a/rules/windows/image_load/image_load_side_load_edputil.yml b/rules/windows/image_load/image_load_side_load_edputil.yml
index c01ef110298e..68731a236bc1 100644
--- a/rules/windows/image_load/image_load_side_load_edputil.yml
+++ b/rules/windows/image_load/image_load_side_load_edputil.yml
@@ -1,6 +1,6 @@
 title: Potential Edputil.DLL Sideloading
 id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "edputil.dll"
 references:
 - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
diff --git a/rules/windows/image_load/image_load_side_load_goopdate.yml b/rules/windows/image_load/image_load_side_load_goopdate.yml
index 0efe6f037a85..9552d33e1251 100644
--- a/rules/windows/image_load/image_load_side_load_goopdate.yml
+++ b/rules/windows/image_load/image_load_side_load_goopdate.yml
@@ -1,6 +1,6 @@
 title: Potential Goopdate.DLL Sideloading
 id: b6188d2f-b3c4-4d2c-a17d-9706e0851af0
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
diff --git a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
index b6817ffa8691..dbeeef9cdc08 100644
--- a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
+++ b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
@@ -1,6 +1,6 @@
 title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
 id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
diff --git a/rules/windows/image_load/image_load_side_load_iviewers.yml b/rules/windows/image_load/image_load_side_load_iviewers.yml
index e50e6eae260f..15b734624fe0 100644
--- a/rules/windows/image_load/image_load_side_load_iviewers.yml
+++ b/rules/windows/image_load/image_load_side_load_iviewers.yml
@@ -1,6 +1,6 @@
 title: Potential Iviewers.DLL Sideloading
 id: 4c21b805-4dd7-469f-b47d-7383a8fcb437
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
 references:
 - https://www.secureworks.com/research/shadowpad-malware-analysis
diff --git a/rules/windows/image_load/image_load_side_load_libvlc.yml b/rules/windows/image_load/image_load_side_load_libvlc.yml
index 47c3653ef866..e2c12979a553 100644
--- a/rules/windows/image_load/image_load_side_load_libvlc.yml
+++ b/rules/windows/image_load/image_load_side_load_libvlc.yml
@@ -1,6 +1,6 @@
 title: Potential Libvlc.DLL Sideloading
 id: bf9808c4-d24f-44a2-8398-b65227d406b6
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
 references:
 - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
index e9ce6fbd254e..0d674de9773a 100644
--- a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
+++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
@@ -3,7 +3,7 @@ id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
 related:
 - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
 type: similar
-status: experimental
+status: test
 description: Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation
 references:
 - https://decoded.avast.io/martinchlumecky/png-steganography/
diff --git a/rules/windows/image_load/image_load_side_load_office_dlls.yml b/rules/windows/image_load/image_load_side_load_office_dlls.yml
index 3ad585cdd80b..494e9718fce4 100644
--- a/rules/windows/image_load/image_load_side_load_office_dlls.yml
+++ b/rules/windows/image_load/image_load_side_load_office_dlls.yml
@@ -1,6 +1,6 @@
 title: Microsoft Office DLL Sideload
 id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
-status: experimental
+status: test
 description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
diff --git a/rules/windows/image_load/image_load_side_load_rcdll.yml b/rules/windows/image_load/image_load_side_load_rcdll.yml
index 869dc89a5845..c7cd048a15a0 100644
--- a/rules/windows/image_load/image_load_side_load_rcdll.yml
+++ b/rules/windows/image_load/image_load_side_load_rcdll.yml
@@ -1,6 +1,6 @@
 title: Potential Rcdll.DLL Sideloading
 id: 6e78b74f-c762-4800-82ad-f66787f10c8a
-status: experimental
+status: test
 description: Detects potential DLL sideloading of rcdll.dll
 references:
 - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
index 233b693cab67..031f8a2564c8 100644
--- a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
+++ b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
@@ -1,6 +1,6 @@
 title: Potential RjvPlatform.DLL Sideloading From Default Location
 id: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d
-status: experimental
+status: test
 description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
 references:
 - https://twitter.com/0gtweet/status/1666716511988330499
diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
index 16a2f9478201..9736f91c35ff 100644
--- a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
+++ b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
@@ -1,6 +1,6 @@
 title: Potential RjvPlatform.DLL Sideloading From Non-Default Location
 id: 0e0bc253-07ed-43f1-816d-e1b220fe8971
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
 references:
 - https://twitter.com/0gtweet/status/1666716511988330499
diff --git a/rules/windows/image_load/image_load_side_load_robform.yml b/rules/windows/image_load/image_load_side_load_robform.yml
index d1935bd61973..59ae90ce250b 100644
--- a/rules/windows/image_load/image_load_side_load_robform.yml
+++ b/rules/windows/image_load/image_load_side_load_robform.yml
@@ -1,6 +1,6 @@
 title: Potential RoboForm.DLL Sideloading
 id: f64c9b2d-b0ad-481d-9d03-7fc75020892a
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
 references:
 - https://twitter.com/StopMalvertisin/status/1648604148848549888
diff --git a/rules/windows/image_load/image_load_side_load_shelldispatch.yml b/rules/windows/image_load/image_load_side_load_shelldispatch.yml
index 3b2313a4e06e..2893eaa8ece3 100644
--- a/rules/windows/image_load/image_load_side_load_shelldispatch.yml
+++ b/rules/windows/image_load/image_load_side_load_shelldispatch.yml
@@ -1,6 +1,6 @@
 title: Potential ShellDispatch.DLL Sideloading
 id: 844f8eb2-610b-42c8-89a4-47596e089663
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "ShellDispatch.dll"
 references:
 - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
diff --git a/rules/windows/image_load/image_load_side_load_smadhook.yml b/rules/windows/image_load/image_load_side_load_smadhook.yml
index d135bed8ada5..5b6588776062 100644
--- a/rules/windows/image_load/image_load_side_load_smadhook.yml
+++ b/rules/windows/image_load/image_load_side_load_smadhook.yml
@@ -1,6 +1,6 @@
 title: Potential SmadHook.DLL Sideloading
 id: 24b6cf51-6122-469e-861a-22974e9c1e5b
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
 references:
 - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
diff --git a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
index 9c9dd392fb11..c0952513125c 100644
--- a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
+++ b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
@@ -1,6 +1,6 @@
 title: Potential SolidPDFCreator.DLL Sideloading
 id: a2edbce1-95c8-4291-8676-0d45146862b3
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
 references:
 - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
diff --git a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
index cfe513b7dca8..ce13045665c7 100644
--- a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
+++ b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
@@ -1,6 +1,6 @@
 title: Potential DLL Sideloading Via VMware Xfer
 id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
-status: experimental
+status: test
 description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
 references:
 - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
diff --git a/rules/windows/image_load/image_load_side_load_waveedit.yml b/rules/windows/image_load/image_load_side_load_waveedit.yml
index 75619e6bd4df..2caa069bee9e 100644
--- a/rules/windows/image_load/image_load_side_load_waveedit.yml
+++ b/rules/windows/image_load/image_load_side_load_waveedit.yml
@@ -1,6 +1,6 @@
 title: Potential Waveedit.DLL Sideloading
 id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
 references:
 - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
diff --git a/rules/windows/image_load/image_load_side_load_wazuh.yml b/rules/windows/image_load/image_load_side_load_wazuh.yml
index fb268f1a7a68..700461cc940b 100644
--- a/rules/windows/image_load/image_load_side_load_wazuh.yml
+++ b/rules/windows/image_load/image_load_side_load_wazuh.yml
@@ -1,6 +1,6 @@
 title: Potential Wazuh Security Platform DLL Sideloading
 id: db77ce78-7e28-4188-9337-cf30e2b3ba9f
-status: experimental
+status: test
 description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
 references:
 - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
diff --git a/rules/windows/image_load/image_load_side_load_wwlib.yml b/rules/windows/image_load/image_load_side_load_wwlib.yml
index cdd7b1a0e864..7de9b90e1d7f 100644
--- a/rules/windows/image_load/image_load_side_load_wwlib.yml
+++ b/rules/windows/image_load/image_load_side_load_wwlib.yml
@@ -1,6 +1,6 @@
 title: Potential WWlib.DLL Sideloading
 id: e2e01011-5910-4267-9c3b-4149ed5479cf
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "wwlib.dll"
 references:
 - https://twitter.com/WhichbufferArda/status/1658829954182774784
diff --git a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
index 43f12df16f05..17cb4cb364ab 100644
--- a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
+++ b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
@@ -1,6 +1,6 @@
 title: Unsigned Module Loaded by ClickOnce Application
 id: 060d5ad4-3153-47bb-8382-43e5e29eda92
-status: experimental
+status: test
 description: Detects unsigned module load by ClickOnce application.
 references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
diff --git a/rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml
index 29f02674ef52..7d38d2a8fd09 100644
--- a/rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml
@@ -1,6 +1,6 @@
 title: Dfsvc.EXE Network Connection To Uncommon Ports
 id: 4c5fba4a-9ef6-4f16-823d-606246054741
-status: experimental
+status: test
 description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to uncommon ports
 references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
diff --git a/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml
index a87886fd5f00..d22a45e5923a 100644
--- a/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml
+++ b/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml
@@ -1,6 +1,6 @@
 title: Suspicious Non-Browser Network Communication With Google API
 id: 7e9cf7b6-e827-11ed-a05b-0242ac120003
-status: experimental
+status: test
 description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
 references:
 - https://github.com/looCiprian/GC2-sheet
diff --git a/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml b/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml
index 3850deadd9f0..954d0a76361c 100644
--- a/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml
+++ b/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml
@@ -1,6 +1,6 @@
 title: Potentially Suspicious Network Connection To Notion API
 id: 7e9cf7b6-e827-11ed-a05b-15959c120003
-status: experimental
+status: test
 description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
 references:
 - https://github.com/mttaggart/OffensiveNotion
diff --git a/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml
index 14fe0fb50f22..a11cb579721a 100644
--- a/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml
+++ b/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml
@@ -1,6 +1,6 @@
 title: Suspicious Non-Browser Network Communication With Reddit API
 id: d7b09985-95a3-44be-8450-b6eadf49833e
-status: experimental
+status: test
 description: Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2
 references:
 - https://github.com/kleiton0x00/RedditC2
diff --git a/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml b/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml
index c3c8d98075a4..a67408af9ac1 100644
--- a/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml
@@ -3,7 +3,7 @@ id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
 related:
 - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
 type: derived
-status: experimental
+status: test
 description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
 references:
 - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
diff --git a/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml
index c4c72a3e43a6..2a97eba532cc 100644
--- a/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml
+++ b/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml
@@ -1,6 +1,6 @@
 title: Suspicious Non-Browser Network Communication With Telegram API
 id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
-status: experimental
+status: test
 description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
diff --git a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
index cfe3b317c1d1..1131b3efd03c 100644
--- a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
@@ -1,6 +1,6 @@
 title: Outbound Network Connection To Public IP Via Winlogon
 id: 7610a4ea-c06d-495f-a2ac-0a696abcfd3b
-status: experimental
+status: test
 description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
diff --git a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
index 69cb7347b911..c3a3cb8ede57 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: 9e620995-f2d8-4630-8430-4afd89f77604
 type: similar
-status: experimental
+status: test
 description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
 references:
 - https://github.com/samratashok/ADModule
diff --git a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
index 6681b9021206..67a3c7e88973 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
 type: obsoletes
-status: experimental
+status: test
 description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
 references:
 - https://github.com/PowerShellMafia/PowerSploit
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
index 49608737f22e..12c523d36c64 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
@@ -1,6 +1,6 @@
 title: PowerShell Get Clipboard
 id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
-status: experimental
+status: test
 description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
 references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/16
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
index 4411512e4430..9b235eb1ae22 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
@@ -3,7 +3,7 @@ id: 2f211361-7dce-442d-b78a-c04039677378
 related:
 - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
 type: derived
-status: experimental
+status: test
 description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
index 6b1cef4f78b6..5984513a7871 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
@@ -3,7 +3,7 @@ id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
 related:
 - id: e55a5195-4724-480e-a77e-3ebe64bd3759
 type: derived
-status: experimental
+status: test
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
index 73cd2f78e8ce..c5b7cae9831b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
 type: similar
-status: experimental
+status: test
 description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
index 6730552bc73f..66054fa1f2ee 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
@@ -3,7 +3,7 @@ id: de41232e-12e8-49fa-86bc-c05c7e722df9
 related:
 - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
 type: derived
-status: experimental
+status: test
 description: Detects suspicious PowerShell download command
 author: Florian Roth (Nextron Systems)
 date: 2017/03/05
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
index 5628af37b022..5b22d096c4e4 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
@@ -5,7 +5,7 @@ related:
 type: derived
 - id: ed965133-513f-41d9-a441-e38076a0798f
 type: similar
-status: experimental
+status: test
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (Nextron Systems)
 date: 2017/03/12
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
index bf4c048020bc..e3e58c6b4916 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 - id: 536e2947-3729-478c-9903-745aaffe60d2
 type: similar
-status: experimental
+status: test
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
 date: 2017/03/05
diff --git a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
index 30e9e89c19b8..df3893d2b41b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
@@ -3,7 +3,7 @@ id: 91e69562-2426-42ce-a647-711b8152ced6
 related:
 - id: c86500e9-a645-4680-98d7-f882c70c1ea3
 type: similar
-status: experimental
+status: test
 description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
 references:
 - https://o365blog.com/aadinternals/
diff --git a/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml b/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
index 51ed8b287d0a..25c9abb2ac67 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: 74176142-4684-4d8a-8b0a-713257e7df8e
 type: similar
-status: experimental
+status: test
 description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
 references:
 - https://github.com/samratashok/ADModule
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
index 8180f26f9074..58f21aee39dd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
@@ -3,7 +3,7 @@ id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429
 related:
 - id: b36d01a3-ddaf-4804-be18-18a6247adfcd
 type: similar
-status: experimental
+status: test
 description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
 references:
 - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
index 1970394e349c..7973d890ca64 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
@@ -3,7 +3,7 @@ id: fa2559c8-1197-471d-9cdd-05a0273d4522
 related:
 - id: 92a974db-ab84-457f-9ec0-55db83d7a825
 type: similar
-status: experimental
+status: test
 description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
 references:
 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
index 987d0f8e92a8..eddd5f9c470a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
@@ -1,6 +1,6 @@
 title: Potential Data Exfiltration Via Audio File
 id: e4f93c99-396f-47c8-bb0f-201b1fa69034
-status: experimental
+status: test
 description: Detects potential exfiltration attempt via audio file using PowerShell
 references:
 - https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
index fd1f82017891..5560c705ac61 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
@@ -1,6 +1,6 @@
 title: Potential In-Memory Execution Using Reflection.Assembly
 id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a
-status: experimental
+status: test
 description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
diff --git a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
index 4d15f4b03c45..9b7fcf1e28e3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
@@ -3,7 +3,7 @@ id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
 related:
 - id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
 type: similar
-status: experimental
+status: test
 description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
 references:
 - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml
index feb1f9facedd..1dccc7e51a5c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml
@@ -3,7 +3,7 @@ id: 55c925c1-7195-426b-a136-a9396800e29b
 related:
 - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
 type: similar
-status: experimental
+status: test
 description: |
 Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
 Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
diff --git a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
index 13adc62bf7f1..d43feb7e1159 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml
@@ -3,7 +3,7 @@ id: df69cb1d-b891-4cd9-90c7-d617d90100ce
 related:
 - id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
 type: similar
-status: experimental
+status: test
 description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
index 9daa5f3ef44f..60528cd72c78 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
@@ -3,7 +3,7 @@ id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
 related:
 - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 type: similar
-status: experimental
+status: test
 description: Detects the execution of the hacktool Rubeus using specific command line flags
 references:
 - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
diff --git a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
index 8bd15a134f6c..2d4a229c4849 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
@@ -3,7 +3,7 @@ id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
 related:
 - id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
 type: similar
-status: experimental
+status: test
 description: Detects powershell scripts that import modules from suspicious directories
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
diff --git a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
index 5470e2010725..3a102abf4dca 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
@@ -3,7 +3,7 @@ id: 975b2262-9a49-439d-92a6-0709cccdf0b2
 related:
 - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
 type: similar
-status: experimental
+status: test
 description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
 references:
 - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
index 3072d3a9dc67..cb3480643473 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
@@ -1,6 +1,6 @@
 title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
 id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
-status: experimental
+status: test
 description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index 1da9d4f781ef..e5656f1e9244 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -1,6 +1,6 @@
 title: Malicious Nishang PowerShell Commandlets
 id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
-status: experimental
+status: test
 description: Detects Commandlet names and arguments from the Nishang exploitation framework
 references:
 - https://github.com/samratashok/nishang
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
index 49e612494204..6e30760c71cd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
@@ -1,6 +1,6 @@
 title: PowerShell Remote Session Creation
 id: a0edd39f-a0c6-4c17-8141-261f958e8d8f
-status: experimental
+status: test
 description: |
 Adversaries may abuse PowerShell commands and scripts for execution.
 PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
index 224cd89dd257..cccdd23f261f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
 type: similar
-status: experimental
+status: test
 description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
diff --git a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
index 68f8133dd631..6e40bbde91c8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
@@ -1,6 +1,6 @@
 title: PowerShell Script With File Hostname Resolving Capabilities
 id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
-status: experimental
+status: test
 description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
 references:
 - https://www.fortypoundhead.com/showcontent.asp?artid=24022
diff --git a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
index 47cd9c59d343..398800494710 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
@@ -1,6 +1,6 @@
 title: PowerShell Script With File Upload Capabilities
 id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
-status: experimental
+status: test
 description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index baed83349c4c..be739c0b4964 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
 type: similar
-status: experimental
+status: test
 description: Detects use of Set-ExecutionPolicy to set insecure policies
 references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
index 4488e2ae15b0..ca6e9f064859 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
@@ -1,6 +1,6 @@
 title: Potential Persistence Via Security Descriptors - ScriptBlock
 id: 2f77047c-e6e9-4c11-b088-a3de399524cd
-status: experimental
+status: test
 description: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
 references:
 - https://github.com/HarmJ0y/DAMP
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
index 1203f0ab58f4..2e09e11bd8be 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
@@ -3,7 +3,7 @@ id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
 related:
 - id: 96cd126d-f970-49c4-848a-da3a09f55c55
 type: derived
-status: experimental
+status: test
 description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
 references:
 - Internal Research
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
index 8ab4eb08f79a..a1b66299621d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 - id: 536e2947-3729-478c-9903-745aaffe60d2
 type: similar
-status: experimental
+status: test
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
 date: 2017/03/05
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
index 61071b01be49..fcb2b047ab08 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -1,6 +1,6 @@
 title: Change User Agents with WebRequest
 id: d4488827-73af-4f8d-9244-7b7662ef046e
-status: experimental
+status: test
 description: |
 Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
 Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
index 785f036b6db1..f794f04bdc0f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
@@ -1,6 +1,6 @@
 title: Potential Keylogger Activity
 id: 965e2db9-eddb-4cf6-a986-7a967df651e4
-status: experimental
+status: test
 description: Detects PowerShell scripts that contains reference to keystroke capturing functions
 references:
 - https://twitter.com/ScumBots/status/1610626724257046529
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
index 4ec7187d4528..cffcb7dfaa38 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
@@ -3,7 +3,7 @@ id: 96cd126d-f970-49c4-848a-da3a09f55c55
 related:
 - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
 type: derived
-status: experimental
+status: test
 description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
 references:
 - https://github.com/1337Rin/Swag-PSO
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
index 5499f3a0def9..c62ab67ba67f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
@@ -3,7 +3,7 @@ id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
 related:
 - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
 type: derived
-status: experimental
+status: test
 description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index 568b04977c6e..580ee4f7ef51 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -3,7 +3,7 @@ id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
 related:
 - id: deb9b646-a508-44ee-b7c9-d8965921c6b6
 type: similar
-status: experimental
+status: test
 description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation
diff --git a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
index 96b56cccc8c6..91e7f0c9a75e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
@@ -1,6 +1,6 @@
 title: Veeam Backup Servers Credential Dumping Script Execution
 id: 976d6e6f-a04b-4900-9713-0134a353e38b
-status: experimental
+status: test
 description: Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
 references:
 - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
index 77d721e972d1..0ac2eb869f96 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
@@ -3,7 +3,7 @@ id: 1139d2e2-84b1-4226-b445-354492eba8ba
 related:
 - id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
 type: derived
-status: experimental
+status: test
 description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
 references:
 - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
index 20df8bdd808d..51dd93bdc8b4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
@@ -3,7 +3,7 @@ id: 03d83090-8cba-44a0-b02f-0b756a050306
 related:
 - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
 type: similar
-status: experimental
+status: test
 description: Detects use of WinAPI functions in PowerShell scripts
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
index a02efba722b7..5b56c82bb207 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
@@ -3,7 +3,7 @@ id: 488b44e7-3781-4a71-888d-c95abfacf44d
 related:
 - id: 12f6b752-042d-483e-bf9c-915a6d06ad75
 type: similar
-status: experimental
+status: test
 description: Detects when a user disables the Windows Firewall via a Profile to help evade defense.
 references:
 - https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
index 56b3043b4ed2..abefd5c82160 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
@@ -3,7 +3,7 @@ id: 504d63cb-0dba-4d02-8531-e72981aace2c
 related:
 - id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
 type: similar
-status: experimental
+status: test
 description: Detect use of X509Enrollment
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
index e8d5a41a73b0..12d6d22135e0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
@@ -1,6 +1,6 @@
 title: Powershell XML Execute Command
 id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
-status: experimental
+status: test
 description: |
 Adversaries may abuse PowerShell commands and scripts for execution.
 PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
index 66438bb408a7..d593a5c8ba30 100755
--- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
@@ -1,6 +1,6 @@
 title: Credential Dumping Tools Accessing LSASS Memory
 id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
-status: experimental
+status: test
 description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools
 references:
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
index 4f6fa422e58d..a925cec32839 100644
--- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
@@ -1,6 +1,6 @@
title: Potential NT API Stub Patching
id: b916cba1-b38a-42da-9223-17114d846fd6
-status: experimental
+status: test
description: Detects potential NT API stub patching as seen used by the project PatchingAPI
references:
- https://github.com/D1rkMtr/UnhookingPatch
diff --git a/rules/windows/process_access/proc_access_win_invoke_phantom.yml b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
index 5cec62e5a235..b1374edb8a86 100755
--- a/rules/windows/process_access/proc_access_win_invoke_phantom.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
@@ -1,6 +1,6 @@
title: Potential Svchost Memory Access
id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
-status: experimental
+status: test
description: Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM Windows event logging service.
references:
- https://github.com/hlldz/Invoke-Phant0m
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
index b9d2d0811f0c..be16e7dd824c 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
@@ -3,7 +3,7 @@ id: a18dd26b-6450-46de-8c91-9659150cf088
related:
- id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
type: obsoletes
-status: experimental
+status: test
description: Detects process access to LSASS memory with suspicious access flags
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
index 81c4db3def49..1ed13a3df5a8 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -1,6 +1,6 @@
title: LSASS Access From Program in Potentially Suspicious Folder
id: fa34b441-961a-42fa-a100-ecc28c886725
-status: experimental
+status: test
description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
diff --git a/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml b/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
index 73fd3a8a6f70..1efaeec02ff8 100644
--- a/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
+++ b/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
@@ -1,6 +1,6 @@
title: Password Protected Compressed File Extraction Via 7Zip
id: b717b8fd-6467-4d7d-b3d3-27f9a463af77
-status: experimental
+status: test
description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
references:
- https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
diff --git a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
index d7d2885b4197..b8baf532dbd5 100644
--- a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
@@ -1,6 +1,6 @@
title: Potential Adplus.EXE Abuse
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
-status: experimental
+status: test
description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
index f99ca8092a16..3d424306a213 100644
--- a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
@@ -3,7 +3,7 @@ id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
related:
- id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
type: similar
-status: experimental
+status: test
description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
author: Nasreddine Bencherchali (Nextron Systems), memory-shards
references:
diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
index 0cbb8cd552a6..2ee4d6d4d37b 100644
--- a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
@@ -3,7 +3,7 @@ id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
related:
- id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
type: similar
-status: experimental
+status: test
description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
author: Nasreddine Bencherchali (Nextron Systems), memory-shards
references:
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system.yml b/rules/windows/process_creation/proc_creation_win_attrib_system.yml
index 6c0b06dbe497..92ce6018c603 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_system.yml
@@ -3,7 +3,7 @@ id: bb19e94c-59ae-4c15-8c12-c563d23fe52b
related:
- id: efec536f-72e8-4656-8960-5e85d091345b
type: similar
-status: experimental
+status: test
description: Detects the execution of "attrib" with the "+s" flag to mark files as system files
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
index eb87a1116522..f9bf2a80cfcf 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
@@ -3,7 +3,7 @@ id: efec536f-72e8-4656-8960-5e85d091345b
related:
- id: bb19e94c-59ae-4c15-8c12-c563d23fe52b
type: derived
-status: experimental
+status: test
description: |
Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
references:
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
index cfb0d8aab938..1ed2acbb9149 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
@@ -3,7 +3,7 @@ id: 99c840f2-2012-46fd-9141-c761987550ef
related:
- id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
type: similar
-status: experimental
+status: test
description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
index 40289c120596..d90c4f3d1e96 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
@@ -1,6 +1,6 @@
title: File With Suspicious Extension Downloaded Via Bitsadmin
id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
-status: experimental
+status: test
description: Detects usage of bitsadmin downloading a file with a suspicious extension
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
index 604c2fdd5c5c..1938cbbd12dc 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
@@ -1,6 +1,6 @@
title: File Download Via Bitsadmin To A Suspicious Target Folder
id: 2ddef153-167b-4e89-86b6-757a9e65dcac
-status: experimental
+status: test
description: Detects usage of bitsadmin downloading a file to a suspicious target folder
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
index 3d34532fe37f..029d092f53df 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
@@ -1,6 +1,6 @@
title: File Download Via Bitsadmin To An Uncommon Target Folder
id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
-status: experimental
+status: test
description: Detects usage of bitsadmin downloading a file to uncommon target folder
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
index ea8e5507bc6e..557cdcec1308 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
@@ -3,7 +3,7 @@ id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
related:
- id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
type: derived
-status: experimental
+status: test
description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
references:
- https://github.com/defaultnamehere/cookie_crimes/
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
index 3bab78783763..94c889d7f560 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
@@ -3,7 +3,7 @@ id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
related:
- id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
type: derived
-status: experimental
+status: test
description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
references:
- https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
index 8cef809ca31d..ba8468868144 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
@@ -3,7 +3,7 @@ id: 242301bc-f92f-4476-8718-78004a6efd9f
related:
- id: 84232095-ecca-4015-b0d7-7726507ee793
type: similar
-status: experimental
+status: test
description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
references:
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
index 49ed6cb4e53d..bb848a4bd8fc 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
@@ -3,7 +3,7 @@ id: 84232095-ecca-4015-b0d7-7726507ee793
related:
- id: 242301bc-f92f-4476-8718-78004a6efd9f
type: similar
-status: experimental
+status: test
description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
references:
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
index eded0e089d6d..774d0a966a0c 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
@@ -5,7 +5,7 @@ related:
type: similar
- id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download
type: similar
-status: experimental
+status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
index db283bb31970..8ea9c5d0376b 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
@@ -3,7 +3,7 @@ id: ea0cdc3e-2239-4f26-a947-4e8f8224e464
related:
- id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
type: derived
-status: experimental
+status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
index 566347683017..1c8dff03c8f8 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
@@ -3,7 +3,7 @@ id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
related:
- id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
type: derived
-status: experimental
+status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
index 08a7876dbe5f..1e69c0c26db3 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
@@ -1,6 +1,6 @@
title: Potential NTLM Coercion Via Certutil.EXE
id: 6c6d9280-e6d0-4b9d-80ac-254701b64916
-status: experimental
+status: test
description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
references:
- https://github.com/LOLBAS-Project/LOLBAS/issues/243
diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
index 28cdd22c237b..95e57fe5f768 100644
--- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
@@ -1,6 +1,6 @@
title: Console CodePage Lookup Via CHCP
id: 7090adee-82e2-4269-bd59-80691e7c6338
-status: experimental
+status: test
description: Detects use of chcp to look up the system locale value as part of host discovery
references:
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
diff --git a/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
index 34f6f66a27d2..a47f891713a9 100644
--- a/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
@@ -1,6 +1,6 @@
title: Deleted Data Overwritten Via Cipher.EXE
id: 4b046706-5789-4673-b111-66f25fe99534
-status: experimental
+status: test
description: |
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
index dd9a28ac9ee8..16a8017383af 100644
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
@@ -1,6 +1,6 @@
title: Cloudflared Tunnel Connections Cleanup
id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
-status: experimental
+status: test
description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
references:
- https://github.com/cloudflare/cloudflared
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
index c650c6561ccc..9fe15ed7757a 100644
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
@@ -1,6 +1,6 @@
title: Cloudflared Tunnel Execution
id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
-status: experimental
+status: test
description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
references:
- https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
index a3c1d7651b4f..b8a74a55fb36 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
@@ -3,7 +3,7 @@ id: ae6f14e6-14de-45b0-9f44-c0986f50dc89
related:
- id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
type: derived
-status: experimental
+status: test
description: |
Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
index 2f56c9d48eb2..48471fc16ad0 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
@@ -1,6 +1,6 @@
title: File Deletion Via Del
id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
-status: experimental
+status: test
description: |
Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity.
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
index 3b2e6ea8c46f..f242d335e16a 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
@@ -1,6 +1,6 @@
title: Files And Subdirectories Listing Using Dir
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
-status: experimental
+status: test
description: Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
index a8afa87fc26a..f81862b0a67d 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
@@ -1,6 +1,6 @@
title: Potential Dosfuscation Activity
id: a77c1610-fc73-4019-8e29-0f51efc04a51
-status: experimental
+status: test
description: Detects possible payload obfuscation via the commandline
references:
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
index 1ef55fdeded9..79f44dfeffc3 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
@@ -1,6 +1,6 @@
title: Suspicious File Execution From Internet Hosted WebDav Share
id: f0507c0f-a3a2-40f5-acc6-7f543c334993
-status: experimental
+status: test
description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
references:
- https://twitter.com/ShadowChasing1/status/1552595370961944576
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml
index b8488e0c558a..8af94c79549d 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml
@@ -1,6 +1,6 @@
title: Cmd.EXE Missing Space Characters Execution Anomaly
id: a16980c2-0c56-4de0-9a79-17971979efdd
-status: experimental
+status: test
description: |
Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation of a fat finger problem (typo by the developer).
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
index 7657e3ab4e89..7477513ecd92 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
@@ -1,6 +1,6 @@
title: Suspicious Ping/Del Command Combination
id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
-status: experimental
+status: test
description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
references:
- https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml
index 8ff34b631ca8..db197e0b06fa 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml
@@ -3,7 +3,7 @@ id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
related:
- id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
type: similar
-status: experimental
+status: test
description: Detects the use of the redirection character ">" to redicrect information in commandline
references:
- https://ss64.com/nt/syntax-redirection.html
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
index bf889c045e9c..950d81370cdd 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
@@ -5,7 +5,7 @@ related:
type: derived
- id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
type: similar
-status: experimental
+status: test
description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
index e052f5feb781..13f0a14a4fa7 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
@@ -1,6 +1,6 @@
title: Directory Removal Via Rmdir
id: 41ca393d-538c-408a-ac27-cf1e038be80c
-status: experimental
+status: test
description: |
Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity.
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml b/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
index 4e7b251f148e..48f0b7638a8a 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
@@ -1,6 +1,6 @@
title: Copy From VolumeShadowCopy Via Cmd.EXE
id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
-status: experimental
+status: test
description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml b/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml
index 1dfcc69e8867..e90aba9a10ca 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml
@@ -3,7 +3,7 @@ id: 241e802a-b65e-484f-88cd-c2dc10f9206d
related:
- id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003
type: obsoletes
-status: experimental
+status: test
description: Detect the use of "<" to read and potentially execute a file via cmd.exe
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
index 17f1ddc42f4a..850e973cafe5 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
@@ -1,6 +1,6 @@
title: Persistence Via Sticky Key Backdoor
id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3
-status: experimental
+status: test
description: |
By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched.
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
index 5dab95a0a138..f03cb33ac583 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
@@ -1,6 +1,6 @@
title: Unusual Parent Process For Cmd.EXE
id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b
-status: experimental
+status: test
description: Detects suspicious parent process for cmd.exe
references:
- https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
index 1053f50bbdd6..d22f3cb67b17 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
@@ -1,6 +1,6 @@
title: New Generic Credentials Added Via Cmdkey.EXE
id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
-status: experimental
+status: test
description: Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
index 87b40ce8d114..d0dcf114c006 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
@@ -1,6 +1,6 @@
title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
-status: experimental
+status: test
description: Detects usage of cmdkey to look for cached credentials on the system
references:
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
index c7abd6b83150..0a18f0c69f62 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
@@ -1,6 +1,6 @@
 title: Uncommon Child Process Of Conhost.EXE
 id: 7dc2dedd-7603-461a-bc13-15803d132355
-status: experimental
+status: test
 description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
 references:
     - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
index cd0b375b7693..d32235e9941b 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
@@ -1,6 +1,6 @@
 title: Conhost Spawned By Uncommon Parent Process
 id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
-status: experimental
+status: test
 description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
 references:
     - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
diff --git a/rules/windows/process_creation/proc_creation_win_csvde_export.yml b/rules/windows/process_creation/proc_creation_win_csvde_export.yml
index 7502db2bea2e..dc8cc918cc82 100644
--- a/rules/windows/process_creation/proc_creation_win_csvde_export.yml
+++ b/rules/windows/process_creation/proc_creation_win_csvde_export.yml
@@ -1,6 +1,6 @@
 title: Active Directory Structure Export Via Csvde.EXE
 id: e5d36acd-acb4-4c6f-a13f-9eb203d50099
-status: experimental
+status: test
 description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
 references:
     - https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
index aa5652161964..5069b28e086d 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
@@ -1,6 +1,6 @@
 title: Insecure Transfer Via Curl.EXE
 id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
-status: experimental
+status: test
 description: Detects execution of "curl.exe" with the "--insecure" flag.
 references:
     - https://curl.se/docs/manpage.html
diff --git a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
index 2f3ca8f8c4b4..d29a2bf73f17 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
@@ -5,7 +5,7 @@ related:
       type: derived
     - id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download
       type: similar
-status: experimental
+status: test
 description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
 references:
     - https://twitter.com/max_mal_/status/1542461200797163522
diff --git a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
index b8a206282e35..3fec8ca31c63 100644
--- a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
+++ b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
@@ -3,7 +3,7 @@ id: e173ad47-4388-4012-ae62-bd13f71c18a8
 related:
     - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
       type: similar
-status: experimental
+status: test
 description: |
     Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
     Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
diff --git a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml
index da573abbb40b..a801cacd0b72 100644
--- a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml
@@ -1,6 +1,6 @@
 title: Potentially Suspicious Child Process Of ClickOnce Application
 id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04
-status: experimental
+status: test
 description: Detects potentially suspicious child processes of a ClickOnce deployment application
 references:
     - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
diff --git a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
index c5dc889245ba..1d197418c2ad 100644
--- a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
@@ -1,6 +1,6 @@
 title: DirLister Execution
 id: b4dc61f5-6cce-468e-a608-b48b469feaa2
-status: experimental
+status: test
 description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md
diff --git a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
index c6d0b7d62c7e..09c74587a44a 100644
--- a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
@@ -1,6 +1,6 @@
 title: Dllhost.EXE Execution Anomaly
 id: e7888eb1-13b0-4616-bd99-4bc0c2b054b9
-status: experimental
+status: test
 description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
 references:
     - https://redcanary.com/blog/child-processes/
diff --git a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
index a5d4bc085dae..2c3ec73f7b55 100644
--- a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
@@ -1,6 +1,6 @@
 title: Unusual Child Process of dns.exe
 id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
-status: experimental
+status: test
 description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
 references:
     - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html
diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml
index d3ed4711e5ea..b31f55077c97 100644
--- a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml
@@ -1,6 +1,6 @@
 title: Potential Discovery Activity Via Dnscmd.EXE
 id: b6457d63-d2a2-4e29-859d-4e7affc153d1
-status: experimental
+status: test
 description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
 references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
index 319b155db9ca..04ebdede8727 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
@@ -1,6 +1,6 @@
 title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE
 id: 01c42d3c-242d-4655-85b2-34f1739632f7
-status: experimental
+status: test
 description: Detects usage of Dsacls to grant over permissive permissions
 references:
     - https://ss64.com/nt/dsacls.html
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
index 884b3a8c8607..216376d20b8d 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
@@ -1,6 +1,6 @@
 title: Potential Password Spraying Attempt Using Dsacls.EXE
 id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c
-status: experimental
+status: test
 description: Detects possible password spraying attempts using Dsacls
 references:
     - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
index 5b2b08770117..4c370714e7d1 100644
--- a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
@@ -1,6 +1,6 @@
 title: DumpMinitool Execution
 id: dee0a7a3-f200-4112-a99b-952196d81e42
-status: experimental
+status: test
 description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
 references:
     - https://twitter.com/mrd0x/status/1511415432888131586
diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
index c8fca0f7d6cf..aff50762f353 100644
--- a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
@@ -1,6 +1,6 @@
 title: Suspicious DumpMinitool Execution
 id: eb1c4225-1c23-4241-8dd4-051389fde4ce
-status: experimental
+status: test
 description: Detects suspicious ways to use the "DumpMinitool.exe" binary
 references:
     - https://twitter.com/mrd0x/status/1511415432888131586
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
index 859caea95cf4..d70b253fc87d 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
@@ -1,6 +1,6 @@
 title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
 id: 47e4bab7-c626-47dc-967b-255608c9a920
-status: experimental
+status: test
 description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions
 references:
     - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
index 2c55ce3e6ddc..dd1bd8a91585 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
@@ -1,6 +1,6 @@
 title: Fsutil Behavior Set SymlinkEvaluation
 id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
-status: experimental
+status: test
 description: |
     A symbolic link is a type of file that contains a reference to another file.
     This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
diff --git a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
index 3db20c367de4..e74fcc261f8a 100644
--- a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
+++ b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
@@ -1,6 +1,6 @@
 title: Suspicious Git Clone
 id: aef9d1f1-7396-4e92-a927-4567c7a495c1
-status: experimental
+status: test
 description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
 references:
     - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
diff --git a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
index 89b970ea3921..4163f3cdb7e8 100644
--- a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
@@ -3,7 +3,7 @@ id: 84b1ecf9-6eff-4004-bafb-bae5c0e251b2
 related:
     - id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
       type: derived
-status: experimental
+status: test
 description: Detects potentially suspicious child processes of "GoogleUpdate.exe"
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
diff --git a/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml b/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml
index 8325b2d4ec70..02780e158e00 100644
--- a/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml
@@ -1,6 +1,6 @@
 title: Arbitrary Binary Execution Using GUP Utility
 id: d65aee4d-2292-4cea-b832-83accd6cfa43
-status: experimental
+status: test
 description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
 references:
     - https://twitter.com/nas_bench/status/1535322445439180803
diff --git a/rules/windows/process_creation/proc_creation_win_gup_download.yml b/rules/windows/process_creation/proc_creation_win_gup_download.yml
index 3426777fb8f0..7c6a789e1f01 100644
--- a/rules/windows/process_creation/proc_creation_win_gup_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_gup_download.yml
@@ -1,6 +1,6 @@
 title: File Download Using Notepad++ GUP Utility
 id: 44143844-0631-49ab-97a0-96387d6b2d7c
-status: experimental
+status: test
 description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
 references:
     - https://twitter.com/nas_bench/status/1535322182863179776
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
index 804183f55b01..617660a62a03 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
@@ -1,6 +1,6 @@
 title: Remote CHM File Download/Execution Via HH.EXE
 id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
-status: experimental
+status: test
 description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
 references:
     - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certify.yml b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml
index 66f07058763b..84a39e8dd308 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_certify.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml
@@ -1,6 +1,6 @@
 title: HackTool - Certify Execution
 id: 762f2482-ff21-4970-8939-0aa317a886bb
-status: experimental
+status: test
 description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
 references:
     - https://github.com/GhostPack/Certify
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml
index 5fca2ce7189e..caec8a5de72d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml
@@ -1,6 +1,6 @@
 title: HackTool - Certipy Execution
 id: 6938366d-8954-4ddc-baff-c830b3ba8fcd
-status: experimental
+status: test
 description: Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
 references:
     - https://github.com/ly4k/Certipy
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
index 93d713b1d993..695ef4b2cbfd 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
@@ -3,7 +3,7 @@ id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
 related:
     - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
       type: similar
-status: experimental
+status: test
 description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
 references:
     - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
index 17dc63004f52..f9aed5927b55 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
@@ -3,7 +3,7 @@ id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
 related:
     - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
       type: similar
-status: experimental
+status: test
 description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
 references:
     - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml
index de94b8360152..694d519b72c1 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml
@@ -1,6 +1,6 @@
 title: Potential CobaltStrike Process Patterns
 id: f35c5d71-b489-4e22-a115-f003df287317
-status: experimental
+status: test
 description: Detects potential process patterns related to Cobalt Strike beacon activity
 references:
     - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml
index 5fe7ad342214..369687d93605 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml
@@ -1,6 +1,6 @@
 title: HackTool - CrackMapExec Process Patterns
 id: f26307d8-14cd-47e3-a26b-4b4769f24af6
-status: experimental
+status: test
 description: Detects suspicious process patterns found in logs when CrackMapExec is used
 references:
     - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
index ee89630b60e7..a1a52c01656e 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
@@ -1,6 +1,6 @@
 title: Suspicious Hacktool Execution - Imphash
 id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
-status: experimental
+status: test
 description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
 references:
     - Internal Research
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
index e00829046ab0..b7064edd9122 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
@@ -1,6 +1,6 @@
 title: Suspicious Hacktool Execution - PE Metadata
 id: 37c1333a-a0db-48be-b64b-7393b2386e3b
-status: experimental
+status: test
 description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
 references:
     - https://github.com/cube0x0
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
index eabcb9373eff..c38491eaa66c 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
@@ -1,6 +1,6 @@
 title: HackTool - GMER Rootkit Detector and Remover Execution
 id: 9082ff1f-88ab-4678-a3cc-5bcff99fc74d
-status: experimental
+status: test
 description: Detects the execution GMER tool based on image and hash fields.
 references:
     - http://www.gmer.net/
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
index d51c41ec26bf..c4c8064976ee 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
@@ -1,6 +1,6 @@
 title: HackTool - HandleKatz LSASS Dumper Execution
 id: ca621ba5-54ab-4035-9942-d378e6fcde3c
-status: experimental
+status: test
 description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
 references:
     - https://github.com/codewhitesec/HandleKatz
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
index 64cd45ece083..d69f34f7fd64 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
@@ -1,6 +1,6 @@
 title: HackTool - Htran/NATBypass Execution
 id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
-status: experimental
+status: test
 description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
 references:
     - https://github.com/HiwinCN/HTran
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
index b8c7e3bec6c9..5f1d7cf3b3ca 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
@@ -1,6 +1,6 @@
 title: HackTool - Impersonate Execution
 id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
-status: experimental
+status: test
 description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
 references:
     - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
index c2e1e91cc91e..a8fbcc375124 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
@@ -1,6 +1,6 @@
 title: HackTool - Inveigh Execution
 id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
-status: experimental
+status: test
 description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
 references:
     - https://github.com/Kevin-Robertson/Inveigh
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml
index ec9edd29333a..d16f4c0f7ae6 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml
@@ -1,6 +1,6 @@
 title: HackTool - Jlaive In-Memory Assembly Execution
 id: 0a99eb3e-1617-41bd-b095-13dc767f3def
-status: experimental
+status: test
 description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
 references:
     - https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml
index 6746a5308e2a..61164e308b66 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml
@@ -1,6 +1,6 @@
 title: HackTool - KrbRelay Execution
 id: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4
-status: experimental
+status: test
 description: Detects the use of KrbRelay, a Kerberos relaying tool
 references:
     - https://github.com/cube0x0/KrbRelay
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
index 6f4e18c2cbe1..9d9670d32775 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
@@ -1,6 +1,6 @@
 title: HackTool - KrbRelayUp Execution
 id: 12827a56-61a4-476a-a9cb-f3068f191073
-status: experimental
+status: test
 description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
 references:
     - https://github.com/Dec0ne/KrbRelayUp
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
index 3dd224222cd8..e99a0ef71f95 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
@@ -1,6 +1,6 @@
 title: HackTool - LocalPotato Execution
 id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
-status: experimental
+status: test
 description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
 references:
     - https://www.localpotato.com/localpotato_html/LocalPotato.html
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
index 3dc568dbbb72..743a3b6ef2b2 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
@@ -1,6 +1,6 @@
 title: HackTool - PCHunter Execution
 id: fca949cc-79ca-446e-8064-01aa7e52ece5
-status: experimental
+status: test
 description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
 references:
     - http://www.xuetr.com/
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
index dd4760d869bd..b5a73187499e 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
@@ -1,6 +1,6 @@
 title: HackTool - PowerTool Execution
 id: a34f79a3-8e5f-4cc3-b765-de00695452c2
-status: experimental
+status: test
 description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
 references:
     - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml b/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml
index 15851d9bff28..24ffc8da4d66 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml
@@ -1,6 +1,6 @@
 title: HackTool - Quarks PwDump Execution
 id: 0685b176-c816-4837-8e7b-1216f346636b
-status: experimental
+status: test
 description: Detects usage of the Quarks PwDump tool via commandline arguments
 references:
     - https://github.com/quarkslab/quarkspwdump
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml
index 7826291f5c97..e5518ac0ab97 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml
@@ -1,6 +1,6 @@
 title: HackTool - SafetyKatz Execution
 id: b1876533-4ed5-4a83-90f3-b8645840a413
-status: experimental
+status: test
 description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
 references:
     - https://github.com/GhostPack/SafetyKatz
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml
index 8959f50a90db..598e2f82cdf7 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml
@@ -3,7 +3,7 @@ id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
 related:
     - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
       type: similar
-status: experimental
+status: test
 description: Detects usage of the Sharp Chisel via the commandline arguments
 references:
     - https://github.com/shantanu561993/SharpChisel
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml
index 2646ea730071..edef0dfdd86d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml
@@ -3,7 +3,7 @@ id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
 related:
 - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
 type: similar
-status: experimental
+status: test
 description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
 references:
 - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml
index c7eba3897320..2d3b65c8335b 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml
@@ -1,6 +1,6 @@
 title: HackTool - SharpLDAPmonitor Execution
 id: 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541
-status: experimental
+status: test
 description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
 references:
 - https://github.com/p0dalirius/LDAPmonitor
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
index 3aaf738c7095..3058094de2d5 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
@@ -1,6 +1,6 @@
 title: HackTool - SharPersist Execution
 id: 26488ad0-f9fd-4536-876f-52fea846a2e4
-status: experimental
+status: test
 description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
 references:
 - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml
index b2ad94f1010a..65c57c133654 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml
@@ -3,7 +3,7 @@ id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
 related:
 - id: 49329257-089d-46e6-af37-4afce4290685 # DLL load
 type: similar
-status: experimental
+status: test
 description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
 references:
 - https://github.com/bats3c/EvtMute
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
index 74d93293706f..824ed63e4bb7 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
@@ -1,6 +1,6 @@
 title: HackTool - SharpLdapWhoami Execution
 id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d
-status: experimental
+status: test
 description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
 references:
 - https://github.com/bugch3ck/SharpLdapWhoami
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
index 92acde4c37ab..05f088c62e91 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
@@ -1,6 +1,6 @@
 title: HackTool - SharpUp PrivEsc Tool Execution
 id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
-status: experimental
+status: test
 description: Detects the use of SharpUp, a tool for local privilege escalation
 references:
 - https://github.com/GhostPack/SharpUp
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml
index 1e254e2c0d24..6a0ff8282ec0 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml
@@ -3,7 +3,7 @@ id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
 related:
 - id: dcd74b95-3f36-4ed9-9598-0490951643aa
 type: similar
-status: experimental
+status: test
 description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
 references:
 - https://github.com/tevora-threat/SharpView/
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml b/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml
index ce30b7e46fb3..20f72c3f3b9f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml
@@ -1,6 +1,6 @@
 title: HackTool - Sliver C2 Implant Activity Pattern
 id: 42333b2c-b425-441c-b70e-99404a17170f
-status: experimental
+status: test
 description: Detects process activity patterns as seen being used by Sliver C2 framework implants
 references:
 - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
index 1e2c088a370a..bd889915fe50 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
@@ -1,6 +1,6 @@
 title: HackTool - Stracciatella Execution
 id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539
-status: experimental
+status: test
 description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
 references:
 - https://github.com/mgeeky/Stracciatella
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
index 278fcb649a19..33bc63019543 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
@@ -1,6 +1,6 @@
 title: HackTool - SysmonEOP Execution
 id: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
-status: experimental
+status: test
 description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
 references:
 - https://github.com/Wh04m1001/SysmonEoP
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml b/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml
index 99db403bc253..4b5b5a136662 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml
@@ -1,6 +1,6 @@
 title: HackTool - TruffleSnout Execution
 id: 69ca006d-b9a9-47f5-80ff-ecd4d25d481a
-status: experimental
+status: test
 description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
index 736eb477de81..081c0c219bcf 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
@@ -1,6 +1,6 @@
 title: HackTool - winPEAS Execution
 id: 98b53e78-ebaf-46f8-be06-421aafd176d9
-status: experimental
+status: test
 description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
 references:
 - https://github.com/carlospolop/PEASS-ng
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml b/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml
index 588172b4a00f..3b8781a7e324 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml
@@ -1,6 +1,6 @@
 title: HackTool - Wmiexec Default Powershell Command
 id: 022eaba8-f0bf-4dd9-9217-4604b0bb3bb0
-status: experimental
+status: test
 description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
 references:
 - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
diff --git a/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml b/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml
index dae5610c1d2d..06788d19cae0 100644
--- a/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml
+++ b/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml
@@ -1,6 +1,6 @@
 title: Potential Homoglyph Attack Using Lookalike Characters
 id: 32e280f1-8ad4-46ef-9e80-910657611fbc
-status: experimental
+status: test
 description: |
 Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
index 8158051e9472..92411156ef5d 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
@@ -1,6 +1,6 @@
 title: Disable Windows IIS HTTP Logging
 id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
-status: experimental
+status: test
 description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
index 7487035c8e96..24b8c18b15f5 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml
@@ -1,6 +1,6 @@
 title: Microsoft IIS Service Account Password Dumped
 id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
-status: experimental
+status: test
 description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
 references:
 - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
index b1c60e9fcb42..d51a77ccfd25 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
@@ -1,6 +1,6 @@
 title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd
 id: 7c8af9b2-dcae-41a2-a9db-b28c288b5f08
-status: experimental
+status: test
 description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
 references:
 - https://twitter.com/malmoeb/status/1616702107242971144
diff --git a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml
index 593b33c53d8c..257b4e90bbed 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml
@@ -1,6 +1,6 @@
 title: Microsoft IIS Connection Strings Decryption
 id: 97dbf6e2-e436-44d8-abee-4261b24d3e41
-status: experimental
+status: test
 description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
 references:
 - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
diff --git a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml
index f77f6cafa12f..fcd50fe5470a 100644
--- a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml
@@ -1,6 +1,6 @@
 title: ImagingDevices Unusual Parent/Child Processes
 id: f11f2808-adb4-46c0-802a-8660db50fa99
-status: experimental
+status: test
 description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
 references:
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
diff --git a/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml
index 83caf9a7b09d..a5634bbe8570 100644
--- a/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml
@@ -1,6 +1,6 @@
 title: Suspicious Shells Spawn by Java Utility Keytool
 id: 90fb5e62-ca1f-4e22-b42e-cc521874c938
-status: experimental
+status: test
 description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
 references:
 - https://redcanary.com/blog/intelligence-insights-december-2021
diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
index 9d556c12dc50..4da39b6881c0 100644
--- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
@@ -1,6 +1,6 @@
 title: Suspicious Shells Spawned by Java
 id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
-status: experimental
+status: test
 description: Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)
 author: Andreas Hunkeler (@Karneades), Florian Roth
 date: 2021/12/17
diff --git a/rules/windows/process_creation/proc_creation_win_kd_execution.yml b/rules/windows/process_creation/proc_creation_win_kd_execution.yml
index 6196c0846bab..e9476b6a45e9 100644
--- a/rules/windows/process_creation/proc_creation_win_kd_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_kd_execution.yml
@@ -1,6 +1,6 @@
 title: Windows Kernel Debugger Execution
 id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e
-status: experimental
+status: test
 description: Detects execution of the Windows Kernel Debugger "kd.exe".
 references:
 - Internal Research
diff --git a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml
index f135e827e714..a809225e2115 100644
--- a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml
+++ b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml
@@ -1,6 +1,6 @@
 title: Computer Password Change Via Ksetup.EXE
 id: de16d92c-c446-4d53-8938-10aeef41c8b6
-status: experimental
+status: test
 description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
 references:
 - https://twitter.com/Oddvarmoe/status/1641712700605513729
diff --git a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml
index 1aafe059d0ef..1a38722e51aa 100644
--- a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml
@@ -1,6 +1,6 @@
 title: Logged-On User Password Change Via Ksetup.EXE
 id: c9783e20-4793-4164-ba96-d9ee483992c4
-status: experimental
+status: test
 description: Detects password change for the logged-on user's via "ksetup.exe"
 references:
 - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_export.yml b/rules/windows/process_creation/proc_creation_win_ldifde_export.yml
index 258c699c309b..ebdacd3efa28 100644
--- a/rules/windows/process_creation/proc_creation_win_ldifde_export.yml
+++ b/rules/windows/process_creation/proc_creation_win_ldifde_export.yml
@@ -1,6 +1,6 @@
 title: Active Directory Structure Export Via Ldifde.EXE
 id: 4f7a6757-ff79-46db-9687-66501a02d9ec
-status: experimental
+status: test
 description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
 references:
 - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
index b4692b468be5..619b66d979f0 100644
--- a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
@@ -1,6 +1,6 @@
 title: Import LDAP Data Interchange Format File Via Ldifde.EXE
 id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
-status: experimental
+status: test
 description: |
 Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml
index 44ab5aaf4039..216d599c982c 100644
--- a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml
+++ b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml
@@ -1,6 +1,6 @@
 title: Rebuild Performance Counter Values Via Lodctr.EXE
 id: cc9d3712-6310-4320-b2df-7cb408274d53
-status: experimental
+status: test
 description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
 references:
 - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
index 41509fdacb00..6bd179fffe1f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml
@@ -1,6 +1,6 @@
 title: Using AppVLP To Circumvent ASR File Path Rule
 id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
-status: experimental
+status: test
 description: |
 Application Virtualization Utility is included with Microsoft Office. We are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml b/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml
index 1640f883c46f..baa4e6019c5d 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml
@@ -1,6 +1,6 @@
 title: Lolbin Defaultpack.exe Use As Proxy
 id: b2309017-4235-44fe-b5af-b15363011957
-status: experimental
+status: test
 description: Detect usage of the "defaultpack.exe" binary as a proxy to launch other programs
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml b/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml
index b4b668dcde40..a6a8303deb10 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml
@@ -1,6 +1,6 @@
 title: Process Memory Dump Via Dotnet-Dump
 id: 53d8d3e1-ca33-4012-adf3-e05a4d652e34
-status: experimental
+status: test
 description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS
 references:
 - https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
index 208bbcd91111..36d81aad8ca8 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
@@ -1,6 +1,6 @@
 title: Gpscript Execution
 id: 1e59c230-6670-45bf-83b0-98903780607e
-status: experimental
+status: test
 description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
 references:
 - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml
index c4f5df0671a1..0fd864f71874 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml
@@ -1,6 +1,6 @@
 title: Arbitrary File Download Via MSPUB.EXE
 id: 3b3c7f55-f771-4dd6-8a6e-08d057a17caf
-status: experimental
+status: test
 description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
index c4cee55c99b1..0c064e3b462b 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
@@ -3,7 +3,7 @@ id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2
 related:
 - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
 type: obsoletes
-status: experimental
+status: test
 description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
index 00bfdeb26e5f..141c60a9eab3 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml
@@ -1,6 +1,6 @@
 title: File Download Using ProtocolHandler.exe
 id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
-status: experimental
+status: test
 description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
index 59ea8ff46b6d..5395baa2c041 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
@@ -1,6 +1,6 @@
 title: Lolbin Runexehelper Use As Proxy
 id: cd71385d-fd9b-4691-9b98-2b1f7e508714
-status: experimental
+status: test
 description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
 references:
 - https://twitter.com/0gtweet/status/1206692239839289344
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml b/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml
index 84147ef26b58..f1ab31f75266 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml
@@ -3,7 +3,7 @@ id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
 related:
 - id: fa4b21c9-0057-4493-b289-2556416ae4d7
 type: obsoletes
-status: experimental
+status: test
 description: Detects the usage of the "Squirrel.exe" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.)
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
index 8ac6873e338c..b0e2c0d1822d 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
@@ -1,6 +1,6 @@
 title: Lolbin Ssh.exe Use As Proxy
 id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
-status: experimental
+status: test
 description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ssh/
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
index 36ca90da1fd4..77d8793a8d91 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
@@ -1,6 +1,6 @@
 title: Lolbin Unregmp2.exe Use As Proxy
 id: 727454c0-d851-48b0-8b89-385611ab0704
-status: experimental
+status: test
 description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
diff --git a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
index d1c6e2f00684..b8a802661718 100644
--- a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
@@ -1,6 +1,6 @@
 title: Potential Suspicious Mofcomp Execution
 id: 1dd05363-104e-4b4a-b963-196a534b03a1
-status: experimental
+status: test
 description: |
 Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml b/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
index 430eb17ec1da..7c9f17a20174 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
@@ -1,6 +1,6 @@
 title: Potential Arbitrary Command Execution Using Msdt.EXE
 id: 258fc8ce-8352-443a-9120-8a11e4857fa5
-status: experimental
+status: test
 description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
index b42e03f9fb7e..a0324731c6ea 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
@@ -3,7 +3,7 @@ id: dc4576d4-7467-424f-9eee-fd2b02855fe0
 related:
 - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
 type: obsoletes
-status: experimental
+status: test
 description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
 references:
 - https://twitter.com/nas_bench/status/1537896324837781506
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
index 48fa77d0454f..26dd9b3173bf 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
@@ -1,6 +1,6 @@
 title: Suspicious MSDT Parent Process
 id: 7a74da6b-ea76-47db-92cc-874ad90df734
-status: experimental
+status: test
 description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_http.yml b/rules/windows/process_creation/proc_creation_win_mshta_http.yml
index 5c39cfcb361d..4616880dbcbf 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_http.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_http.yml
@@ -1,6 +1,6 @@ title: Remotely Hosted HTA File Executed Via Mshta.EXE id: b98d0db6-511d-45de-ad02-e82a98729620 -status: experimental +status: test description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file references: - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html diff --git a/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml b/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml index 4d24a13ae305..590edb8d3639 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml @@ -1,6 +1,6 @@ title: Wscript Shell Run In CommandLine id: 2c28c248-7f50-417a-9186-a85b223010ee -status: experimental +status: test description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity references: - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml index e50506d33660..1f3c6e7fe16e 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml @@ -1,6 +1,6 @@ title: Suspicious Mshta.EXE Execution Patterns id: e32f92d1-523e-49c3-9374-bdb13b46a3ba -status: experimental +status: test description: Detects suspicious mshta process execution patterns references: - https://en.wikipedia.org/wiki/HTML_Application 
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml index e8acd7b8672e..ef35f355ea8b 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml @@ -1,6 +1,6 @@ title: DllUnregisterServer Function Call Via Msiexec.EXE id: 84f52741-8834-4a8c-a413-2eb2269aa6c8 -status: experimental +status: test description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml index f32368aa646f..f2681ce47ad8 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml @@ -1,6 +1,6 @@ title: Msiexec Quiet Installation id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5 -status: experimental +status: test description: | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml index 5ce66281fd56..958be5ee45e0 100644 --- a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml +++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml 
@@ -1,6 +1,6 @@
 title: Potential Process Injection Via Msra.EXE
 id: 744a188b-0415-4792-896f-11ddb0588dbc
-status: experimental
+status: test
 description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
 references:
 - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
index 4114b891d665..655d78fde1e3 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
@@ -3,7 +3,7 @@ id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
 related:
 - id: 344482e4-a477-436c-aa70-7536d18a48c7
 type: obsoletes
-status: experimental
+status: test
 description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
 author: FPT.EagleEye Team, wagga
 date: 2020/12/11
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
index ca24ec639b3d..6b1139af9f21 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
@@ -3,7 +3,7 @@ id: d55b793d-f847-4eea-b59a-5ab09908ac90 related: - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445 type: similar -status: experimental +status: test description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection. references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml index 96dfaa21555c..92a0f6ba0f86 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml @@ -1,6 +1,6 @@ title: New Remote Desktop Connection Initiated Via Mstsc.EXE id: 954f0af7-62dd-418f-b3df-a84bc2c7a774 -status: experimental +status: test description: | Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml index 42b946752dee..f3bcbfeeb4e1 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml @@ -1,6 +1,6 @@ title: Mstsc.EXE Execution With Local RDP File id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af -status: experimental +status: test description: Detects potential RDP connection via Mstsc using a local ".rdp" file references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ 
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
index f1baf59d25e1..0b064545d4fe 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
@@ -1,6 +1,6 @@
 title: Suspicious Mstsc.EXE Execution With Local RDP File
 id: 6e22722b-dfb1-4508-a911-49ac840b40f8
-status: experimental
+status: test
 description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
 references:
 - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
index 9a48f8a15968..cb1c7ff8d594 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
@@ -1,6 +1,6 @@
 title: Mstsc.EXE Execution From Uncommon Parent
 id: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6
-status: experimental
+status: test
 description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
 references:
 - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
index fe0f3401ee51..0404696f9d5a 100644
--- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
@@ -1,6 +1,6 @@
 title: Suspicious Manipulation Of Default Accounts Via Net.EXE
 id: 5b768e71-86f2-4879-b448-81061cbae951
-status: experimental
+status: test
 description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
 references:
 - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
diff --git a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
index 86e91dce1a22..8728eb9deef7 100644
--- a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
@@ -1,6 +1,6 @@
 title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
 id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
-status: experimental
+status: test
 description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
 references:
 - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
diff --git a/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml b/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml
index af802b7c916b..acf870c8266c 100644
--- a/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml
@@ -1,6 +1,6 @@
 title: System Network Connections Discovery Via Net.EXE
 id: 1c67a717-32ba-409b-a45d-0fb704a73a81
-status: experimental
+status: test
 description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
diff --git a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
index 1699ed5fe060..fd74e1d76d64 100644
--- a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
@@ -3,7 +3,7 @@ id: 88872991-7445-4a22-90b2-a3adadb0e827
 related:
 - id: eb87818d-db5d-49cc-a987-d5da331fbd90
 type: obsoletes
-status: experimental
+status: test
 description: Detects the stopping of a Windows service
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/03/05
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
index faa499941d14..2e72dfd99f8b 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
@@ -3,7 +3,7 @@ id: f117933c-980c-4f78-b384-e3d838111165
 related:
 - id: 3abd6094-7027-475f-9630-8ab9be7b9725
 type: similar
-status: experimental
+status: test
 description: Detects when a share is mounted using the "net.exe" utility
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
index 55c851fbd2e4..212f8964352c 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
@@ -1,6 +1,6 @@
 title: Firewall Rule Deleted Via Netsh.EXE
 id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
-status: experimental
+status: test
 description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
 references:
 - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml
index b31de7b8d165..fdf32e9f9aa3 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml
@@ -1,6 +1,6 @@
 title: Suspicious Firewall Configuration Discovery Via Netsh.EXE
 id: 0e4164da-94bc-450d-a7be-a4b176179f1f
-status: experimental
+status: test
 description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
diff --git a/rules/windows/process_creation/proc_creation_win_nltest_execution.yml b/rules/windows/process_creation/proc_creation_win_nltest_execution.yml
index 0d96a410528b..ab92fb09f731 100644
--- a/rules/windows/process_creation/proc_creation_win_nltest_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_nltest_execution.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
 type: obsoletes
-status: experimental
+status: test
 description: Detects nltest commands that can be used for information discovery
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
diff --git a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
index 5bb122233812..28089bffb574 100644
--- a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 - id: 77815820-246c-47b8-9741-e0def3f57308
 type: obsoletes
-status: experimental
+status: test
 description: Detects nltest commands that can be used for information discovery
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
diff --git a/rules/windows/process_creation/proc_creation_win_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_abuse.yml
index 7c3c47414b6a..d5de0328435c 100644
--- a/rules/windows/process_creation/proc_creation_win_node_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_node_abuse.yml
@@ -1,6 +1,6 @@
 title: Potential Arbitrary Code Execution Via Node.EXE
 id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
-status: experimental
+status: test
 description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
 references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml
index 87209a5ad146..21a46d9cee65 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml
@@ -3,7 +3,7 @@ id: 3f5491e2-8db8-496b-9e95-1029fce852d4
 related:
 - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729
 type: similar
-status: experimental
+status: test
 description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml
index 301b86713312..0cc790e45eb7 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml
@@ -3,7 +3,7 @@ id: cb0fe7c5-f3a3-484d-aa25-d350a7912729
 related:
 - id: 3f5491e2-8db8-496b-9e95-1029fce852d4
 type: derived
-status: experimental
+status: test
 description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
index 8ec5dee90e7a..04cd26a89cdb 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
@@ -1,6 +1,6 @@
 title: Odbcconf.EXE Suspicious DLL Location
 id: 6b65c28e-11f3-46cb-902a-68f2cafaf474
-status: experimental
+status: test
 description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
 references:
 - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml
index 48340151f014..3e49b8e29754 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml
@@ -3,7 +3,7 @@ id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
 related:
 - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
 type: similar
-status: experimental
+status: test
 description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
 references:
 - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
index 0440dd860af2..37973aa0b86c 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
@@ -3,7 +3,7 @@ id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
 related:
 - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
 type: derived
-status: experimental
+status: test
 description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
 references:
 - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
index e212750eef12..6f5416ea95c3 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
 type: obsoletes
-status: experimental
+status: test
 description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
 references:
 - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml
index a853b9c70982..b49b496dec63 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml
@@ -5,7 +5,7 @@ related:
 type: derived
 - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
 type: obsoletes
-status: experimental
+status: test
 description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
 references:
 - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml
index cf2b81b8f77e..7259f168abc1 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml
@@ -1,6 +1,6 @@
 title: Uncommon Child Process Spawned By Odbcconf.EXE
 id: 8e3c7994-131e-4ba5-b6ea-804d49113a26
-status: experimental
+status: test
 description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
 references:
 - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
diff --git a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
index 8f093751a202..d903fa06b397 100644
--- a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
@@ -3,7 +3,7 @@ id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
 related:
 - id: 0c79148b-118e-472b-bdb7-9b57b444cc19
 type: obsoletes
-status: experimental
+status: test
 description: Detects potential arbitrary file download using a Microsoft Office application
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
diff --git a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml
index 12421a51aee3..33e616656f66 100644
--- a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml
@@ -3,7 +3,7 @@ id: c27515df-97a9-4162-8a60-dc0eeb51b775
 related:
 - id: 438025f9-5856-4663-83f7-52f878a70a50 # Generic rule for suspicious office application child processes
 type: derived
-status: experimental
+status: test
 description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
 references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
diff --git a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
index da5f01b25252..0de29ed4b39e 100644
--- a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
@@ -1,6 +1,6 @@
 title: Suspicious Binary In User Directory Spawned From Office Application
 id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
-status: experimental
+status: test
 description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
 references:
 - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
diff --git a/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml b/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml
index 7f3dfeddd300..c9afa8272628 100644
--- a/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml
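Review bot: The `description` of the rule titled `Mstsc.EXE Execution From Uncommon Parent` (id ff3b6b39-…) is byte-identical to the preceding rule's text about a file "located in suspicious locations", so it documents the wrong condition for the rule it sits in; promotion to `test` is the moment to fix that rather than carry it forward. A wording that matches the title would be `description: Detects potential RDP connection via Mstsc using a local ".rdp" file, where Mstsc.exe is spawned by an uncommon parent process.` — the exact parent condition should be taken from the rule's `detection` block, which is outside this hunk and cannot be checked here. The filename's `rpd_file` spelling is a separate cosmetic issue and would need a rename rather than an edit.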
@@ -1,6 +1,6 @@ title: Suspicious New Instance Of An Office COM Object id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28 -status: experimental +status: test description: | Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references) diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml index 5504ade3c2cf..f73876bf2b59 100644 --- a/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml @@ -3,7 +3,7 @@ id: d679950c-abb7-43a6-80fb-2a480c4fc450 related: - id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184 type: similar -status: experimental +status: test description: Detect use of PDQ Deploy remote admin tool references: - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md diff --git a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml index dbed9f99dde3..6c5a1cd82a5a 100644 --- a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml @@ -1,6 +1,6 @@ title: Perl Inline Command Execution id: f426547a-e0f7-441a-b63e-854ac5bdf54d -status: experimental +status: test description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code. references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet 
diff --git a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml index ae425450b99f..a13cb74d93a7 100644 --- a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml @@ -1,6 +1,6 @@ title: Php Inline Command Execution id: d81871ef-5738-47ab-9797-7a9c90cd4bfb -status: experimental +status: test description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code. references: - https://www.php.net/manual/en/features.commandline.php diff --git a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml index 796d5fe48d07..90041f383380 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml @@ -3,7 +3,7 @@ id: c86500e9-a645-4680-98d7-f882c70c1ea3 related: - id: 91e69562-2426-42ce-a647-711b8152ced6 type: similar -status: experimental +status: test description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. references: - https://o365blog.com/aadinternals/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml index a0fe35c9f53c..5cbfd28a7ea8 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml 
+++ b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml @@ -5,7 +5,7 @@ related: type: similar - id: 74176142-4684-4d8a-8b0a-713257e7df8e type: similar -status: experimental +status: test description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration. references: - https://github.com/samratashok/ADModule diff --git a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml index 7767ae283271..473f05fa1494 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml @@ -3,7 +3,7 @@ id: b36d01a3-ddaf-4804-be18-18a6247adfcd related: - id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429 type: similar -status: experimental +status: test description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. references: - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml index e751c0e37de3..2efc33ed96f1 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml 
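Review bot: The `description` in the `active_directory_module_dll_import` hunk names the module as `Microsoft.ActiveDirectory.Management.dl`, which is not the file name of the AD PowerShell module assembly (`Microsoft.ActiveDirectory.Management.dll`); a rule leaving `experimental` should name the artefact correctly so analysts can pivot on it. Suggested line: `description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL. Which is often used by attackers to perform AD enumeration.` Whether the `detection` block uses the same truncated string cannot be confirmed from this hunk, since it lies outside the visible lines; if it does, a `contains`-style match would still fire on the full name, but it is worth checking at the same time.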
@@ -3,7 +3,7 @@ id: 92a974db-ab84-457f-9ec0-55db83d7a825 related: - id: fa2559c8-1197-471d-9cdd-05a0273d4522 type: similar -status: experimental +status: test description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities references: - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml index 6c0c147782cf..01cbda7786d6 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml @@ -1,6 +1,6 @@ title: Powershell Base64 Encoded MpPreference Cmdlet id: c6fb44c6-71f5-49e6-9462-1425d328aee3 -status: experimental +status: test description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV references: - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml index 21f19606f1e3..45295f7daa1d 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml 
@@ -3,7 +3,7 @@ id: 1816994b-42e1-4fb1-afd2-134d88184f71
 related:
     - id: 47688f1b-9f51-4656-b013-3cc49a166a36
       type: obsoletes
-status: experimental
+status: test
 description: Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc.
 references:
     - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml b/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml
index 234522a84972..8d76e7d5548a 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml
@@ -1,6 +1,6 @@
 title: Gzip Archive Decode Via PowerShell
 id: 98767d61-b2e8-4d71-b661-e36783ee24c1
-status: experimental
+status: test
 description: Detects attempts of decoding encoded Gzip archives via PowerShell.
 references:
     - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
index 551845bcd014..590ae4622845 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
@@ -1,6 +1,6 @@
 title: PowerShell Execution With Potential Decryption Capabilities
 id: 434c08ba-8406-4d15-8b24-782cb071a691
-status: experimental
+status: test
 description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
 references:
     - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
index b8d1e8ddc230..2440573e39c3 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
@@ -3,7 +3,7 @@ id: 12f6b752-042d-483e-bf9c-915a6d06ad75
 related:
     - id: 488b44e7-3781-4a71-888d-c95abfacf44d
       type: similar
-status: experimental
+status: test
 description: Detects attempts to disable the Windows Firewall using PowerShell
 references:
     - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
index bc0c57874be6..685f4897c36c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
@@ -3,7 +3,7 @@ id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
 related:
     - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
       type: similar
-status: experimental
+status: test
 description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
 references:
     - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
index f62086100833..030a7abc0f00 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
@@ -1,6 +1,6 @@
 title: PowerShell Web Download
 id: 6e897651-f157-4d8f-aaeb-df8151488385
-status: experimental
+status: test
 description: Detects suspicious ways to download files or content using PowerShell
 references:
     - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
index 39bcefd1991d..a10e8c9e92a7 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
@@ -1,6 +1,6 @@
 title: Potential DLL File Download Via PowerShell Invoke-WebRequest
 id: 0f0450f3-8b47-441e-a31b-15a91dc243e2
-status: experimental
+status: test
 description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
 references:
     - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
index a792c5e754dc..e129a0565af3 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
@@ -1,6 +1,6 @@
 title: PowerShell Download and Execution Cradles
 id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
-status: experimental
+status: test
 description: Detects PowerShell download and execution cradles.
 references:
     - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
index 2cab5dfc39d8..efaf862a356e 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
@@ -3,7 +3,7 @@ id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
 related:
     - id: 55c925c1-7195-426b-a136-a9396800e29b
       type: similar
-status: experimental
+status: test
 description: |
     Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
     Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encode.yml b/rules/windows/process_creation/proc_creation_win_powershell_encode.yml
index 72dcd5a32c08..cdd82e75f6f0 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_encode.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_encode.yml
@@ -1,6 +1,6 @@
 title: Suspicious Execution of Powershell with Base64
 id: fb843269-508c-4b76-8b8d-88679db22ce7
-status: experimental
+status: test
 description: Commandline to launch powershell with a base64 payload
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml
index 73899bb5ffca..6fe238666df8 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml
@@ -1,6 +1,6 @@
 title: Suspicious PowerShell Encoded Command Patterns
 id: b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c
-status: experimental
+status: test
 description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
 references:
     - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml
index 2e5b5e0d031d..d40b11730c75 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml
@@ -1,6 +1,6 @@
 title: Suspicious Obfuscated PowerShell Code
 id: 8d01b53f-456f-48ee-90f6-bc28e67d4e35
-status: experimental
+status: test
 description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
 references:
     - https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
index 93be2928fd46..a3f8f4a2c52f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
@@ -1,6 +1,6 @@
 title: Powershell Inline Execution From A File
 id: ee218c12-627a-4d27-9e30-d6fb2fe22ed2
-status: experimental
+status: test
 description: Detects inline execution of PowerShell code from a file
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
index 0ad8ddbc4a52..9f158a8ba814 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
@@ -3,7 +3,7 @@ id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
 related:
     - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
       type: similar
-status: experimental
+status: test
 description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
 references:
     - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
index 3d3dc52ea151..2561e26815fe 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
@@ -3,7 +3,7 @@ id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
 related:
     - id: df69cb1d-b891-4cd9-90c7-d617d90100ce
       type: similar
-status: experimental
+status: test
 description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
index dd3d5918a21b..402733ae58cf 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
@@ -1,6 +1,6 @@
 title: Root Certificate Installed From Susp Locations
 id: 5f6a601c-2ecb-498b-9c33-660362323afa
-status: experimental
+status: test
 description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
 references:
     - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
index b7d5035ebc23..329fecd61117 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
@@ -3,7 +3,7 @@ id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
 related:
     - id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
       type: similar
-status: experimental
+status: test
 description: Detects powershell scripts that import modules from suspicious directories
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
index 7ec726db5439..8525e42073b5 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
@@ -3,7 +3,7 @@ id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
 related:
     - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
       type: similar
-status: experimental
+status: test
 description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
 references:
     - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
index 79cce4ba63a1..3a676d2ea522 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
       type: similar
-status: experimental
+status: test
 description: Detects suspicious PowerShell invocation command parameters
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/05
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
index 96e512c03e27..1ba2ad951146 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
@@ -1,6 +1,6 @@
 title: Suspicious Invoke-WebRequest Execution With DirectIP
 id: 1edff897-9146-48d2-9066-52e8d8f80a2f
-status: experimental
+status: test
 description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
 references:
     - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
index bf6cc03c811e..f9604ea97e05 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
@@ -3,7 +3,7 @@ id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
 related:
     - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
       type: derived
-status: experimental
+status: test
 description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
 references:
     - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
index be865cd0bfbc..ab5996e33ae5 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
@@ -5,7 +5,7 @@ related:
       type: derived
     - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
       type: similar
-status: experimental
+status: test
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 references:
     - https://adsecurity.org/?p=2921
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
index bcf32e0a242d..5c2534ff00fa 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
@@ -1,6 +1,6 @@
 title: Service StartupType Change Via PowerShell Set-Service
 id: 62b20d44-1546-4e61-afce-8e175eb9473c
-status: experimental
+status: test
 description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
 references:
     - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
index da3e26906a42..b045fe33b598 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
@@ -5,7 +5,7 @@ related:
       type: derived
     - id: c1337eb8-921a-4b59-855b-4ba188ddcc42
       type: similar
-status: experimental
+status: test
 description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
index 64c0f98a24b4..69225edada9b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
@@ -1,6 +1,6 @@
 title: Exchange PowerShell Snap-Ins Usage
 id: 25676e10-2121-446e-80a4-71ff8506af47
-status: experimental
+status: test
 description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
 references:
     - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml
index 09292748704f..0ffc735fa499 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml
@@ -3,7 +3,7 @@ id: c49c5062-0966-4170-9efd-9968c913a6cf
 related:
     - id: eb87818d-db5d-49cc-a987-d5da331fbd90
       type: obsoletes
-status: experimental
+status: test
 description: Detects the stopping of a Windows service
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/03/05
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
index 62b0471b5f56..dbf7baf8eee9 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
@@ -1,6 +1,6 @@
 title: Potentially Suspicious PowerShell Child Processes
 id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
-status: experimental
+status: test
 description: Detects potentially suspicious child processes spawned by PowerShell
 references:
     - https://twitter.com/ankit_anubhav/status/1518835408502620162
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
index 89c496f8517a..a1aceed79cbc 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
@@ -3,7 +3,7 @@ id: deb9b646-a508-44ee-b7c9-d8965921c6b6
 related:
     - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
       type: similar
-status: experimental
+status: test
 description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
 references:
     - https://github.com/danielbohannon/Invoke-Obfuscation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml
index 4523382b21d8..be33964e4b11 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml
@@ -1,6 +1,6 @@
 title: Net WebClient Casing Anomalies
 id: c86133ad-4725-4bd0-8170-210788e0a7ba
-status: experimental
+status: test
 description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
 references:
     - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
index 4c039671b2c4..7b47c7d7e4b8 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
@@ -3,7 +3,7 @@ id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
 related:
     - id: 504d63cb-0dba-4d02-8531-e72981aace2c
       type: similar
-status: experimental
+status: test
 description: Detect use of X509Enrollment
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
diff --git a/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml
index 88c4ed5a5991..04638f9f92c1 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml
@@ -1,6 +1,6 @@
 title: PUA - 3Proxy Execution
 id: f38a82d2-fba3-4781-b549-525efbec8506
-status: experimental
+status: test
 description: Detects the use of 3proxy, a tiny free proxy server
 references:
     - https://github.com/3proxy/3proxy
diff --git a/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml b/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
index c681ebe74b47..7a7a6952cde6 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
@@ -3,7 +3,7 @@ id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
 related:
     - id: 9a132afa-654e-11eb-ae93-0242ac130002
       type: similar
-status: experimental
+status: test
 description: Detects active directory enumeration activity using known AdFind CLI flags
 references:
     - https://www.joeware.net/freetools/tools/adfind/
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml b/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
index 7761afbeabcf..d04c5ee1039e 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
@@ -1,6 +1,6 @@
 title: PUA - Advanced IP Scanner Execution
 id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
-status: experimental
+status: test
 description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
 references:
     - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml b/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
index 182ee27e39da..a35ff4a83fb3 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
@@ -1,6 +1,6 @@
 title: PUA - Advanced Port Scanner Execution
 id: 54773c5f-f1cc-4703-9126-2f797d96a69d
-status: experimental
+status: test
 description: Detects the use of Advanced Port Scanner.
 references:
     - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
index 46de677f38f6..af649249af9a 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
@@ -3,7 +3,7 @@ id: d2b749ee-4225-417e-b20e-a8d2193cbb84
 related:
     - id: fa00b701-44c6-4679-994d-5a18afa8a707
       type: similar
-status: experimental
+status: test
 description: Detects the execution of AdvancedRun utility
 references:
     - https://twitter.com/splinter_code/status/1483815103279603714
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
index aa7251a2f0d7..f285dcdb8a94 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
@@ -3,7 +3,7 @@ id: fa00b701-44c6-4679-994d-5a18afa8a707
 related:
     - id: d2b749ee-4225-417e-b20e-a8d2193cbb84
       type: similar
-status: experimental
+status: test
 description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
 references:
     - https://twitter.com/splinter_code/status/1483815103279603714
diff --git a/rules/windows/process_creation/proc_creation_win_pua_chisel.yml b/rules/windows/process_creation/proc_creation_win_pua_chisel.yml
index 658f1bac65a1..d4b04ca3177f 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_chisel.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_chisel.yml
@@ -3,7 +3,7 @@ id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
 related:
     - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
       type: similar
-status: experimental
+status: test
 description: Detects usage of the Chisel tunneling tool via the commandline arguments
 references:
     - https://github.com/jpillora/chisel/
diff --git a/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml b/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
index fba27cc49588..d2289e8431dd 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
@@ -1,6 +1,6 @@
 title: PUA - CleanWipe Execution
 id: f44800ac-38ec-471f-936e-3fa7d9c53100
-status: experimental
+status: test
 description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
 references:
     - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
diff --git a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
index dde52fca85b3..5af7f9b90aaa 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
@@ -1,6 +1,6 @@
 title: PUA - Crassus Execution
 id: 2c32b543-1058-4808-91c6-5b31b8bed6c5
-status: experimental
+status: test
 description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
 references:
     - https://github.com/vu-ls/Crassus
diff --git a/rules/windows/process_creation/proc_creation_win_pua_csexec.yml b/rules/windows/process_creation/proc_creation_win_pua_csexec.yml
index 236449fb27ac..a9398da0fa9e 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_csexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_csexec.yml
@@ -1,6 +1,6 @@
 title: PUA - CsExec Execution
 id: d08a2711-ee8b-4323-bdec-b7d85e892b31
-status: experimental
+status: test
 description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
 references:
     - https://github.com/malcomvetter/CSExec
diff --git a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
index 0564835a2ffe..5bed99cfbf5a 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
@@ -1,6 +1,6 @@
 title: PUA - DefenderCheck Execution
 id: f0ca6c24-3225-47d5-b1f5-352bf07ecfa7
-status: experimental
+status: test
 description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
 references:
     - https://github.com/matterpreter/DefenderCheck
diff --git a/rules/windows/process_creation/proc_creation_win_pua_frp.yml b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
index 9426e44bcb98..9b809012f8e7 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_frp.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
@@ -1,6 +1,6 @@
 title: PUA - Fast Reverse Proxy (FRP) Execution
 id: 32410e29-5f94-4568-b6a3-d91a8adad863
-status: experimental
+status: test
 description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
 references:
     - https://asec.ahnlab.com/en/38156/
diff --git a/rules/windows/process_creation/proc_creation_win_pua_iox.yml b/rules/windows/process_creation/proc_creation_win_pua_iox.yml
index 72972052ebf6..5fb2df51bd77 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_iox.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_iox.yml
@@ -1,6 +1,6 @@
 title: PUA- IOX Tunneling Tool Execution
 id: d7654f02-e04b-4934-9838-65c46f187ebc
-status: experimental
+status: test
 description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
 references:
     - https://github.com/EddieIvan01/iox
diff --git a/rules/windows/process_creation/proc_creation_win_pua_netcat.yml b/rules/windows/process_creation/proc_creation_win_pua_netcat.yml
index 5fc57befaf33..dc857162653f 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_netcat.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_netcat.yml
@@ -1,6 +1,6 @@
 title: PUA - Netcat Suspicious Execution
 id: e31033fc-33f0-4020-9a16-faf9b31cbf08
-status: experimental
+status: test
 description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
 references:
     - https://nmap.org/ncat/
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
index 55706f147da6..fd61809361f9 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
@@ -1,6 +1,6 @@
 title: PUA - Nimgrab Execution
 id: 74a12f18-505c-4114-8d0b-8448dd5485c6
-status: experimental
+status: test
 description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml b/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml
index 6f9f5efcf31a..b4a321a2cf31 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml
@@ -1,6 +1,6 @@
 title: PUA - NirCmd Execution
 id: 4e2ed651-1906-4a59-a78a-18220fca1b22
-status: experimental
+status: test
 description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
 references:
     - https://www.nirsoft.net/utils/nircmd.html
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nps.yml b/rules/windows/process_creation/proc_creation_win_pua_nps.yml
index 1e2bad0cc11b..1a5550ff492c 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nps.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nps.yml
@@ -1,6 +1,6 @@
 title: PUA - NPS Tunneling Tool Execution
 id: 68d37776-61db-42f5-bf54-27e87072d17e
-status: experimental
+status: test
 description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
 references:
     - https://github.com/ehang-io/nps
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
index 8caff78c942a..390bb712b581 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
@@ -1,6 +1,6 @@
 title: PUA - NSudo Execution
 id: 771d1eb5-9587-4568-95fb-9ec44153a012
-status: experimental
+status: test
 description: Detects the use of NSudo tool for command execution
 references:
 - https://nsudo.m2team.org/en-us/
diff --git a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
index be5017f7500f..cc355a187c23 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
@@ -3,7 +3,7 @@ id: 811e0002-b13b-4a15-9d00-a613fce66e42
 related:
 - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
 type: similar
-status: experimental
+status: test
 description: Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors regularly abuse it to manipulate system processes.
 references:
 - https://processhacker.sourceforge.io/
diff --git a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
index 3978ecc24dc2..c299fb6008e0 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
@@ -1,6 +1,6 @@
 title: PUA - Potential PE Metadata Tamper Using Rcedit
 id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
-status: experimental
+status: test
 description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
 references:
 - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
diff --git a/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml
index 2e470202ffe9..b61912e1b913 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml
@@ -5,7 +5,7 @@ related:
 type: obsoletes
 - id: cb7286ba-f207-44ab-b9e6-760d82b84253
 type: obsoletes
-status: experimental
+status: test
 description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
 references:
 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
diff --git a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
index 6432783ae4e6..84559cbd2c81 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
@@ -1,6 +1,6 @@
 title: PUA - Seatbelt Execution
 id: 38646daa-e78f-4ace-9de0-55547b2d30da
-status: experimental
+status: test
 description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
 references:
 - https://github.com/GhostPack/Seatbelt
diff --git a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
index ebe83fdc6724..3aaa59f44c5c 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
@@ -3,7 +3,7 @@ id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
 related:
 - id: 811e0002-b13b-4a15-9d00-a613fce66e42
 type: similar
-status: experimental
+status: test
 description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
 references:
 - https://github.com/winsiderss/systeminformer
diff --git a/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
index 838d2b80d947..b08f5847cb4c 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
@@ -1,6 +1,6 @@
 title: PUA - WebBrowserPassView Execution
 id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513
-status: experimental
+status: test
 description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
diff --git a/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml
index 6149712cfeef..e42b3d262233 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml
@@ -1,6 +1,6 @@
 title: PUA - Wsudo Suspicious Execution
 id: bdeeabc9-ff2a-4a51-be59-bb253aac7891
-status: experimental
+status: test
 description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
 references:
 - https://github.com/M2Team/Privexec/
diff --git a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
index 799db7a3ccd4..03929b66077c 100644
--- a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
@@ -1,6 +1,6 @@
 title: Python Inline Command Execution
 id: 899133d5-4d7c-4a7f-94ee-27355c879d90
-status: experimental
+status: test
 description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
 references:
 - https://docs.python.org/3/using/cmdline.html#cmdoption-c
diff --git a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
index 6b8b2b605a8c..e7928dd1f20c 100644
--- a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
+++ b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
@@ -1,6 +1,6 @@
 title: Query Usage To Exfil Data
 id: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2
-status: experimental
+status: test
 description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
 references:
 - https://twitter.com/MichalKoczwara/status/1553634816016498688
diff --git a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml
index a92d678de5c7..9c45be61b1ca 100644
--- a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml
+++ b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml
@@ -1,6 +1,6 @@
 title: Suspicious Greedy Compression Using Rar.EXE
 id: afe52666-401e-4a02-b4ff-5d128990b8cb
-status: experimental
+status: test
 description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
 references:
 - https://decoded.avast.io/martinchlumecky/png-steganography
diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
index fc1c4ec81f5d..8bbfb03d2fb1 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
@@ -1,6 +1,6 @@
 title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
 id: 48917adc-a28e-4f5d-b729-11e75da8941f
-status: experimental
+status: test
 description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
 references:
 - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
index 6e927e0a8e8f..2b45c02e98ef 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
@@ -3,7 +3,7 @@ id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
 related:
 - id: d7662ff6-9e97-4596-a61d-9839e32dee8d
 type: similar
-status: experimental
+status: test
 description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
 references:
 - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
index 7e506c4ba458..6da47889b6c0 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
@@ -1,6 +1,6 @@
 title: Service Registry Key Deleted Via Reg.EXE
 id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
-status: experimental
+status: test
 description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
 references:
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
diff --git a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
index f71dfabe22b6..d0e7c7917f4f 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
@@ -3,7 +3,7 @@ id: 62e0298b-e994-4189-bc87-bc699aa62d97
 related:
 - id: 73bba97f-a82d-42ce-b315-9182e76c57b1
 type: derived
-status: experimental
+status: test
 description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
index d095234b0eed..38aa56f37396 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
@@ -3,7 +3,7 @@ id: 28ac00d6-22d9-4a3c-927f-bbd770104573
 related:
 - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
 type: similar
-status: experimental
+status: test
 description: |
 Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.
 RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
index 282327d45539..c281521a14ba 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
@@ -1,6 +1,6 @@
 title: LSA PPL Protection Disabled Via Reg.EXE
 id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
-status: experimental
+status: test
 description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
 references:
 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
diff --git a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
index 3eebf8cb9ba2..f0832d4b268a 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
@@ -1,6 +1,6 @@
 title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
 id: 0d5675be-bc88-4172-86d3-1e96a4476536
-status: experimental
+status: test
 description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
 references:
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
diff --git a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
index ca933be8387b..c0887bc7d13e 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
@@ -1,6 +1,6 @@
 title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
 id: 452bce90-6fb0-43cc-97a5-affc283139b3
-status: experimental
+status: test
 description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
 references:
 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
diff --git a/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml b/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml
index 20f82536a731..8235680587ef 100644
--- a/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml
@@ -1,6 +1,6 @@
 title: Regasm/Regsvcs Suspicious Execution
 id: cc368ed0-2411-45dc-a222-510ace303cb2
-status: experimental
+status: test
 description: Detects suspicious execution of Regasm/Regsvcs utilities
 references:
 - https://www.fortiguard.com/threat-signal-report/4718?s=09
diff --git a/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
index 3f2d587ba110..a7e3579bde33 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
@@ -3,7 +3,7 @@ id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
 related:
 - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
 type: derived
-status: experimental
+status: test
 description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Regini/
diff --git a/rules/windows/process_creation/proc_creation_win_regini_execution.yml b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
index 251f792966d2..1a58c575a622 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
@@ -3,7 +3,7 @@ id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
 related:
 - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
 type: derived
-status: experimental
+status: test
 description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Regini/
diff --git a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
index 2d3ca3f40a75..dd6ed188311f 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
@@ -3,7 +3,7 @@ id: 21d856f9-9281-4ded-9377-51a1a6e2a432
 related:
 - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
 type: derived
-status: experimental
+status: test
 description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
 references:
 - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
diff --git a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
index 59033fddc1a6..9f3ffc22d0e7 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
@@ -3,7 +3,7 @@ id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
 related:
 - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
 type: similar
-status: experimental
+status: test
 description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
 references:
 - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
diff --git a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
index 2e0c2c18d367..e2ae3a66488a 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
 type: similar
-status: experimental
+status: test
 description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
 references:
 - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
index d07d11d61ebc..397ae87bcd9d 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
@@ -1,6 +1,6 @@
 title: Potentially Suspicious Regsvr32 HTTP IP Pattern
 id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
-status: experimental
+status: test
 description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
 references:
 - https://twitter.com/mrd0x/status/1461041276514623491
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
index 4f27725b4e49..2a99c64e6cd3 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
@@ -3,7 +3,7 @@ id: 867356ee-9352-41c9-a8f2-1be690d78216
 related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 type: obsoletes
-status: experimental
+status: test
 description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
 references:
 - https://twitter.com/mrd0x/status/1461041276514623491
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
index b2d1a88fc9d9..27463a9d971f 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
@@ -3,7 +3,7 @@ id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
 related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 type: obsoletes
-status: experimental
+status: test
 description: Detects potentially suspicious child processes of "regsvr32.exe".
 references:
 - https://redcanary.com/blog/intelligence-insights-april-2022/
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
index f3417695657b..75dcf5b0a219 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
@@ -3,7 +3,7 @@ id: 9525dc73-0327-438c-8c04-13c0e037e9da
 related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 type: obsoletes
-status: experimental
+status: test
 description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
 references:
 - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
index fe7c1501991b..7cf9cc245d82 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
@@ -1,6 +1,6 @@
 title: Regsvr32 Execution From Highly Suspicious Location
 id: 327ff235-94eb-4f06-b9de-aaee571324be
-status: experimental
+status: test
 description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
 references:
 - Internal Research
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
index 851256ec4886..30f7c594b670 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
@@ -3,7 +3,7 @@ id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
 related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 type: obsoletes
-status: experimental
+status: test
 description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
 references:
 - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
index d0d5927f069f..ccd0f9a82d55 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
@@ -3,7 +3,7 @@ id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
 related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 type: obsoletes
-status: experimental
+status: test
 description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
 references:
 - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
index e02eae5c1aab..d68f29661462 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
@@ -1,6 +1,6 @@
 title: Remote Access Tool - AnyDesk Piped Password Via CLI
 id: b1377339-fda6-477a-b455-ac0923f9ec2c
-status: experimental
+status: test
 description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
 references:
 - https://redcanary.com/blog/misbehaving-rats/
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
index af3921fd2285..a6b1a9e89795 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
@@ -3,7 +3,7 @@ id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
 related:
 - id: b52e84a3-029e-4529-b09b-71d19dd27e94
 type: similar
-status: experimental
+status: test
 description: |
 An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
 These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
index fb0366f6079e..841c1dbb3c21 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
@@ -1,6 +1,6 @@
 title: Remote Access Tool - NetSupport Execution
 id: 758ff488-18d5-4cbe-8ec4-02b6285a434f
-status: experimental
+status: test
 description: |
 An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
 These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
index 5cf9125af8d3..16b03b2601b4 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
@@ -1,6 +1,6 @@
 title: Remote Access Tool - NetSupport Execution From Unusual Location
 id: 37e8d358-6408-4853-82f4-98333fca7014
-status: experimental
+status: test
 description: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
 references:
 - https://redcanary.com/blog/misbehaving-rats/
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
index aea1ed06ce6a..bc177acf66b8 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
@@ -1,6 +1,6 @@
 title: Remote Access Tool - RURAT Execution From Unusual Location
 id: e01fa958-6893-41d4-ae03-182477c5e77d
-status: experimental
+status: test
 description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
 references:
 - https://redcanary.com/blog/misbehaving-rats/
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml
index 222bcce449b4..64ac699b2147 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml
@@ -1,6 +1,6 @@
 title: Remote Access Tool - ScreenConnect Backstage Mode Anomaly
 id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
-status: experimental
+status: test
 description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode
 references:
 - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
index cdfc2195c056..a0e5762c2b48 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
@@ -1,6 +1,6 @@
 title: Renamed BrowserCore.EXE Execution
 id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559
-status: experimental
+status: test
 description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
 references:
 - https://twitter.com/mariuszbit/status/1531631015139102720
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
index 79679f3b111b..2b3be1eb6cc6 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
@@ -3,7 +3,7 @@ id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
 related:
 - id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
 type: similar
-status: experimental
+status: test
 description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
 references:
 - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
index 287e327c4238..c4c13d98d6dd 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
@@ -1,6 +1,6 @@
 title: Renamed Mavinject.EXE Execution
 id: e6474a1b-5390-49cd-ab41-8d88655f7394
-status: experimental
+status: test
 description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
index 20d1548aa93c..6a5c90b28907 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
@@ -1,6 +1,6 @@
 title: Renamed Msdt.EXE Execution
 id: bd1c6866-65fc-44b2-be51-5588fcff82b9
-status: experimental
+status: test
 description: Detects the execution of a renamed "Msdt.exe" binary
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
index 37c38252a3d5..48ae4e590f37 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
@@ -1,6 +1,6 @@
 title: Renamed NetSupport RAT Execution
 id: 0afbd410-de03-4078-8491-f132303cb67d
-status: experimental
+status: test
 description: Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
 references:
 - https://redcanary.com/blog/misbehaving-rats/
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
index c2d79235fe7f..6a4d5a33eccf 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
@@ -1,6 +1,6 @@
 title: Renamed Plink Execution
 id: 1c12727d-02bf-45ff-a9f3-d49806a3cf43
-status: experimental
+status: test
 description: Detects the execution of a renamed version of the Plink binary
 references:
 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
index a485dd8ba807..6667dda49caa 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
@@ -3,7 +3,7 @@ id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed
 related:
 - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
 type: derived
-status: experimental
+status: test
 description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
 references:
 - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
index 0f38671712ec..f1e541c2eb4c 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
@@ -1,6 +1,6 @@
 title: Renamed Remote Utilities RAT (RURAT) Execution
 id: 9ef27c24-4903-4192-881a-3adde7ff92a5
-status: experimental
+status: test
 description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
 references:
 - https://redcanary.com/blog/misbehaving-rats/
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
index 121ea63fc368..ff78489fab3e 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
@@ -1,6 +1,6 @@
 title: Renamed Sysinternals Sdelete Execution
 id: c1d867fe-8d95-4487-aab4-e53f2d339f90
-status: experimental
+status: test
 description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
index b18156c9e423..c598023335a1 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
@@ -1,6 +1,6 @@
 title: Renamed Vmnat.exe Execution
 id: 7b4f794b-590a-4ad4-ba18-7964a2832205
-status: experimental
+status: test
 description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
 references:
 - https://twitter.com/malmoeb/status/1525901219247845376
diff --git a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
index e34a064cd856..bed8d9241528 100644
--- a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
@@ -1,6 +1,6 @@
 title: Ruby Inline Command Execution
 id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8
-status: experimental
+status: test
 description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
 references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
index d7c01a1497f5..83308c35ac97 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
@@ -1,6 +1,6 @@
 title: Potential Rundll32 Execution With DLL Stored In ADS
 id: 9248c7e1-2bf3-4661-a22c-600a8040b446
-status: experimental
+status: test
 description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Rundll32
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
index 023daafc86bb..811448ab2b6e 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
@@ -1,6 +1,6 @@
 title: Suspicious Advpack Call Via Rundll32.EXE
 id: a1473adb-5338-4a20-b4c3-126763e2d3d3
-status: experimental
+status: test
 description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
 references:
 - https://twitter.com/Hexacorn/status/1224848930795552769
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml b/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
index ae2c18bdc8a8..5aec1b61aebb 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
@@ -1,6 +1,6 @@
 title: Rundll32 InstallScreenSaver Execution
 id: 15bd98ea-55f4-4d37-b09a-e7caa0fa2221
-status: experimental
+status: test
 description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
 references:
 - https://lolbas-project.github.io/lolbas/Libraries/Desk/
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml b/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
index 70304a4af7bd..d549c8c35051 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
@@ -1,6 +1,6 @@
 title: Suspicious Key Manager Access
 id: a4694263-59a8-4608-a3a0-6f8d3a51664c
-status: experimental
+status: test
 description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
 references:
 - https://twitter.com/NinjaParanoid/status/1516442028963659777
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml b/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml
index 9e8a58077710..31db732deb79 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml
@@ -1,6 +1,6 @@
 title: Suspicious NTLM Authentication on the Printer Spooler Service
 id: bb76d96b-821c-47cf-944b-7ce377864492
-status: experimental
+status: test
 description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
 references:
 - https://twitter.com/med0x2e/status/1520402518685200384
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
index 3f65c8819606..3209b188dd00 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
@@ -1,6 +1,6 @@
 title: Potential Obfuscated Ordinal Call Via Rundll32
 id: 43fa5350-db63-4b8f-9a01-789a427074e1
-status: experimental
+status: test
 description: Detects execution of "rundll32" with potential obfuscated ordinal calls
 references:
 - Internal Research
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml b/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml
index f7f53f8e556f..827b016b8a49 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml
@@ -1,6 +1,6 @@
 title: Suspicious Rundll32 Script in CommandLine
 id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
-status: experimental
+status: test
 description: Detects suspicious process related to rundll32 based on arguments
 references:
 - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml
index 00f3ac8ccbf6..9ea945925abc 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml
@@ -1,6 +1,6 @@
 title: Shell32 DLL Execution in Suspicious Directory
 id: 32b96012-7892-429e-b26c-ac2bf46066ff
-status: experimental
+status: test
 description: Detects shell32.dll executing a DLL in a suspicious directory
 references:
 - https://www.group-ib.com/resources/threat-research/red-curl-2.html
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
index 38f3a68df2ac..cdec3852b05e 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
@@ -1,6 +1,6 @@
 title: Potential ShellDispatch.DLL Functionality Abuse
 id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9
-status: experimental
+status: test
 description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
 references:
 - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml
index 3b93739373e0..84403e8320db 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml
@@ -3,7 +3,7 @@ id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec
 related:
 - id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
 type: similar
-status: experimental
+status: test
 description: Detects the execution of Rundll32.exe with DLL files masquerading as image files
 references:
 - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml
index ecb2824ead5f..90b7cac650ec 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml
@@ -3,7 +3,7 @@ id: d87bd452-6da1-456e-8155-7dc988157b7d
 related:
 - id: 36c5146c-d127-4f85-8e21-01bf62355d5a
 type: obsoletes
-status: experimental
+status: test
 description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
 references:
 - https://redcanary.com/blog/raspberry-robin/
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml b/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
index 3be4b9ebd1f1..20439b6b8fad 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
@@ -1,6 +1,6 @@
 title: Suspicious Workstation Locking via Rundll32
 id: 3b5b0213-0460-4e3f-8937-3abf98ff7dcc
-status: experimental
+status: test
 description: Detects a suspicious call to the user32.dll function that locks the user workstation
 references:
 - https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/
diff --git a/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml b/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml
index 6c0ca900ab7c..f744201a645e 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml
@@ -1,6 +1,6 @@
 title: Service StartupType Change Via Sc.EXE
 id: 85c312b7-f44d-4a51-a024-d671c40b49fc
-status: experimental
+status: test
 description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
 references:
 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
index 483867699870..6d13dddb2453 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
@@ -3,7 +3,7 @@ id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47
 related:
 - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering
 type: similar
-status: experimental
+status: test
 description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
 references:
 - https://twitter.com/0gtweet/status/1628720819537936386
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml
index 5a5dbc15b7ca..a840e37eb968 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
 type: similar
-status: experimental
+status: test
 description: Detection of sc.exe utility adding a new service with special permission which hides that service.
 references:
 - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
diff --git a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml
index b982fdeb4e94..c843dc5037a1 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml
@@ -3,7 +3,7 @@ id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
 related:
 - id: eb87818d-db5d-49cc-a987-d5da331fbd90
 type: obsoletes
-status: experimental
+status: test
 description: Detects the stopping of a Windows service
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/03/05
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
index 81b371fdfb58..f859f72f1a56 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
@@ -3,7 +3,7 @@ id: 81325ce1-be01-4250-944f-b4789644556f
 related:
 - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline
 type: derived
-status: experimental
+status: test
 description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
 references:
 - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
index c1eae40a6c5f..b5e40bb6f968 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
@@ -1,6 +1,6 @@
 title: Uncommon One Time Only Scheduled Task At 00:00
 id: 970823b7-273b-460a-8afc-3a6811998529
-status: experimental
+status: test
 description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
 references:
 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
index 4e129c49ba58..6a3e317d26cd 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
@@ -3,7 +3,7 @@ id: f548a603-c9f2-4c89-b511-b089f7e94549 related: - id: 73a883d0-0348-4be4-a8d8-51031c2564f8 type: derived -status: experimental +status: test description: | Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key. diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml index 9c5e2ca66b7f..14869fd6d549 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml @@ -3,7 +3,7 @@ id: b66474aa-bd92-4333-a16c-298155b120df related: - id: 6e8811ee-90ba-441e-8486-5653e68b2299 type: similar -status: experimental +status: test description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader references: - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/ diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml index c99b4e9a91b2..5efda8a852de 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml 
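Review bot: The description on rule b66474aa (schtasks PowerShell persistence) carries two typos that will surface in every alert built from it: `executeing` and `an suspicious flags`. Suggested wording: `description: Detects suspicious powershell execution via a schedule task where the command ends with suspicious flags to hide the powershell instance instead of executing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader`. Worth fixing before the rule is promoted to `test`; the detection block is outside the hunk and was not reviewed here.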
@@ -1,6 +1,6 @@
 title: Suspicious Scheduled Task Creation via Masqueraded XML File
 id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
-status: experimental
+status: test
 description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
 references:
 - https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
index 94429dda1c63..8ad6361077e2 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
@@ -1,6 +1,6 @@
 title: Suspicious Command Patterns In Scheduled Task Creation
 id: f2c64357-b1d2-41b7-849f-34d2682c0fad
-status: experimental
+status: test
 description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
 references:
 - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
diff --git a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
index fb8279682bd8..1e15aaf74cf8 100644
--- a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
@@ -1,6 +1,6 @@
 title: Potential Suspicious Activity Using SeCEdit
 id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
-status: experimental
+status: test
 description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
 references:
 - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
diff --git a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
index 993df932ee6a..991912bbd5ad 100644
--- a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
@@ -1,6 +1,6 @@
 title: Uncommon Child Processes Of SndVol.exe
 id: ba42babc-0666-4393-a4f7-ceaf5a69191e
-status: experimental
+status: test
 description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
 references:
 - https://twitter.com/Max_Mal_/status/1661322732456353792
diff --git a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
index f6fc2cd6f99a..694df2915012 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
@@ -1,6 +1,6 @@
 title: Veeam Backup Database Suspicious Query
 id: 696bfb54-227e-4602-ac5b-30d9d2053312
-status: experimental
+status: test
 description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
index bbb7f74cbd2f..e9c72d990823 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
@@ -1,6 +1,6 @@
 title: SQLite Chromium Profile Data DB Access
 id: 24c77512-782b-448a-8950-eddb0785fc71
-status: experimental
+status: test
 description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
index 012a329dfeee..9192cf12fa2d 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
@@ -1,6 +1,6 @@
 title: SQLite Firefox Profile Data DB Access
 id: 4833155a-4053-4c9c-a997-777fcea0baa7
-status: experimental
+status: test
 description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
index fd3689fca287..3cfa146bd20d 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
@@ -1,6 +1,6 @@
 title: Port Forwarding Attempt Via SSH
 id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
-status: experimental
+status: test
 description: Detects suspicious SSH tunnel port forwarding to a local port
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
index d2ab3821e24d..aede5ee403ac 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
@@ -3,7 +3,7 @@ id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d
 related:
 - id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da # plink.exe
 type: similar
-status: experimental
+status: test
 description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
index 0f150cb170f0..33a297dc4ce9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
@@ -3,7 +3,7 @@ id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
 related:
 - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
 type: similar
-status: experimental
+status: test
 description: Detects suspicious command line that adds an account to the local administrators/administrateurs group
 references:
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
diff --git a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
index c2f9774b902d..275ef2180860 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
@@ -1,6 +1,6 @@ title: Always Install Elevated Windows Installer id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770 -status: experimental +status: test description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 70dff26fadfc..5745141b5e17 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml @@ -3,7 +3,7 @@ id: a7c3d773-caef-227e-a7e7-c2f13c622329 related: - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add type: obsoletes -status: experimental +status: test description: | Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. diff --git a/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml index afedd9c18ddc..fca1f14b055d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml @@ -1,6 +1,6 @@ title: Potential Command Line Path Traversal Evasion Attempt id: 1327381e-6ab0-4f38-b583-4c1b8346a56b -status: experimental +status: test description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline references: - https://twitter.com/hexacorn/status/1448037865435320323 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
index a30857f9cf6b..0a14cd5bc0c6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
@@ -3,7 +3,7 @@ id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c
 related:
 - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine
 type: derived
-status: experimental
+status: test
 description: Detect execution of suspicious double extension files in ParentCommandLine
 references:
 - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
index 9d43fc6ef437..367be4cef602 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
@@ -1,6 +1,6 @@
 title: Suspicious Execution From GUID Like Folder Names
 id: 90b63c33-2b97-4631-a011-ceb0f47b77c3
-status: experimental
+status: test
 description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks
 references:
 - https://twitter.com/Kostastsale/status/1565257924204986369
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
index 447bb5775dff..b76a30ae3ed2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
@@ -1,6 +1,6 @@
 title: Execution from Suspicious Folder
 id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
-status: experimental
+status: test
 description: Detects a suspicious execution from an uncommon folder
 references:
     - https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
diff --git a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
index 3c063d250025..c64730414876 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
@@ -3,7 +3,7 @@ id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
 related:
     - id: 03d83090-8cba-44a0-b02f-0b756a050306
       type: derived
-status: experimental
+status: test
 description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
 references:
     - https://twitter.com/m417z/status/1566674631788007425
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
index 535d806af4d1..dbb56975c519 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
@@ -3,7 +3,7 @@ id: a96970af-f126-420d-90e1-d37bf25e50e1
 related:
     - id: 349d891d-fef0-4fe4-bc53-eee623a15969
       type: similar
-status: experimental
+status: test
 description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
 references:
     - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
diff --git a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
index 9f581bf0622f..4f2e2ab79b37 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
@@ -3,7 +3,7 @@ id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b
 related:
     - id: f35c5d71-b489-4e22-a115-f003df287317
       type: derived
-status: experimental
+status: test
 description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
 references:
     - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
index 3ea4b6b5d307..c6c597d99134 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
@@ -1,6 +1,6 @@
 title: Potential Defense Evasion Via Right-to-Left Override
 id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
-status: experimental
+status: test
 description: |
     Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques.
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
index ddcaeece4dbd..a6cedbca2629 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
@@ -3,7 +3,7 @@ id: 9212f354-7775-4e28-9c9f-8f0a4544e664
 related:
     - id: ef61af62-bc74-4f58-b49b-626448227652
       type: derived
-status: experimental
+status: test
 description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.
 references:
     - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
index 569ab46d8ffb..53d1712a4c15 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
@@ -3,7 +3,7 @@ id: ef61af62-bc74-4f58-b49b-626448227652
 related:
     - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
       type: derived
-status: experimental
+status: test
 description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
 references:
     - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
index b020e3df7cf4..69003011edfd 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
@@ -3,7 +3,7 @@ id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
 related:
     - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
       type: derived
-status: experimental
+status: test
 description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
 references:
     - https://twitter.com/Moti_B/status/1008587936735035392
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
index aff51dc1e558..3f5b55315013 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
@@ -1,6 +1,6 @@
 title: Potential Memory Dumping Activity Via LiveKD
 id: a85f7765-698a-4088-afa0-ecfbf8d01fa4
-status: experimental
+status: test
 description: Detects execution of LiveKD based on PE metadata or image name
 references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
index 2ed92160ffa5..7cb9d7b1f4e8 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
@@ -1,6 +1,6 @@
 title: Kernel Memory Dump Via LiveKD
 id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
-status: experimental
+status: test
 description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
 references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
index b62bd7e12f1e..c8c9336129c5 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
@@ -1,6 +1,6 @@
 title: Procdump Execution
 id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
-status: experimental
+status: test
 description: Detects usage of the SysInternals Procdump utility
 references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
index 20200260f192..c3bb28b0d586 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
@@ -3,7 +3,7 @@ id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
 related:
     - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
       type: similar
-status: experimental
+status: test
 description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml
index 7b67c416c535..abb352311d68 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml
@@ -1,6 +1,6 @@
 title: Potential PsExec Remote Execution
 id: ea011323-7045-460b-b2d7-0f7442ea6b38
-status: experimental
+status: test
 description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
index ffd5a28ad6b5..bd75ae192640 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
@@ -3,7 +3,7 @@ id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5
 related:
     - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
       type: obsoletes
-status: experimental
+status: test
 description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
index 0b30fe207c38..5ed1f05f341d 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
@@ -3,7 +3,7 @@ id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
 related:
     - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
       type: similar
-status: experimental
+status: test
 description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
index b2352c405ccb..930c35e9249e 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
@@ -1,6 +1,6 @@
 title: Suspicious Use of PsLogList
 id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
-status: experimental
+status: test
 description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
 references:
     - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
index ddd882d16a67..6ab71e6288cc 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
@@ -1,6 +1,6 @@
 title: Sysinternals PsService Execution
 id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f
-status: experimental
+status: test
 description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/psservice
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
index 8c082115ec80..98fa3c83d1ce 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
@@ -3,7 +3,7 @@ id: 48bbc537-b652-4b4e-bd1d-281172df448f
 related:
     - id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78
       type: similar
-status: experimental
+status: test
 description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
 references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
index db2af26aeef9..3d72c6b43f43 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
@@ -3,7 +3,7 @@ id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78
 related:
     - id: 48bbc537-b652-4b4e-bd1d-281172df448f # Basic Execution
       type: similar
-status: experimental
+status: test
 description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
index ee21021ccbbd..5a88207ac556 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
@@ -1,6 +1,6 @@
 title: Potential File Overwrite Via Sysinternals SDelete
 id: a4824fca-976f-4964-b334-0621379e84c4
-status: experimental
+status: test
 description: Detects the use of SDelete to erase a file not the free space
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
index 3d7f7706cd98..53131b483d4c 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
@@ -3,7 +3,7 @@ id: 207b0396-3689-42d9-8399-4222658efc99
 related:
     - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
       type: similar
-status: experimental
+status: test
 description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
diff --git a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
index ea7421f862ea..a5f2f3b61fb7 100644
--- a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
@@ -3,7 +3,7 @@ id: a383dec4-deec-4e6e-913b-ed9249670848
 related:
     - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
       type: similar
-status: experimental
+status: test
 description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
 references:
     - Internal Research
diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
index c10e835bafd1..68137ee03703 100644
--- a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
@@ -1,6 +1,6 @@
 title: Suspicious Command With Teams Objects Paths
 id: d2eb17db-1d39-41dc-b57f-301f6512fa75
-status: experimental
+status: test
 description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
 references:
     - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
diff --git a/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
index 21165f1691a1..78fb7387ad83 100644
--- a/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
+++ b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
@@ -1,6 +1,6 @@
 title: New Virtual Smart Card Created Via TpmVscMgr.EXE
 id: c633622e-cab9-4eaa-bb13-66a1d68b3e47
-status: experimental
+status: test
 description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
 references:
     - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
diff --git a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
index aa5c0300c31d..d98c795a7f80 100644
--- a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
@@ -1,6 +1,6 @@
 title: Potential RDP Session Hijacking Activity
 id: 224f140f-3553-4cd1-af78-13d81bf9f7cc
-status: experimental
+status: test
 description: Detects potential RDP Session Hijacking activity on Windows systems
 references:
     - https://twitter.com/Moti_B/status/909449115477659651
diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml
index 89dcaf75f3a0..2a2c14461239 100644
--- a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml
@@ -3,7 +3,7 @@ id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
 related:
     - id: 236d8e89-ed95-4789-a982-36f4643738ba
       type: derived
-status: experimental
+status: test
 description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
 references:
     - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
index af3330d57cc8..65225d628bf4 100644
--- a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
@@ -3,7 +3,7 @@ id: 236d8e89-ed95-4789-a982-36f4643738ba
 related:
     - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
       type: derived
-status: experimental
+status: test
 description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
 references:
     - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
diff --git a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
index e0e058805a74..53acd9cfb71e 100644
--- a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
@@ -3,7 +3,7 @@ id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
 related:
     - id: 0cf2e1c6-8d10-4273-8059-738778f981ad
       type: derived
-status: experimental
+status: test
 description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
 references:
     - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
diff --git a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
index 27a58fde21d5..b8b708556e8a 100644
--- a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
@@ -1,6 +1,6 @@
 title: Potential Recon Activity Using Wevtutil
 id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
-status: experimental
+status: test
 description: Detects usage of the wevtutil utility to perform reconnaissance
 references:
     - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
index 395246105c39..d50cb06d0a7b 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
@@ -3,7 +3,7 @@ id: 79ce34ca-af29-4d0e-b832-fc1b377020db
 related:
     - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
       type: obsoletes
-status: experimental
+status: test
 description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml
index 2d92ba45cb7b..a4866b9979c2 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml
@@ -1,6 +1,6 @@
 title: Group Membership Reconnaissance Via Whoami.EXE
 id: bd8b828d-0dca-48e1-8a63-8a58ecf2644f
-status: experimental
+status: test
 description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
 references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
index 2d56ef9d69d3..109c3f6e52c0 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
@@ -1,6 +1,6 @@
 title: Whoami.EXE Execution Anomaly
 id: 8de1cbe8-d6f5-496d-8237-5f44a721c7a0
-status: experimental
+status: test
 description: Detects the execution of whoami.exe with suspicious parent processes.
 references:
     - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml
index bb770747c511..bbfcd96ae8c1 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml
@@ -1,6 +1,6 @@
 title: Security Privileges Enumeration Via Whoami.EXE
 id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
-status: experimental
+status: test
 description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
 references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
index d6b55155caa4..2ae6164c73be 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
@@ -1,6 +1,6 @@
 title: Suspicious Whoami.EXE Execution
 id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
-status: experimental
+status: test
 description: Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use.
 references:
     - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
diff --git a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
index 0868cf343b9f..c87f477284be 100644
--- a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
@@ -1,6 +1,6 @@
 title: Suspicious WindowsTerminal Child Processes
 id: 8de89e52-f6e1-4b5b-afd1-41ecfa300d48
-status: experimental
+status: test
 description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
 references:
     - https://persistence-info.github.io/Data/windowsterminalprofile.html
diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml
index f590025cc266..4efffd1d2ed8 100644
--- a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: c15a46a0-07d4-4c87-b4b6-89207835a83b
       type: similar
-status: experimental
+status: test
 description: Detects usage of winget to add new additional download sources
 references:
     - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml
index 3eff20d90b94..33e3ddd4bbbe 100644
--- a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: c15a46a0-07d4-4c87-b4b6-89207835a83b
       type: similar
-status: experimental
+status: test
 description: |
     Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml
index fa0f7c1f3e5e..bc2d1b3f369b 100644
--- a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
       type: similar
-status: experimental
+status: test
 description: Detects usage of winget to add new potentially suspicious download sources
 references:
     - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
diff --git a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml
index ce25c5c20150..9ffd2a92461b 100644
--- a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml
@@ -1,6 +1,6 @@
 title: Install New Package Via Winget Local Manifest
 id: 313d6012-51a0-4d93-8dfc-de8553239e25
-status: experimental
+status: test
 description: |
     Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client.
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml b/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml
index dff560319b07..d68098874005 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml
@@ -1,6 +1,6 @@
 title: Potential Windows Defender Tampering Via Wmic.EXE
 id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
-status: experimental
+status: test
 description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml
index 30cb71b78d34..fec41430b4a6 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml
@@ -1,6 +1,6 @@ title: Computer System Reconnaissance Via Wmic.EXE id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f -status: experimental +status: test description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc. references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml index 69a8be88a97f..c3dd34827667 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml @@ -1,6 +1,6 @@ title: Hardware Model Reconnaissance Via Wmic.EXE id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d -status: experimental +status: test description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information references: - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml index bff18ed4fe85..375e35e1b4c9 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml @@ -1,6 +1,6 @@ title: Local Groups Reconnaissance Via Wmic.EXE id: 164eda96-11b2-430b-85ff-6a265c15bf32 -status: experimental +status: test description: | Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. 
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml index 7aa136745180..d1f8c41aef8d 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml @@ -1,6 +1,6 @@ title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45 -status: experimental +status: test description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts references: - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml index 4ca49d1f181c..ff92230053b7 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml @@ -1,6 +1,6 @@ title: Process Reconnaissance Via Wmic.EXE id: 221b251a-357a-49a9-920a-271802777cc0 -status: experimental +status: test description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml index 942d53690f3e..07db3fc47f2e 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml 
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml @@ -1,6 +1,6 @@ title: Potential Product Reconnaissance Via Wmic.EXE id: 15434e33-5027-4914-88d5-3d4145ec25a9 -status: experimental +status: test description: Detects the execution of WMIC in order to get a list of firewall and antivirus products references: - https://thedfirreport.com/2023/03/06/2022-year-in-review/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml index 80d0b3f7d86a..8c61e02a815f 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml @@ -1,6 +1,6 @@ title: Potential Product Class Reconnaissance Via Wmic.EXE id: e568650b-5dcd-4658-8f34-ded0b1e13992 -status: experimental +status: test description: Detects the execution of WMIC in order to get a list of firewall and antivirus products references: - https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml index 6e055ea1ad83..7b6db1f335af 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml @@ -3,7 +3,7 @@ id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae related: - id: 68bcd73b-37ef-49cb-95fc-edc809730be6 type: similar -status: experimental +status: test description: | An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. 
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml index b5fb17751140..6a8149d71ad6 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml @@ -1,6 +1,6 @@ title: Potential System Information Discovery Via Wmic.EXE id: 9d5a1274-922a-49d0-87f3-8c653483b909 -status: experimental +status: test description: | Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml index 8c05b5f5a279..06bbf697d2d9 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml @@ -5,7 +5,7 @@ related: type: obsoletes - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf type: obsoletes -status: experimental +status: test description: Detects the execution of WMIC to query information on a remote system references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml b/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml index b17833d01b6c..f1ca9fc45b9f 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml 
@@ -1,6 +1,6 @@ title: Service Started/Stopped Via Wmic.EXE id: 0b7163dc-7eee-4960-af17-c0cd517f92da -status: experimental +status: test description: Detects usage of wmic to start or stop a service references: - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html diff --git a/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml index 62d59a1b17e0..2fa2054bd48e 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml @@ -11,7 +11,7 @@ related: type: obsoletes - id: 04f5363a-6bca-42ff-be70-0d28bf629ead type: obsoletes -status: experimental +status: test description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin). references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml index 53bec511aefc..414b1ab0037c 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml @@ -3,7 +3,7 @@ id: b53317a0-8acf-4fd1-8de8-a5401e776b96 related: - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products type: derived -status: experimental +status: test description: Uninstall an application with wmic references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic 
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml index 2b4799250c88..a790fa852155 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml @@ -1,6 +1,6 @@ title: Cscript/Wscript Suspicious Child Process id: b6676963-0353-4f88-90f5-36c20d443c6a -status: experimental +status: test description: Detects suspicious child processes of Wscript/Cscript author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/15 diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml index 10be020863ab..8944a9f5accc 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml @@ -1,6 +1,6 @@ title: Cscript/Wscript Uncommon Script Extension Execution id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee -status: experimental +status: test description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/15 diff --git a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml index abb571644d89..23f5d26a727a 100644 --- a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml 
@@ -1,6 +1,6 @@ title: Windows Binary Executed From WSL id: ed825c86-c009-4014-b413-b76003e33d35 -status: experimental +status: test description: Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships references: - Internal Research diff --git a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml index 91b79089a9dd..f643eaff8684 100644 --- a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml +++ b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml @@ -1,6 +1,6 @@ title: Potential NetWire RAT Activity - Registry id: 1d218616-71b0-4c40-855b-9dbe75510f7f -status: experimental +status: test description: Detects registry keys related to NetWire RAT references: - https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing diff --git a/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml index e84fd2d5eafa..dad041dcaa75 100644 --- a/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via New AMSI Providers - Registry id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 -status: experimental +status: test description: Detects when an attacker registers a new AMSI provider in order to achieve persistence references: - https://persistence-info.github.io/Data/amsi.html diff --git a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml index 5d3f45221066..55f067b45ed3 100644 --- a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml 
+++ b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml @@ -1,6 +1,6 @@ title: Potential COM Object Hijacking Via TreatAs Subkey - Registry id: 9b0f8a61-91b2-464f-aceb-0527e0a45020 -status: experimental +status: test description: Detects COM object hijacking via TreatAs subkey references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ diff --git a/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml index 09192a552c90..0b5db516bed5 100644 --- a/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Disk Cleanup Handler - Registry id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a -status: experimental +status: test description: | Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml index 4706b5d675fe..96fe42dfa408 100644 --- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml +++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml @@ -1,6 +1,6 @@ title: PUA - Sysinternal Tool Execution - Registry id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 -status: experimental +status: test description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key references: - https://twitter.com/Moti_B/status/1008587936735035392 
diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml index 1e2a436e64c1..d8cdebdedf8f 100644 --- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml +++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml @@ -5,7 +5,7 @@ related: type: derived - id: 8023f872-3f1d-4301-a384-801889917ab4 type: similar -status: experimental +status: test description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool) references: - Internal Research diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml index 180da7c631a4..cf22352087be 100644 --- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml +++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml @@ -5,7 +5,7 @@ related: type: derived - id: 9841b233-8df8-4ad7-9133-b0b4402a9014 type: obsoletes -status: experimental +status: test description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key. references: - https://twitter.com/Moti_B/status/1008587936735035392 diff --git a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml index 37fffeeaef5a..fa66851298da 100644 --- a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml 
+++ b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml @@ -1,6 +1,6 @@ title: Folder Removed From Exploit Guard ProtectedFolders List - Registry id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40 -status: experimental +status: test description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder references: - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml index 04f68324fc37..ec2b9d20cc05 100644 --- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml +++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml @@ -5,7 +5,7 @@ related: type: similar - id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61 type: similar -status: experimental +status: test description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query" references: - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml index 4cb5739aa21e..4272a303677c 100644 --- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml 
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml @@ -3,7 +3,7 @@ id: acd74772-5f88-45c7-956b-6a7b36c294d2 related: - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec type: similar -status: experimental +status: test description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware references: - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ diff --git a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml index 7abdbde39b58..d56a0e722455 100644 --- a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml +++ b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml @@ -1,6 +1,6 @@ title: Potential Qakbot Registry Activity id: 1c8e96cd-2bed-487d-9de0-b46c90cade56 -status: experimental +status: test description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml index 11fdecf909a6..a30a328ef84f 100644 --- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml +++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml @@ -1,6 +1,6 @@ title: Atbroker Registry Change id: 9577edbb-851f-4243-8c91-1d5b50c1a39b -status: experimental +status: test description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at' references: - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ 
diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml index 321b592fcb7c..a4e9bc50658e 100644 --- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml @@ -1,6 +1,6 @@ title: Hypervisor Enforced Code Integrity Disabled id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a -status: experimental +status: test description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel references: - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/ diff --git a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml index 3f8b35c967bf..a5e9ca1038a3 100644 --- a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml +++ b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml @@ -1,6 +1,6 @@ title: Change User Account Associated with the FAX Service id: e3fdf743-f05b-4051-990a-b66919be1743 -status: experimental +status: test description: Detect change of the user account associated with the FAX service to avoid the escalation problem. references: - https://twitter.com/dottor_morte/status/1544652325570191361 diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml index adf10c8fc135..d3d44b9c6c37 100644 --- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml 
+++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml @@ -1,6 +1,6 @@ title: Change the Fax Dll id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513 -status: experimental +status: test description: Detect possible persistence using Fax DLL load when service restart references: - https://twitter.com/dottor_morte/status/1544652325570191361 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml index 5090b01265d3..5cd432a87bd0 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Custom Protocol Handler id: fdbf0b9d-0182-4c43-893b-a1eaab92d085 -status: experimental +status: test description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism. references: - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml index 791736e43657..0be6813dbf27 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml 
@@ -3,7 +3,7 @@ id: 0cf2e1c6-8d10-4273-8059-738778f981ad related: - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd type: derived -status: experimental +status: test description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence. references: - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml index aba450b50628..bc9f4cd92adf 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml @@ -1,6 +1,6 @@ title: Potential PendingFileRenameOperations Tamper id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a -status: experimental +status: test description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot. references: - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6