diff --git a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml index adb1e30fc31..0860e557ca5 100644 --- a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml +++ b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml @@ -1,6 +1,6 @@ title: Rejetto HTTP File Server RCE id: a133193c-2daa-4a29-8022-018695fcf0ae -status: experimental +status: test description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287 references: - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/ diff --git a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml index 855303ca773..67c8c5d5fdd 100644 --- a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml +++ b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml @@ -7,7 +7,7 @@ related: type: similar - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation type: similar -status: experimental +status: test description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report references: - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf diff --git a/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml b/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml index c88a5c934f5..d14cb8f9618 100644 --- a/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml +++ b/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml 
@@ -1,6 +1,6 @@ title: Potential EmpireMonkey Activity id: 10152a7b-b566-438f-a33c-390b607d1c8d -status: experimental +status: test description: Detects potential EmpireMonkey APT activity references: - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml index b9d335b7a98..20f54c14b65 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml @@ -1,7 +1,7 @@ title: Potential CVE-2021-26084 Exploitation Attempt id: 38825179-3c78-4fed-b222-2e2166b926b1 description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection -status: experimental +status: test references: - https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml index 3caa867879c..137cb1afc0b 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml @@ -1,6 +1,6 @@ title: Potential CVE-2021-27905 Exploitation Attempt id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3 -status: experimental +status: test description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. references: - https://twitter.com/Al1ex4/status/1382981479727128580 
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml index e1518fc5596..5a93cde8583 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml @@ -1,6 +1,6 @@ title: Suspicious Word Cab File Write CVE-2021-40444 id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5 -status: experimental +status: test description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444 references: - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml index 1d4be35ab19..286d33c8301 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml @@ -1,6 +1,6 @@ title: Potential Exploitation Attempt From Office Application id: 868955d9-697e-45d4-a3da-360cefd7c216 -status: experimental +status: test description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE) references: - https://twitter.com/sbousseaden/status/1531653369546301440 diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml index 682e43579d6..b9bec4de812 100644 
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml @@ -1,6 +1,6 @@ title: CVE-2021-41773 Exploitation Attempt id: 3007fec6-e761-4319-91af-e32e20ac43f5 -status: experimental +status: test description: | Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml index 69786555243..4a2ef9565d7 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml @@ -1,6 +1,6 @@ title: Log4j RCE CVE-2021-44228 in Fields id: 9be472ed-893c-4ec0-94da-312d2765f654 -status: experimental +status: test description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell) references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ diff --git a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml index c1145049dff..b7ac162c2f2 100644 --- a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml +++ b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml 
@@ -1,6 +1,6 @@ title: Exchange ProxyShell Pattern id: 23eee45e-933b-49f9-ae1b-df706d2d52ef -status: experimental +status: test description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful) references: - https://youtu.be/5mqid-7zp8k?t=2231 diff --git a/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml index 14b69260cf7..5f241efdc07 100644 --- a/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml @@ -1,6 +1,6 @@ title: CVE-2021-31979 CVE-2021-33771 Exploits id: 32b5db62-cb5f-4266-9639-0fa48376ac00 -status: experimental +status: test description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml index c64f8175cb9..63368bd53f0 100644 --- a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml +++ b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml 
@@ -1,6 +1,6 @@ title: Potential Devil Bait Related Indicator id: 93d5f1b4-36df-45ed-8680-f66f242b8415 -status: experimental +status: test description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml index bbfa00cca78..36048b04297 100644 --- a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml +++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml @@ -3,7 +3,7 @@ id: e8954be4-b2b8-4961-be18-da1a5bda709c related: - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 type: derived -status: experimental +status: test description: Detects specific process behavior observed with Devil Bait samples references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml index fcffda7b351..a741e1530cf 100644 --- a/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml +++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml 
@@ -1,6 +1,6 @@ title: Devil Bait Potential C2 Communication Traffic id: 514c50c9-373a-46e5-9012-f0327c526c8f -status: experimental +status: test description: Detects potential C2 communication related to Devil Bait malware references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml index a43f7f96ad6..a011d515529 100644 --- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml +++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml @@ -1,6 +1,6 @@ title: Goofy Guineapig Backdoor IOC id: f0bafe60-1240-4798-9e60-4364b97e6bad -status: experimental +status: test description: Detects malicious indicators seen used by the Goofy Guineapig malware references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml index d97e464f7bd..1b60f29cf72 100644 --- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml +++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml 
@@ -1,6 +1,6 @@ title: Potential Goofy Guineapig Backdoor Activity id: 477a5ed3-a374-4282-9f3b-ed94e159a108 -status: experimental +status: test description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml index c5611d4b504..b01465ca713 100644 --- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml +++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml @@ -1,6 +1,6 @@ title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc -status: experimental +status: test description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml index 0a30cb20471..56a12c8c75b 100644 --- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml +++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml 
@@ -1,6 +1,6 @@ title: Goofy Guineapig Backdoor Potential C2 Communication id: 4f573bb6-701a-4b8d-91db-87ae106e9a61 -status: experimental +status: test description: Detects potential C2 communication related to Goofy Guineapig backdoor references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml index f33537d0812..a4f6d9eef59 100644 --- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml +++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml @@ -1,6 +1,6 @@ title: Goofy Guineapig Backdoor Service Creation id: 8c15dd74-9570-4f48-80b2-29996fd91ee6 -status: experimental +status: test description: Detects service creation persistence used by the Goofy Guineapig backdoor references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml index 90ab872bfe4..ad9a1165aa5 100644 --- a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml +++ b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation type: similar -status: experimental +status: test description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml index b449d2d952c..69b13e62a02 100644 --- a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml +++ b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml @@ -1,6 +1,6 @@ title: Small Sieve Malware File Indicator Creation id: 39466c42-c189-476a-989f-8cdb135c163a -status: experimental +status: test description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml index d2bb906ac78..45e49e8d3ed 100644 --- a/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml +++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml 
@@ -1,6 +1,6 @@ title: Small Sieve Malware Potential C2 Communication id: b0422664-37a4-4e78-949a-4a139309eaf0 -status: experimental +status: test description: Detects potential C2 communication related to Small Sieve malware references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml index ccc1a92352d..43c0d8a9f61 100644 --- a/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml +++ b/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml @@ -1,6 +1,6 @@ title: Small Sieve Malware Registry Persistence id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1 -status: experimental +status: test description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml index 879387907c9..30168bc4ff5 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-21554 QueueJumper Exploitation id: 53207cc2-0745-4c19-bc72-80be1cc16b3f -status: experimental +status: test description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper) references: - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/ diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml index 82e3f69c27f..346fdb0d2bc 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml @@ -1,6 +1,6 @@ title: Potential CVE-2022-21587 Exploitation Attempt id: d033cb8a-8669-4a8e-a974-48d4185a8503 -status: experimental +status: test description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution. references: - https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/ diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml index 153ec50860b..5c46a52bbec 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2022-26809 Exploitation Attempt id: a7cd7306-df8b-4398-b711-6f3e4935cf16 -status: experimental +status: test description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809) references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809 diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml index b542a5370d4..49746fb1130 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml @@ -1,6 +1,6 @@ title: Zimbra Collaboration Suite Email Server Unauthenticated RCE id: dd218fb6-4d02-42dc-85f0-a0a376072efd -status: experimental +status: test description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection references: - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/ diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml index 88b3a5d0367..8cd0fe17492 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2022-29072 Exploitation Attempt id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3 -status: experimental +status: test description: | Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml index b94d97cb0fe..051ba454096 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml @@ -1,6 +1,6 @@ title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass id: fcf1101d-07c9-49b2-ad81-7e421ff96d80 -status: experimental +status: test description: | Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml index 0950724767b..01ef72fc07d 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml 
@@ -1,6 +1,6 @@ title: CVE-2022-31659 VMware Workspace ONE Access RCE id: efdb2003-a922-48aa-8f37-8b80021a9706 -status: experimental +status: test description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659 references: - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml index 1cf72efe274..ec4286e571c 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml @@ -1,6 +1,6 @@ title: Apache Spark Shell Command Injection - Weblogs id: 1a9a04fd-02d1-465c-abad-d733fd409f9c -status: experimental +status: test description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective references: - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml index b8dd2926f88..161dd5a6a5c 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml 
@@ -1,6 +1,6 @@ title: Atlassian Bitbucket Command Injection Via Archive API id: 65c0a0ab-d675-4441-bd6b-d3db226a2685 -status: experimental +status: test description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804 references: - https://twitter.com/_0xf4n9x_/status/1572052954538192901 diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml index 0b02f74d85f..efd7cf86a46 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml @@ -1,6 +1,6 @@ title: Suspicious Sysmon as Execution Parent id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3 -status: experimental +status: test description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120) references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120 diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml index d7bb5eb9e66..9c1ef9ed6b1 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml 
@@ -1,6 +1,6 @@ title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877 id: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1 -status: experimental +status: test description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877 references: - https://seclists.org/fulldisclosure/2023/Jan/1 diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml index a7180e1b320..649685829f5 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml @@ -1,6 +1,6 @@ title: Potential CVE-2022-46169 Exploitation Attempt id: 738cb115-881f-4df3-82cc-56ab02fc5192 -status: experimental +status: test description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169 references: - https://github.com/0xf4n9x/CVE-2022-46169 diff --git a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml index bc6d0776ff9..9b05e9bf3a9 100644 --- a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml +++ b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_exploitation.yml @@ -1,6 +1,6 @@ title: Potential OWASSRF Exploitation Attempt - Webserver id: 181f49fa-0b21-4665-a98c-a57025ebb8c7 -status: experimental +status: test description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint references: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ 
diff --git a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml index 3377316b7a0..af04159771c 100644 --- a/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml +++ b/rules-emerging-threats/2022/Exploits/OWASSRF-Exploit/web_exchange_owassrf_poc_exploitation.yml @@ -1,6 +1,6 @@ title: OWASSRF Exploitation Attempt Using Public POC - Webserver id: 92d78c63-5a5c-4c40-9b60-463810ffb082 -status: experimental +status: test description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint references: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ diff --git a/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml b/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml index 487eed77406..e4c1f2d2600 100644 --- a/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml +++ b/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml @@ -1,6 +1,6 @@ title: BlueSky Ransomware Artefacts id: eee8311f-a752-44f0-bf2f-6b007db16300 -status: experimental +status: test description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt. references: - https://unit42.paloaltonetworks.com/bluesky-ransomware/ 
diff --git a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml index 76b8049a9a4..e8800536468 100644 --- a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml +++ b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml @@ -1,6 +1,6 @@ title: Potential Raspberry Robin Dot Ending File id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a -status: experimental +status: test description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin author: Nasreddine Bencherchali (Nextron Systems) references: diff --git a/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml b/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml index 1bcdafd0738..da5e708848a 100644 --- a/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml +++ b/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml @@ -1,6 +1,6 @@ title: MERCURY APT Activity id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d -status: experimental +status: test description: Detects suspicious command line patterns seen being used by MERCURY APT references: - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml index 751e476b51d..e5b801bc986 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml @@ -1,6 +1,6 @@ title: Exploitation Indicators Of CVE-2023-20198 id: 2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b -status: experimental +status: test description: Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI. references: - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml index 634bb0c9fc1..cc8c4871a88 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-2283 Exploitation id: 8b244735-5833-4517-a45b-28d8c63924c0 -status: experimental +status: test description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation. references: - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml index 042932982e6..0fa291b5da9 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml @@ -1,6 +1,6 @@ title: Outlook Task/Note Reminder Received id: fc06e655-d98c-412f-ac76-05c2698b1cb2 -status: experimental +status: test description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation. references: - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml index 751644b8814..339cf4adaa4 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml @@ -1,6 +1,6 @@ title: CVE-2023-23397 Exploitation Attempt id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c -status: experimental +status: test description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation. author: Robert Lee @quantum_cookie date: 2023/03/16 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml index 05364218155..bfdec81c434 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-23397 Exploitation Attempt - SMB id: de96b824-02b0-4241-9356-7e9b47f04bac -status: experimental +status: test description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397. references: - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml index 9709ad6a344..013f7bf3384 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-23752 Exploitation Attempt id: 0e1ebc5a-15d0-4bf6-8199-b2535397433a -status: experimental +status: test description: Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla references: - https://xz.aliyun.com/t/12175 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml index f22ec5abff6..f925b9797df 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-25157 Exploitation Attempt id: c0341543-5ed0-4475-aabc-7eea8c52aa66 -status: experimental +status: test description: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer references: - https://github.com/win3zz/CVE-2023-25157 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml index 9b36d3f1c1b..511b3e0cdbf 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-25717 Exploitation Attempt id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe -status: experimental +status: test description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin references: - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml index 730fecf86da..bf8862a9483 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84 -status: experimental +status: test description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation. references: - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml index f542f55bdf8..2aea39b1520 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-27997 Exploitation Indicators id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550 -status: experimental +status: test description: | Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml index 0ce87ec1107..d4a4760be1d 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml 
@@ -1,6 +1,6 @@ title: Potential MOVEit Transfer CVE-2023-34362 Exploitation id: c3b2a774-3152-4989-83c1-7afc48fd1599 -status: experimental +status: test description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362. references: - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml index 6032d2de3f1..b445db95cee 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml @@ -1,6 +1,6 @@ title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request id: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b -status: experimental +status: test description: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362 references: - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml index a4c2d5a6ac2..f965e14bb59 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location id: 92389a99-5215-43b0-a09f-e334453b2ed3 -status: experimental +status: test description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874. references: - https://github.com/Wh04m1001/CVE-2023-36874 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml index 74a0f7cc8d4..7af974357b3 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation id: ad0960eb-0015-4d16-be13-b3d9f18f1342 -status: experimental +status: test description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874. references: - https://github.com/Wh04m1001/CVE-2023-36874 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml index 1daaf827a1f..f1715309151 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution id: 50dbc08b-60ce-40f1-a6b6-346497e34c88 -status: experimental +status: test description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874 references: - https://github.com/Wh04m1001/CVE-2023-36874 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml index 0bbdda52467..34a52fafcb9 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-36884 Exploitation Dropped File id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38 -status: experimental +status: test description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml index 4987cd723c8..50d2ed37735 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-36884 Exploitation Pattern id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc -status: experimental +status: test description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml index 660ae5e9b25..302f27643e6 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml @@ -1,6 +1,6 @@ title: Potential CVE-2303-36884 URL Request Pattern Traffic id: d9365e39-febd-4a4b-8441-3ca91bb9d333 -status: experimental +status: test description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml index 97ff7e6efb8..17582b026ad 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-36884 Exploitation - File Downloads id: 6af1617f-c179-47e3-bd66-b28034a1052d -status: experimental +status: test description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml index 3d705dff8ba..a0423c78b6e 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-36884 Exploitation - URL Marker id: e59f71ff-c042-4f7a-8a82-8f53beea817e -status: experimental +status: test description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml index 98359f4d7c8..ba5cc73c9c1 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-36884 Exploitation - Share Access id: 3df95076-9e78-4e63-accb-16699c3b74f8 -status: experimental +status: test description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml index ec61e1c75d9..11f214495db 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml @@ -3,7 +3,7 @@ id: e4556676-fc5c-4e95-8c39-5ef27791541f related: - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 type: similar -status: experimental +status: test description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331 references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml index 8921fb994f5..675a40d7184 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml 
@@ -3,7 +3,7 @@ id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 related: - id: e4556676-fc5c-4e95-8c39-5ef27791541f type: similar -status: experimental +status: test description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries. references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml index 7cf5ccc31fb..dc4e8d698c5 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml @@ -1,6 +1,6 @@ title: CVE-2023-40477 Potential Exploitation - .REV File Creation id: c3bd6c55-d495-4c34-918e-e03e8828c074 -status: experimental +status: test description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash. references: - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml index a006293c034..753faf9dd2a 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml 
@@ -1,6 +1,6 @@ title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash id: e5a29b54-6fe7-4258-8a23-82960e31231a -status: experimental +status: test description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477 references: - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_cve_2023_43261_milesight_information_disclosure.yml index bcaa1f9ba7f..11cd435416f 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_cve_2023_43261_milesight_information_disclosure.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_cve_2023_43261_milesight_information_disclosure.yml @@ -3,7 +3,7 @@ id: f48f5368-355c-4a1b-8bf5-11c13d589eaa related: - id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7 type: similar -status: experimental +status: test description: | Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs. references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_cve_2023_43261_milesight_information_disclosure.yml index cc2996048fa..94e9032aa50 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_cve_2023_43261_milesight_information_disclosure.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_cve_2023_43261_milesight_information_disclosure.yml 
@@ -3,7 +3,7 @@ id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7 related: - id: f48f5368-355c-4a1b-8bf5-11c13d589eaa type: similar -status: experimental +status: test description: | Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs. references: diff --git a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml index 08fd3e661eb..2febe5e8b1a 100644 --- a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml +++ b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml @@ -1,6 +1,6 @@ title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d -status: experimental +status: test description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE) references: - https://github.com/SigmaHQ/sigma/pull/3946 diff --git a/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml b/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml index 0c3408e6609..43a2e2704ee 100644 --- a/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml +++ b/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml 
@@ -1,6 +1,6 @@ title: MSMQ Corrupted Packet Encountered id: ae94b10d-fee9-4767-82bb-439b309d5a27 -status: experimental +status: test description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation references: - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/ diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml index 0684adff58a..41b37aa3756 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml @@ -1,6 +1,6 @@ title: Potential COLDSTEEL RAT File Indicators id: c708a93f-46b4-4674-a5b8-54aa6219c5fa -status: experimental +status: test description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml index 095322bc188..f148f5f4254 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml 
@@ -1,6 +1,6 @@ title: Potential COLDSTEEL Persistence Service DLL Creation id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27 -status: experimental +status: test description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml index c61a57cb931..de1b29d530e 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml @@ -1,6 +1,6 @@ title: Potential COLDSTEEL Persistence Service DLL Load id: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5 -status: experimental +status: test description: | Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism references: diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml index 8512127ccb2..ced5e608d53 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml 
@@ -1,6 +1,6 @@ title: COLDSTEEL RAT Anonymous User Process Execution id: e01b6eb5-1eb4-4465-a165-85d40d874add -status: experimental +status: test description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml index 10f4bba171d..904cd08149e 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml @@ -1,6 +1,6 @@ title: COLDSTEEL RAT Cleanup Command Execution id: 88516f06-ebe0-47ad-858e-ae9fd060ddea -status: experimental +status: test description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml index be9c89b69f2..3f68e1c21b0 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml 
@@ -1,6 +1,6 @@ title: COLDSTEEL RAT Service Persistence Execution id: 9f9cd389-cea0-4142-bf1a-a3fd424abedd -status: experimental +status: test description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml index 06ea51ed82f..3a5ccd60164 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml @@ -1,6 +1,6 @@ title: Potential COLDSTEEL RAT Windows User Creation id: 95214813-4c7a-4a50-921b-ee5c538e1d16 -status: experimental +status: test description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml index 47840068341..049d6d2d8c9 100644 --- a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml +++ b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml 
@@ -1,6 +1,6 @@ title: DarkGate - Autoit3.EXE File Creation By Uncommon Process id: 1a433e1d-03d2-47a6-8063-ece992cf4e73 -status: experimental +status: test description: | Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs diff --git a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml index efe050924bf..1dd908667af 100644 --- a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml +++ b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml @@ -1,6 +1,6 @@ title: DarkGate - Autoit3.EXE Execution Parameters id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d -status: experimental +status: test description: | Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate diff --git a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml index 25677494056..5d6a1165422 100644 --- a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml +++ b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml 
@@ -1,6 +1,6 @@ title: DarkGate - User Created Via Net.EXE id: bf906d7b-7070-4642-8383-e404cf26eba5 -status: experimental +status: test description: Detects creation of local users via the net.exe command with the name of "DarkGate" references: - Internal Research diff --git a/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml b/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml index 03bad8008d7..5704ee15534 100644 --- a/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml +++ b/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml @@ -1,6 +1,6 @@ title: Griffon Malware Attack Pattern id: bcc6f179-11cd-4111-a9a6-0fab68515cf7 -status: experimental +status: test description: Detects process execution patterns related to Griffon malware as reported by Kaspersky references: - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ diff --git a/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml index afe5f7d8036..8e62c81b525 100644 --- a/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml +++ b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml @@ -1,6 +1,6 @@ title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 id: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5 -status: experimental +status: test description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID references: - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ 
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml index ae9419fbd1c..a2108191302 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml @@ -1,6 +1,6 @@ title: Qakbot Regsvr32 Calc Pattern id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9 -status: experimental +status: test description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot references: - https://github.com/pr0xylife/Qakbot/ diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml index 91b42fddbef..e5c57fe7b3e 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml @@ -1,6 +1,6 @@ title: Potential Qakbot Rundll32 Execution id: cf879ffb-793a-4753-9a14-bc8f37cc90df -status: experimental +status: test description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml index 964552aa403..24689638426 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml 
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml @@ -1,6 +1,6 @@ title: Qakbot Rundll32 Exports Execution id: 339ed3d6-5490-46d0-96a7-8abe33078f58 -status: experimental +status: test description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml index d545e79e49f..710a5c5b10c 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml @@ -1,6 +1,6 @@ title: Qakbot Rundll32 Fake DLL Extension Execution id: bfd34392-c591-4009-b938-9fd985a28b85 -status: experimental +status: test description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml index 53850ee2529..f5a066ee698 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml 
@@ -1,6 +1,6 @@ title: Qakbot Uninstaller Execution id: bc309b7a-3c29-4937-a4a3-e232473f9168 -status: experimental +status: test description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet references: - https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources diff --git a/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml b/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml index 93139d4792b..4ecc9b1098a 100644 --- a/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml +++ b/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml @@ -1,6 +1,6 @@ title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5 -status: experimental +status: test description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023 references: - https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 diff --git a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml index 24f24928799..a180ce93495 100644 --- a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml +++ b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml 
@@ -1,6 +1,6 @@ title: Rorschach Ransomware Execution Activity id: 0e9e6c63-1350-48c4-9fa1-7ccb235edc68 -status: experimental +status: test description: Detects Rorschach ransomware execution activity references: - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/ diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml index 081111fd9d4..d29e486f37f 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml @@ -1,6 +1,6 @@ title: SNAKE Malware Kernel Driver File Indicator id: d6d9d23f-69c1-41b5-8305-fa8250bd027f -status: experimental +status: test description: Detects SNAKE malware kernel driver file indicator references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml index 3f9600b7ec6..879097f9e42 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml @@ -1,6 +1,6 @@ title: SNAKE Malware Installer Name Indicators id: 99eccc2b-7182-442f-8806-b76cc36d866b -status: experimental +status: test description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF 
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml index 09c2d1c7204..1c4baed9fa0 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml @@ -1,6 +1,6 @@ title: SNAKE Malware WerFault Persistence File Creation id: 64827580-e4c3-4c64-97eb-c72325d45399 -status: experimental +status: test description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml index 542a864b2bf..1983488b525 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml @@ -1,6 +1,6 @@ title: Potential SNAKE Malware Installation CLI Arguments Indicator id: 02cbc035-b390-49fe-a9ff-3bb402c826db -status: experimental +status: test description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF 
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml index a4b89dffb0f..0d8c2309408 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml @@ -1,6 +1,6 @@ title: Potential SNAKE Malware Installation Binary Indicator id: d91ff53f-fd0c-419d-a6b8-ae038d5c3733 -status: experimental +status: test description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml index f9a6b6a5806..6041bf8a868 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml @@ -1,6 +1,6 @@ title: Potential SNAKE Malware Persistence Service Execution id: f7536642-4a08-4dd9-b6d5-c3286d8975ed -status: experimental +status: test description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA. references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF 
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml b/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml index 3b8b9ea18a7..ceb6ccb75d8 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml @@ -1,6 +1,6 @@ title: SNAKE Malware Covert Store Registry Key id: d0fa35db-0e92-400e-aa16-d32ae2521618 -status: experimental +status: test description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml b/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml index ed264fa43c7..6641eb5bcf3 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml @@ -1,6 +1,6 @@ title: Potential Encrypted Registry Blob Related To SNAKE Malware id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b -status: experimental +status: test description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml b/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml index 5aa9f3bed0e..c6788a232ba 100644 
--- a/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml @@ -1,6 +1,6 @@ title: SNAKE Malware Service Persistence id: b2e60816-96b2-45bd-ba91-b63578c03ef6 -status: experimental +status: test description: Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml index 1a6e420192a..b9df2c515a4 100644 --- a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml +++ b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml @@ -1,6 +1,6 @@ title: Potential SocGholish Second Stage C2 DNS Query id: 70761fe8-6aa2-4f80-98c1-a57049c08e66 -status: experimental +status: test description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic references: - https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml index a83f11b4f09..c2f3cf3d95c 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml 
@@ -15,7 +15,7 @@ related: type: similar - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad type: similar -status: experimental +status: test description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml index 6f1f5d6b51d..bc018e9a87b 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml @@ -15,7 +15,7 @@ related: type: similar - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update type: similar -status: experimental +status: test description: Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp references: - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml index 5aff60374cd..bc4c7360b09 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml 
@@ -15,7 +15,7 @@ related: type: similar - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad type: similar -status: experimental +status: test description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml index a0fda2d7f26..6c87274d4f7 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml @@ -15,7 +15,7 @@ related: type: similar - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad type: similar -status: experimental +status: test description: Detects execution of known compromised version of 3CXDesktopApp references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml index e5efa9b6a68..30679a9b6eb 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml 
@@ -15,7 +15,7 @@ related: type: similar - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad type: similar -status: experimental +status: test description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml index 5f27a12967b..ea8e3ef0151 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml @@ -15,7 +15,7 @@ related: type: similar - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad type: similar -status: experimental +status: test description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software references: - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/ diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml index ea73ef90157..4e915b81f18 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml 
@@ -15,7 +15,7 @@ related: type: similar - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad type: similar -status: experimental +status: test description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml index 7d2cd5e0e19..08f6fa5a93d 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml @@ -15,7 +15,7 @@ related: type: similar - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad type: similar -status: experimental +status: test description: Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository references: - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml index dd8eea66367..1ab52caacd4 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml 
@@ -1,6 +1,6 @@ title: Diamond Sleet APT DNS Communication Indicators id: fba38e0f-4607-4344-bb8f-a4b50cdeef7f -status: experimental +status: test description: Detects DNS queries related to Diamond Sleet APT activity references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml index 6c3bc997cc8..0c6a56ba98a 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml @@ -1,6 +1,6 @@ title: Diamond Sleet APT File Creation Indicators id: e1212b32-55ff-4dfb-a595-62b572248056 -status: experimental +status: test description: Detects file creation activity that is related to Diamond Sleet APT activity references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml index feed15f302b..60c4cc2e28a 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml 
@@ -1,6 +1,6 @@ title: Diamond Sleet APT DLL Sideloading Indicators id: d1b65d98-37d7-4ff6-b139-2d87c1af3042 -status: experimental +status: test description: Detects DLL sideloading activity seen used by Diamond Sleet APT references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml index c1bbf8fb41f..e5dc3e15fa2 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml @@ -1,6 +1,6 @@ title: Diamond Sleet APT Process Activity Indicators id: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2 -status: experimental +status: test description: Detects process creation activity indicators related to Diamond Sleet APT references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml index 583e61a8a76..f40857af771 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml 
@@ -1,6 +1,6 @@ title: Diamond Sleet APT Scheduled Task Creation - Registry id: 9f9f92ba-5300-43a4-b435-87d1ee571688 -status: experimental +status: test description: | Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability references: diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml index 7f9df765bd0..2a3ac1d5197 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml @@ -1,6 +1,6 @@ title: Diamond Sleet APT Scheduled Task Creation id: 3b8e5084-4de9-449a-a40d-0e11014f2e2d -status: experimental +status: test description: | Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability references: diff --git a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml index 913d4f9f53a..5e7a8cc1c4c 100644 --- a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml +++ b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml @@ -3,7 +3,7 @@ id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 related: - id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2 type: similar -status: experimental +status: test description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB references: - https://securelist.com/operation-triangulation/109842/ 
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml index da3dfcd3570..be5f12946ba 100644 --- a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml +++ b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml @@ -3,7 +3,7 @@ id: aa03c712-75c6-438b-8d42-de88f2427e09 related: - id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 # DNS C2 type: similar -status: experimental +status: test description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB references: - https://securelist.com/operation-triangulation/109842/ diff --git a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml index e130d292fb6..d266dc0d626 100644 --- a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml +++ b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml @@ -1,6 +1,6 @@ title: Potential APT FIN7 Related PowerShell Script Created id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128 -status: experimental +status: test description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml index 8a5118dfaf8..36f7cdaca5a 100644 
--- a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml +++ b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml @@ -1,6 +1,6 @@ title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e -status: experimental +status: test description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml index 680ed7a9330..8ddc6ccf918 100644 --- a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml +++ b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml @@ -1,6 +1,6 @@ title: Lazarus APT DLL Sideloading Activity id: 24007168-a26b-4049-90d0-ce138e13a5cf -status: experimental +status: test description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company references: - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ diff --git a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml index 4d4c002d16f..a988bf3c413 100644 --- a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml +++ b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml 
@@ -1,6 +1,6 @@ title: Potential APT Mustang Panda Activity Against Australian Gov id: 7806bb49-f653-48d3-a915-5115c1a85234 -status: experimental +status: test description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52 references: - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ diff --git a/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml b/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml index b7fa0d1b57e..4195c6156b7 100644 --- a/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml +++ b/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml @@ -1,6 +1,6 @@ title: Okta 2023 Breach Indicator Of Compromise id: 00a8e92a-776b-425f-80f2-82d8f8fab2e5 -status: experimental +status: test description: | Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate username used in your environnement. diff --git a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml index 078b4e92ba2..c40f39d2b34 100644 --- a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml +++ b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml 
@@ -1,6 +1,6 @@ title: Onyx Sleet APT File Creation Indicators id: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b -status: experimental +status: test description: Detects file creation activity that is related to Onyx Sleet APT activity references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml index f8e96747daf..d9679eec399 100644 --- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml +++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml @@ -1,6 +1,6 @@ title: UNC4841 - Email Exfiltration File Pattern id: 0785f462-60b0-4031-9ff4-b4f3a0ba589a -status: experimental +status: test description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml index 04d1cd61a95..03a3fc7e7b7 100644 --- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml +++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml 
@@ -1,6 +1,6 @@ title: UNC4841 - Barracuda ESG Exploitation Indicators id: 5627c337-a9b2-407a-a82d-5fd97035ff39 -status: experimental +status: test description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation. references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml index 7079ee0b22c..8d310102575 100644 --- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml +++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml @@ -1,6 +1,6 @@ title: UNC4841 - SSL Certificate Exfiltration Via Openssl id: 60911c07-f989-4362-84af-c609828ef829 -status: experimental +status: test description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command. references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml index 1bf081ed8e0..797ffe90f9a 100644 --- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml 
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml @@ -1,6 +1,6 @@ title: UNC4841 - Download Compressed Files From Temp.sh Using Wget id: 60d050c4-e253-4d9a-b673-5ac100cfddfb -status: experimental +status: test description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation. references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml index 3f5d5e8d82e..d66d14c1ef7 100644 --- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml +++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml @@ -1,6 +1,6 @@ title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget id: 23835beb-ec38-4e74-a5d4-b99af6684e91 -status: experimental +status: test description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation. references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml index a9dbb5d263d..26a0081f9f5 100644 
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml +++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml @@ -1,6 +1,6 @@ title: UNC4841 - Potential SEASPY Execution id: f6a711f3-d032-4f9e-890b-bbe776236c84 -status: experimental +status: test description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally diff --git a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml index 317ef0b71ff..7d557a63ad7 100644 --- a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml +++ b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml @@ -1,6 +1,6 @@ title: Potential Zerologon (CVE-2020-1472) Exploitation id: dd7876d8-0f09-11eb-adc1-0242ac120002 -status: experimental +status: test description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472) references: - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 diff --git a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml index 6d9abac3eb8..26bbc586f2c 100644 --- a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml +++ b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml 
@@ -1,6 +1,6 @@ title: Userdomain Variable Enumeration id: 43311e65-84d8-42a5-b3d4-c94d9b67038f -status: experimental +status: test description: Detects suspicious enumeration of the domain the user is associated with. references: - https://www.arxiv-vanity.com/papers/2008.04676/ diff --git a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml index 9f11571c9d3..d4fabe7f054 100644 --- a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml +++ b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml @@ -1,6 +1,6 @@ title: Mail Forwarding/Redirecting Activity In O365 id: c726e007-2cd0-4a55-abfb-79730fbedee5 -status: experimental +status: test description: Detects email forwarding or redirecting acitivty in O365 Audit logs. references: - https://redcanary.com/blog/email-forwarding-rules/ diff --git a/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml b/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml index 66a7163e071..8287fbe0353 100644 --- a/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml +++ b/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml @@ -1,6 +1,6 @@ title: Okta Password Health Report Query id: 0d58814b-1660-4d31-8c93-d1086ed24cba -status: experimental +status: test description: | Detects all activities against the endpoint "/reports/password-health/*" which should only be accessed via OKTA Admin Console UI. Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" login and alert on requests without any corresponding admin console login 
diff --git a/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml b/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml index d20897dc3b5..b2a1b53419f 100644 --- a/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml +++ b/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml @@ -3,7 +3,7 @@ id: 7eac0a16-5832-4e81-865f-0268a6d19e4b related: - id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae type: similar -status: experimental +status: test description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. references: - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/ diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml index a48ca7ab03e..8e2bc896e90 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml @@ -1,6 +1,6 @@ title: Creation of an Executable by an Executable id: 297afac9-5d02-4138-8c58-b977bac60556 -status: experimental +status: test description: Detects the creation of an executable by another executable references: - Malware Sandbox diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml index b535650171c..967e8b61604 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml 
@@ -1,6 +1,6 @@ title: VsCode Code Tunnel Execution File Indicator id: 9661ec9d-4439-4a7a-abed-d9be4ca43b6d -status: experimental +status: test description: | Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel references: diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml index 0d5fe0d9f6b..a5435dd6649 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml @@ -1,6 +1,6 @@ title: WebDAV Temporary Local File Creation id: 4c55738d-72d8-490e-a2db-7969654e375f -status: experimental +status: test description: Detects the creation of WebDAV temporary files with potentially suspicious extensions references: - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html diff --git a/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml b/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml index 1272d93aeb8..aeb45f6b292 100644 --- a/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml +++ b/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml @@ -1,6 +1,6 @@ title: Microsoft Excel Add-In Loaded id: c5f4b5cb-4c25-4249-ba91-aa03626e3185 -status: experimental +status: test description: Detects Microsoft Excel loading an Add-In (.xll) file references: - https://www.mandiant.com/resources/blog/lnk-between-browsers 
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_suspicious_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_suspicious_ip.yml index 6c46d2ac710..ba3fc34acb2 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_suspicious_ip.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_suspicious_ip.yml @@ -1,6 +1,6 @@ title: Dfsvc.EXE Network Connection To Non-Local IPs id: 3c21219b-49b5-4268-bce6-c914ed50f09c -status: experimental +status: test description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml index 50b32bc54cb..26f140e6631 100644 --- a/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml +++ b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml @@ -1,6 +1,6 @@ title: Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet id: ea207a23-b441-4a17-9f76-ad5be47d51d3 -status: experimental +status: test description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host. references: - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml index 2ef3a4d9bfe..3ee22df0d29 100644 
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml @@ -1,6 +1,6 @@ title: Windows Mail App Mailbox Access Via PowerShell Script id: 4e485d01-e18a-43f6-a46b-ef20496fa9d3 -status: experimental +status: test description: Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails. references: - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml index f38fd704ccd..ffb78320303 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml @@ -3,7 +3,7 @@ id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae related: - id: 2238d337-42fb-4971-9a68-63570f2aede4 type: similar -status: experimental +status: test description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml index 3369c27b556..e1c0d42dc99 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml 
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml @@ -3,7 +3,7 @@ id: 064060aa-09fb-4636-817f-020a32aa7e9e related: - id: 970007b7-ce32-49d0-a4a4-fbef016950bd type: similar -status: experimental +status: test description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml index 279a17a36f0..0c77e186ae1 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml @@ -7,7 +7,7 @@ related: type: similar - id: 9f22ccd5-a435-453b-af96-bf99cbb594d4 type: similar -status: experimental +status: test description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml index ad78be0485e..1cda9898eff 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml 
@@ -7,7 +7,7 @@ related: type: similar - id: 19d65a1c-8540-4140-8062-8eb00db0bba5 type: similar -status: experimental +status: test description: Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml index 3bd43b9913a..bfcd0d25495 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml @@ -3,7 +3,7 @@ id: acf2807c-805b-4042-aab9-f86b6ba9cb2b related: - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 type: derived -status: experimental +status: test description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. references: - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/ diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml index 330497255eb..ae6d38c1586 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml @@ -5,7 +5,7 @@ related: type: derived - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution type: derived -status: experimental +status: test description: Detects file download using curl.exe references: - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml index 4eb3db3c8bd..c9a79e1f3fd 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml @@ -1,6 +1,6 @@ title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process id: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c -status: experimental +status: test description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml index 9a57c9125d6..186d9e0e20e 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml @@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml index 6f0b30e3ff8..ad3536933bd 100644 
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml @@ -1,6 +1,6 @@ title: Potential Password Reconnaissance Via Findstr.EXE id: 1a0f6f16-2099-4753-9a02-43b6ac7a1fa5 -status: experimental +status: test description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages references: - https://steflan-security.com/windows-privilege-escalation-credential-harvesting/ diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml index 1ebb8ae2737..3dc27858d88 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml @@ -3,7 +3,7 @@ id: 2238d337-42fb-4971-9a68-63570f2aede4 related: - id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae type: similar -status: experimental +status: test description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments. references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml index 299dec08e99..f20e51ddffc 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml 
@@ -1,6 +1,6 @@ title: Import New Module Via PowerShell CommandLine id: 4ad74d01-f48c-42d0-b88c-b31efa4d2262 -status: experimental +status: test description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3 diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml index 12abe2b93db..4e580f4a071 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml @@ -3,7 +3,7 @@ id: ce2c44b5-a6ac-412a-afba-9e89326fa972 related: - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e type: similar -status: experimental +status: test description: | Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location. When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'. diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml index 556d1bf323b..262e1cd3cd7 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml 
@@ -3,7 +3,7 @@ id: d81a9fc6-55db-4461-b962-0e78fea5b0ad related: - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed rundll32 type: similar -status: experimental +status: test description: | Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path. references: diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml index ef94d449692..e4f724dd347 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml @@ -1,6 +1,6 @@ title: Process Terminated Via Taskkill id: 86085955-ea48-42a2-9dd3-85d4c36b167d -status: experimental +status: test description: | Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server. diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml index 98097b8beb8..aae279cb70e 100644 --- a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml +++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml 
@@ -3,7 +3,7 @@ id: a0bed973-45fa-4625-adb5-6ecdf9be70ac related: - id: f742bde7-9528-42e5-bd82-84f51a8387d2 type: similar -status: experimental +status: test description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions. references: - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01 diff --git a/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml index cbe9ce0dc5b..7a2cc3b397e 100644 --- a/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml +++ b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml @@ -1,6 +1,6 @@ title: Potential JNDI Injection Exploitation In JVM Based Application id: bb0e9cec-d4da-46f5-997f-22efc59f3dca -status: experimental +status: test description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation. references: - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs diff --git a/rules/application/jvm/java_local_file_read.yml b/rules/application/jvm/java_local_file_read.yml index ce63649eb17..c271a0fe2a2 100644 --- a/rules/application/jvm/java_local_file_read.yml +++ b/rules/application/jvm/java_local_file_read.yml @@ -1,6 +1,6 @@ title: Potential Local File Read Vulnerability In JVM Based Application id: e032f5bc-4563-4096-ae3b-064bab588685 -status: experimental +status: test description: | Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag. diff --git a/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml index fa109bcf23f..9154fb000da 100644 
--- a/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml +++ b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml @@ -1,6 +1,6 @@ title: Potential OGNL Injection Exploitation In JVM Based Application id: 4d0af518-828e-4a04-a751-a7d03f3046ad -status: experimental +status: test description: | Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. diff --git a/rules/application/jvm/java_rce_exploitation_attempt.yml b/rules/application/jvm/java_rce_exploitation_attempt.yml index c350a2e7030..3d122585c71 100644 --- a/rules/application/jvm/java_rce_exploitation_attempt.yml +++ b/rules/application/jvm/java_rce_exploitation_attempt.yml @@ -1,6 +1,6 @@ title: Process Execution Error In JVM Based Application id: d65f37da-a26a-48f8-8159-3dde96680ad2 -status: experimental +status: test description: Detects process execution related exceptions in JVM based apps, often relates to RCE references: - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs diff --git a/rules/application/jvm/java_xxe_exploitation_attempt.yml b/rules/application/jvm/java_xxe_exploitation_attempt.yml index 8e294073746..95689d5aa3e 100644 --- a/rules/application/jvm/java_xxe_exploitation_attempt.yml +++ b/rules/application/jvm/java_xxe_exploitation_attempt.yml @@ -1,6 +1,6 @@ title: Potential XXE Exploitation Attempt In JVM Based Application id: c4e06896-e27c-4583-95ac-91ce2279345d -status: experimental +status: test description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely. references: - https://rules.sonarsource.com/java/RSPEC-2755 diff --git a/rules/application/ldap_firewall/ldap_firewall_bloodhound.yml b/rules/application/ldap_firewall/ldap_firewall_bloodhound.yml index 57f15a82c1b..d65633614b3 100644 
--- a/rules/application/ldap_firewall/ldap_firewall_bloodhound.yml +++ b/rules/application/ldap_firewall/ldap_firewall_bloodhound.yml @@ -1,6 +1,6 @@ title: BloodHound Collector id: 43f5e083-333c-494a-964c-6f80478a89e9 -status: experimental +status: test description: Detects BloodHound data collection references: - https://bloodhound.readthedocs.io/en/latest/index.html diff --git a/rules/application/ldap_firewall/ldap_firewall_laps.yml b/rules/application/ldap_firewall/ldap_firewall_laps.yml index e83be1fa543..25d1d85a1a2 100644 --- a/rules/application/ldap_firewall/ldap_firewall_laps.yml +++ b/rules/application/ldap_firewall/ldap_firewall_laps.yml @@ -1,6 +1,6 @@ title: LAPS Password Harvesting id: 144cad53-25b8-43f1-8ec8-a0ef42335476 -status: experimental +status: test description: Detects attempts to access LAPS computer passwords references: - https://github.com/zeronetworks/ldapfw diff --git a/rules/application/ldap_firewall/ldap_firewall_name_impersonation.yml b/rules/application/ldap_firewall/ldap_firewall_name_impersonation.yml index 74c2586c2af..a4c68b706cd 100644 --- a/rules/application/ldap_firewall/ldap_firewall_name_impersonation.yml +++ b/rules/application/ldap_firewall/ldap_firewall_name_impersonation.yml @@ -1,6 +1,6 @@ title: Computer Name Impersonation id: db821bd8-4f82-436b-841a-c6999a7da671 -status: experimental +status: test description: Detects LDAP Add operations of computer accounts without a trailing '$', which could indicate Name Impersonation for sAMAccountName spoofing references: - https://www.thehacker.recipes/a-d/movement/kerberos/samaccountname-spoofing diff --git a/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml index a5426932c76..95f812860ac 100644 --- a/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml +++ b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml 
@@ -1,6 +1,6 @@ title: Potential RCE Exploitation Attempt In NodeJS id: 97661d9d-2beb-4630-b423-68985291a8af -status: experimental +status: test description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability. references: - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs diff --git a/rules/application/spring/spring_spel_injection.yml b/rules/application/spring/spring_spel_injection.yml index 6176cb5176a..4f021ab7e40 100644 --- a/rules/application/spring/spring_spel_injection.yml +++ b/rules/application/spring/spring_spel_injection.yml @@ -1,6 +1,6 @@ title: Potential SpEL Injection In Spring Framework id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8 -status: experimental +status: test description: Detects potential SpEL Injection exploitation, which may lead to RCE. references: - https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection diff --git a/rules/application/velocity/velocity_ssti_injection.yml b/rules/application/velocity/velocity_ssti_injection.yml index 70373fb24a0..b8dbea1c7b8 100644 --- a/rules/application/velocity/velocity_ssti_injection.yml +++ b/rules/application/velocity/velocity_ssti_injection.yml @@ -1,6 +1,6 @@ title: Potential Server Side Template Injection In Velocity id: 16c86189-b556-4ee8-b4c7-7e350a195a4f -status: experimental +status: test description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE. references: - https://antgarsil.github.io/posts/velocity/ diff --git a/rules/category/database/db_anomalous_query.yml b/rules/category/database/db_anomalous_query.yml index 3b0ef70270b..2810e8541a4 100644 --- a/rules/category/database/db_anomalous_query.yml +++ b/rules/category/database/db_anomalous_query.yml 
@@ -1,6 +1,6 @@ title: Suspicious SQL Query id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5 -status: experimental +status: test description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields author: '@juju4' date: 2022/12/27 diff --git a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml index fc4f7caf4b9..c52d5975b10 100644 --- a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml +++ b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml @@ -1,6 +1,6 @@ title: SES Identity Has Been Deleted id: 20f754db-d025-4a8f-9d74-e0037e999a9a -status: experimental +status: test description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities references: - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ diff --git a/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml index e3694277be0..2843e7a6bdc 100644 --- a/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml +++ b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml @@ -1,6 +1,6 @@ title: AWS S3 Bucket Versioning Disable id: a136ac98-b2bc-4189-a14d-f0d0388e57a7 -status: experimental +status: test description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects. references: - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 diff --git a/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml b/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml index 257b7f62661..09eac93acd0 100644 --- a/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml 
+++ b/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml @@ -1,6 +1,6 @@ title: AWS ECS Task Definition That Queries The Credential Endpoint id: b94bf91e-c2bf-4047-9c43-c6810f43baad -status: experimental +status: test description: | Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges. diff --git a/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml b/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml index ae7f84a06a9..9b14c04d348 100644 --- a/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml +++ b/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml @@ -3,7 +3,7 @@ id: f305fd62-beca-47da-ad95-7690a0620084 related: - id: 4723218f-2048-41f6-bcb0-417f2d784f61 type: similar -status: experimental +status: test description: Looks for potential enumeration of AWS buckets via ListBuckets. references: - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml index 6755f3547a7..d21df2190e4 100644 --- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml +++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml @@ -1,6 +1,6 @@ title: AWS IAM S3Browser LoginProfile Creation id: db014773-b1d3-46bd-ba26-133337c0ffee -status: experimental +status: test description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile. references: - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor 
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml index 3f38039a203..abb9586eabe 100644 --- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml +++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml @@ -1,6 +1,6 @@ title: AWS IAM S3Browser Templated S3 Bucket Policy Creation id: db014773-7375-4f4e-b83b-133337c0ffee -status: experimental +status: test description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "". references: - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml index e4e9323a4d3..1fd5582964c 100644 --- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml +++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml @@ -1,6 +1,6 @@ title: AWS IAM S3Browser User or AccessKey Creation id: db014773-d9d9-4792-91e5-133337c0ffee -status: experimental +status: test description: Detects S3 Browser utility creating IAM User or AccessKey. references: - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor diff --git a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml index b299af75d82..b9963f627b8 100644 --- a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml +++ b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml 
@@ -1,6 +1,6 @@ title: AWS Identity Center Identity Provider Change id: d3adb3ef-b7e7-4003-9092-1924c797db35 -status: experimental +status: test description: | Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation. diff --git a/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml b/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml index b235c2eced0..18ad0b8b341 100644 --- a/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml +++ b/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml @@ -3,7 +3,7 @@ id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f related: - id: ba2a7c80-027b-460f-92e2-57d113897dbc type: obsoletes -status: experimental +status: test description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml index 7e28e03371a..2b0bd1316ee 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml @@ -1,6 +1,6 @@ title: Anomalous Token id: 6555754e-5e7f-4a67-ad1c-4041c413a007 -status: experimental +status: test description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token 
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml index 2ca44a9efd7..f083499b8b1 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml @@ -1,6 +1,6 @@ title: Anomalous User Activity id: 258b6593-215d-4a26-a141-c8e31c1299a6 -status: experimental +status: test description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml index 28dc4530378..b2a370d87c3 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml @@ -1,6 +1,6 @@ title: Activity From Anonymous IP Address id: be4d9c86-d702-4030-b52e-c7859110e5e8 -status: experimental +status: test description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml index cecd0cb48aa..5d6097fd6ac 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml 
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml @@ -1,6 +1,6 @@ title: Anonymous IP Address id: 53acd925-2003-440d-a1f3-71a5253fe237 -status: experimental +status: test description: Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN. references: - https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0 diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml index 3c5738586d1..493635128a2 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml @@ -1,6 +1,6 @@ title: Atypical Travel id: 1a41023f-1e70-4026-921a-4d9341a9038e -status: experimental +status: test description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml index 23899ccdb56..4f9cce10803 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml 
@@ -1,6 +1,6 @@ title: Impossible Travel id: b2572bf9-e20a-4594-b528-40bde666525a -status: experimental +status: test description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml index 565003619aa..ef61496dbcb 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml @@ -1,6 +1,6 @@ title: Suspicious Inbox Forwarding Identity Protection id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d -status: experimental +status: test description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml index 5bc55b6679f..08b7cd01f1e 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml 
@@ -1,6 +1,6 @@ title: Suspicious Inbox Manipulation Rules id: ceb55fd0-726e-4656-bf4e-b585b7f7d572 -status: experimental +status: test description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml index 17c116f1d9c..2ad40720216 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml @@ -1,6 +1,6 @@ title: Azure AD Account Credential Leaked id: 19128e5e-4743-48dc-bd97-52e5775af817 -status: experimental +status: test description: Indicates that the user's valid credentials have been leaked. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml index 11b94259231..7dfa03d55fc 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml @@ -1,6 +1,6 @@ title: Malicious IP Address Sign-In Failure Rate id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd -status: experimental +status: test description: Indicates sign-in from a malicious IP address based on high failure rates. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address 
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml index 961202f937c..03752a91cf8 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml @@ -1,6 +1,6 @@ title: Malicious IP Address Sign-In Suspicious id: 36440e1c-5c22-467a-889b-593e66498472 -status: experimental +status: test description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml index 7ed25642163..8b2e301b4b0 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml @@ -1,6 +1,6 @@ title: Sign-In From Malware Infected IP id: 821b4dc3-1295-41e7-b157-39ab212dd6bd -status: experimental +status: test description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml index 791d237e8d5..3563ce2b96a 100644 
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml @@ -1,6 +1,6 @@ title: New Country id: adf9f4d2-559e-4f5c-95be-c28dff0b1476 -status: experimental +status: test description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml index a477ec6c32f..50f1ab346d9 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml @@ -1,6 +1,6 @@ title: Password Spray Activity id: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9 -status: experimental +status: test description: Indicates that a password spray attack has been successfully performed. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml index c2c1dbdb79b..0bc727be8f8 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml 
@@ -1,6 +1,6 @@ title: Primary Refresh Token Access Attempt id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1 -status: experimental +status: test description: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml index 1d39a814acb..66ee1881919 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml @@ -1,6 +1,6 @@ title: Suspicious Browser Activity id: 944f6adb-7a99-4c69-80c1-b712579e93e6 -status: experimental +status: test description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml index c094c31382a..c860e3662b9 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml 
@@ -1,6 +1,6 @@ title: Azure AD Threat Intelligence id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba -status: experimental +status: test description: Indicates user activity that is unusual for the user or consistent with known attack patterns. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml index 38ca23aabd1..3d1a71ead33 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml @@ -1,6 +1,6 @@ title: SAML Token Issuer Anomaly id: e3393cba-31f0-4207-831e-aef90ab17a8c -status: experimental +status: test description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml index d9dbd1c9c4d..654579875b6 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml 
@@ -1,6 +1,6 @@ title: Unfamiliar Sign-In Properties id: 128faeef-79dd-44ca-b43c-a9e236a60f49 -status: experimental +status: test description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml index f544b80e639..2bcec687422 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml @@ -1,6 +1,6 @@ title: Stale Accounts In A Privileged Role id: e402c26a-267a-45bd-9615-bd9ceda6da85 -status: experimental +status: test description: Identifies when an account hasn't signed in during the past n number of days. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml index 240624f6e85..b0c278eddce 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml 
@@ -1,6 +1,6 @@ title: Invalid PIM License id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8 -status: experimental +status: test description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml index c36f8d16f0e..fa07f36f4f9 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml @@ -1,6 +1,6 @@ title: Roles Assigned Outside PIM id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb -status: experimental +status: test description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml index 279cae7f010..57c61581f4b 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml 
@@ -1,6 +1,6 @@ title: Roles Activated Too Frequently id: 645fd80d-6c07-435b-9e06-7bc1b5656cba -status: experimental +status: test description: Identifies when the same privilege role has multiple activations by the same user. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml index 3a02084021a..3dda29cdb57 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml @@ -1,6 +1,6 @@ title: Roles Activation Doesn't Require MFA id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0 -status: experimental +status: test description: Identifies when a privilege role can be activated without performing mfa. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml index cc1cd00d11d..a01d60c8c3d 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml 
@@ -1,6 +1,6 @@ title: Roles Are Not Being Used id: 8c6ec464-4ae4-43ac-936a-291da66ed13d -status: experimental +status: test description: Identifies when a user has been assigned a privilege role and are not using that role. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml index dd24c9ab20f..d0c571cf7f0 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml @@ -1,6 +1,6 @@ title: Too Many Global Admins id: 7bbc309f-e2b1-4eb1-8369-131a367d67d3 -status: experimental +status: test description: Identifies an event where there are there are too many accounts assigned the Global Administrator role. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators diff --git a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml index d8a495a7d16..dee8102defe 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml 
@@ -1,6 +1,6 @@ title: Suspicious SignIns From A Non Registered Device id: 572b12d4-9062-11ed-a1eb-0242ac120002 -status: experimental +status: test description: Detects risky authencaition from a non AD registered device without MFA being required. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in diff --git a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml index 7a663533d3b..f5bdb20e125 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml @@ -1,6 +1,6 @@ title: Potential MFA Bypass Using Legacy Client Authentication id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc -status: experimental +status: test description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack. references: - https://blooteem.com/march-2022 diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/cloud/github/github_delete_action_invoked.yml index 50fb5e72cba..e0d8f584782 100644 --- a/rules/cloud/github/github_delete_action_invoked.yml +++ b/rules/cloud/github/github_delete_action_invoked.yml @@ -1,6 +1,6 @@ title: Github Delete Action Invoked id: 16a71777-0b2e-4db7-9888-9d59cb75200b -status: experimental +status: test description: Detects delete action in the Github audit logs for codespaces, environment, project and repo. author: Muhammad Faisal date: 2023/01/19 diff --git a/rules/cloud/github/github_disable_high_risk_configuration.yml b/rules/cloud/github/github_disable_high_risk_configuration.yml index 02c00f418c1..fbe4fa23b3b 100644 --- a/rules/cloud/github/github_disable_high_risk_configuration.yml 
+++ b/rules/cloud/github/github_disable_high_risk_configuration.yml @@ -1,6 +1,6 @@ title: Github High Risk Configuration Disabled id: 8622c92d-c00e-463c-b09d-fd06166f6794 -status: experimental +status: test description: Detects when a user disables a critical security feature for an organization. author: Muhammad Faisal date: 2023/01/29 diff --git a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml index 02052af786d..5ad33bcf317 100644 --- a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml +++ b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml @@ -1,6 +1,6 @@ title: Outdated Dependency Or Vulnerability Alert Disabled id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d -status: experimental +status: test description: | Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories. diff --git a/rules/cloud/github/github_new_org_member.yml b/rules/cloud/github/github_new_org_member.yml index a23d3a98beb..505626f1d8c 100644 --- a/rules/cloud/github/github_new_org_member.yml +++ b/rules/cloud/github/github_new_org_member.yml @@ -1,6 +1,6 @@ title: New Github Organization Member Added id: 3908d64a-3c06-4091-b503-b3a94424533b -status: experimental +status: test description: Detects when a new member is added or invited to a github organization. author: Muhammad Faisal date: 2023/01/29 diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml index 96767ef8931..7daa5cc37be 100644 --- a/rules/cloud/github/github_new_secret_created.yml +++ b/rules/cloud/github/github_new_secret_created.yml 
@@ -1,6 +1,6 @@ title: Github New Secret Created id: f9405037-bc97-4eb7-baba-167dad399b83 -status: experimental +status: test description: Detects when a user creates action secret for the organization, environment, codespaces or repository. author: Muhammad Faisal date: 2023/01/20 diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml index fbd16b49e5c..6127829674f 100644 --- a/rules/cloud/github/github_outside_collaborator_detected.yml +++ b/rules/cloud/github/github_outside_collaborator_detected.yml @@ -1,6 +1,6 @@ title: Github Outside Collaborator Detected id: eaa9ac35-1730-441f-9587-25767bde99d7 -status: experimental +status: test description: | Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA. author: Muhammad Faisal diff --git a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml index 7dc420524d8..23f9b0cb41b 100644 --- a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml +++ b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml @@ -1,6 +1,6 @@ title: Github Self Hosted Runner Changes Detected id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd -status: experimental +status: test description: | A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, 
diff --git a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml index f1516794b19..f2c9c39d29e 100644 --- a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml +++ b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml @@ -1,6 +1,6 @@ title: Disabling Multi Factor Authentication id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876 -status: experimental +status: test description: Detects disabling of Multi Factor Authentication. references: - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/ diff --git a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml index 44c6a49161c..15a46cb76df 100644 --- a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml +++ b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml @@ -3,7 +3,7 @@ id: 58f88172-a73d-442b-94c9-95eaed3cbb36 related: - id: 42127bdd-9133-474f-a6f1-97b6c08a4339 type: similar -status: experimental +status: test description: Detects the addition of a new Federated Domain. references: - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/ diff --git a/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml b/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml index dd6a9957a21..ce45d2a7b5b 100644 --- a/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml +++ b/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml @@ -1,6 +1,6 @@ title: Okta Admin Functions Access Through Proxy id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309 -status: experimental +status: test description: Detects access to Okta admin functions through proxy. references: - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach diff --git a/rules/cloud/okta/okta_admin_role_assignment_created.yml b/rules/cloud/okta/okta_admin_role_assignment_created.yml index f8fa2039186..e16a60c69f6 100644 
--- a/rules/cloud/okta/okta_admin_role_assignment_created.yml +++ b/rules/cloud/okta/okta_admin_role_assignment_created.yml @@ -1,6 +1,6 @@ title: Okta Admin Role Assignment Created id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c -status: experimental +status: test description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/cloud/okta/okta_fastpass_phishing_detection.yml b/rules/cloud/okta/okta_fastpass_phishing_detection.yml index 0149ef7a3e0..1928185e8eb 100644 --- a/rules/cloud/okta/okta_fastpass_phishing_detection.yml +++ b/rules/cloud/okta/okta_fastpass_phishing_detection.yml @@ -1,6 +1,6 @@ title: Okta FastPass Phishing Detection id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e -status: experimental +status: test description: Detects when Okta FastPass prevents a known phishing site. references: - https://sec.okta.com/fastpassphishingdetection diff --git a/rules/cloud/okta/okta_identity_provider_created.yml b/rules/cloud/okta/okta_identity_provider_created.yml index c21a195a5f9..03bb1d9257e 100644 --- a/rules/cloud/okta/okta_identity_provider_created.yml +++ b/rules/cloud/okta/okta_identity_provider_created.yml @@ -1,6 +1,6 @@ title: Okta Identity Provider Created id: 969c7590-8c19-4797-8c1b-23155de6e7ac -status: experimental +status: test description: Detects when a new identity provider is created for Okta. references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/cloud/okta/okta_new_behaviours_admin_console.yml b/rules/cloud/okta/okta_new_behaviours_admin_console.yml index d980057dcad..43629f98e7a 100644 --- a/rules/cloud/okta/okta_new_behaviours_admin_console.yml +++ b/rules/cloud/okta/okta_new_behaviours_admin_console.yml 
@@ -1,6 +1,6 @@ title: Okta New Admin Console Behaviours id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9 -status: experimental +status: test description: Detects when Okta identifies new activity in the Admin Console. references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/cloud/okta/okta_password_in_alternateid_field.yml b/rules/cloud/okta/okta_password_in_alternateid_field.yml index 6328e5e3ea4..92ab6986e2b 100644 --- a/rules/cloud/okta/okta_password_in_alternateid_field.yml +++ b/rules/cloud/okta/okta_password_in_alternateid_field.yml @@ -1,6 +1,6 @@ title: Potential Okta Password in AlternateID Field id: 91b76b84-8589-47aa-9605-c837583b82a9 -status: experimental +status: test description: | Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files. diff --git a/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml b/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml index 6db72dea19c..75e09e6a91b 100644 --- a/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml +++ b/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml @@ -1,6 +1,6 @@ title: Okta Suspicious Activity Reported by End-user id: 07e97cc6-aed1-43ae-9081-b3470d2367f1 -status: experimental +status: test description: Detects when an Okta end-user reports activity by their account as being potentially suspicious. references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/cloud/okta/okta_user_created.yml b/rules/cloud/okta/okta_user_created.yml index 7f29524c2f2..de480baf109 100644 --- a/rules/cloud/okta/okta_user_created.yml +++ b/rules/cloud/okta/okta_user_created.yml @@ -1,6 +1,6 @@ title: New Okta User Created id: b6c718dd-8f53-4b9f-98d8-93fdca966969 -status: experimental +status: test description: Detects new user account creation author: Nasreddine Bencherchali (Nextron Systems) date: 2023/10/25 
diff --git a/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml b/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml index 8cf095fc7b5..37cb9e1045f 100644 --- a/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml +++ b/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml @@ -1,6 +1,6 @@ title: Okta User Session Start Via An Anonymising Proxy Service id: bde30855-5c53-4c18-ae90-1ff79ebc9578 -status: experimental +status: test description: Detects when an Okta user session starts where the user is behind an anonymising proxy service. references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml index 8e13c18dd8c..ea5f53b8d00 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml @@ -3,7 +3,7 @@ id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e related: - id: d08722cd-3d09-449a-80b4-83ea2d9d4616 type: similar -status: experimental +status: test description: Detects calls to hidden files or files located in hidden directories in NIX systems. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md diff --git a/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml b/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml index 9328341cce1..3a042511c1d 100644 --- a/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml +++ b/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml 
@@ -3,7 +3,7 @@ id: 323ff3f5-0013-4847-bbd4-250b5edb62cc related: - id: 53059bc0-1472-438b-956a-7508a94a91f0 type: similar -status: experimental +status: test description: | Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this. diff --git a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml index 67bbb29040c..5c76b3f5bdf 100644 --- a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml +++ b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml @@ -3,7 +3,7 @@ id: a94cdd87-6c54-4678-a6cc-2814ffe5a13d related: - id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9 type: obsoletes -status: experimental +status: test description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened. references: - https://objective-see.org/blog/blog_0x68.html diff --git a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml index a4f894a3c13..27829b53931 100644 --- a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml +++ b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml @@ -1,6 +1,6 @@ title: PwnKit Local Privilege Escalation id: 0506a799-698b-43b4-85a1-ac4c84c720e9 -status: experimental +status: test description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs references: - https://twitter.com/wdormann/status/1486161836961579020 diff --git a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml index 6b91e609630..91ef302ee22 100644 
--- a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml +++ b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml @@ -1,6 +1,6 @@ title: Nimbuspwn Exploitation id: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8 -status: experimental +status: test description: Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800) references: - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/ diff --git a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml index 5df2269909b..624efdca8ca 100644 --- a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml +++ b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml @@ -1,6 +1,6 @@ title: Potential Suspicious BPF Activity - Linux id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a -status: experimental +status: test description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system. references: - https://redcanary.com/blog/ebpf-malware/ diff --git a/rules/linux/builtin/lnx_susp_dev_tcp.yml b/rules/linux/builtin/lnx_susp_dev_tcp.yml index 32412662001..d8f68a34fc6 100644 --- a/rules/linux/builtin/lnx_susp_dev_tcp.yml +++ b/rules/linux/builtin/lnx_susp_dev_tcp.yml @@ -1,6 +1,6 @@ title: Suspicious Use of /dev/tcp id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c -status: experimental +status: test description: Detects suspicious command with /dev/tcp references: - https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/ diff --git a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml index 6788ea84437..1ba00ab8ec1 100644 --- a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml 
+++ b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml @@ -1,6 +1,6 @@ title: Persistence Via Sudoers Files id: ddb26b76-4447-4807-871f-1b035b2bfa5d -status: experimental +status: test description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user. references: - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh diff --git a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml index 533c0c4eddc..02764040e45 100644 --- a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml +++ b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Shell Script Creation in Profile Folder id: 13f08f54-e705-4498-91fd-cce9d9cee9f1 -status: experimental +status: test description: Detects the creation of shell scripts under the "profile.d" path. references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml index 66311708c1d..4c56cf49f65 100644 --- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml +++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml @@ -1,6 +1,6 @@ title: Triple Cross eBPF Rootkit Default LockFile id: c0239255-822c-4630-b7f1-35362bcb8f44 -status: experimental +status: test description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running. references: - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33 
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml index e07e3570690..81fc28ec889 100644 --- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml +++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml @@ -1,6 +1,6 @@ title: Triple Cross eBPF Rootkit Default Persistence id: 1a2ea919-d11d-4d1e-8535-06cda13be20f -status: experimental +status: test description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method references: - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh diff --git a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml index facf55864d2..14d61ef7f1a 100644 --- a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml +++ b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml @@ -1,6 +1,6 @@ title: Wget Creating Files in Tmp Directory id: 35a05c60-9012-49b6-a11f-6bab741c9f74 -status: experimental +status: test description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp" references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml index 02cd87e731c..c3ea5de42ad 100644 --- a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml 
@@ -1,6 +1,6 @@ title: Linux Base64 Encoded Pipe to Shell id: ba592c6d-6888-43c3-b8c6-689b8fe47337 -status: experimental +status: test description: Detects suspicious process command line that uses base64 encoded input for execution with a shell references: - https://github.com/arget13/DDexec diff --git a/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml b/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml index f91f893d610..5867934c307 100644 --- a/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml @@ -1,6 +1,6 @@ title: Bash Interactive Shell id: 6104e693-a7d6-4891-86cb-49a258523559 -status: experimental +status: test description: Detects execution of the bash shell with the interactive flag "-i". references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml index f3bff8bb7d1..eb6839b7bfe 100644 --- a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml +++ b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml @@ -1,6 +1,6 @@ title: Enable BPF Kprobes Tracing id: 7692f583-bd30-4008-8615-75dab3f08a99 -status: experimental +status: test description: Detects common command used to enable bpf kprobes tracing references: - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ diff --git a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml index 5e7c45d954a..f8d78e67687 100644 --- a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml 
@@ -1,6 +1,6 @@ title: Capabilities Discovery - Linux id: d8d97d51-122d-4cdd-9e2f-01b4b4933530 -status: experimental +status: test description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other. references: - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes diff --git a/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml b/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml index 09f4affa66e..585d63236b1 100644 --- a/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml +++ b/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml @@ -1,6 +1,6 @@ title: Copy Passwd Or Shadow From TMP Path id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba -status: experimental +status: test description: Detects when the file "passwd" or "shadow" is copied from tmp path references: - https://blogs.blackberry.com/ diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml index 15f24392aa3..f92b908ab73 100644 --- a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml +++ b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml @@ -1,6 +1,6 @@ title: Crontab Enumeration id: 403ed92c-b7ec-4edd-9947-5b535ee12d46 -status: experimental +status: test description: Detects usage of crontab to list the tasks of the user references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml index 3282ade1359..f99cf647cbd 100644 --- a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml +++ b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml 
@@ -1,6 +1,6 @@ title: Ufw Force Stop Using Ufw-Init id: 84c9e83c-599a-458a-a0cb-0ecce44e807a -status: experimental +status: test description: Detects attempts to force stop the ufw using ufw-init references: - https://blogs.blackberry.com/ diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml index 5d1caec2508..c41dc38f2e9 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml @@ -1,6 +1,6 @@ title: ESXi Network Configuration Discovery Via ESXCLI id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174 -status: experimental +status: test description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration. references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml index fbcfc431142..dfc63fc1cf2 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml @@ -1,6 +1,6 @@ title: ESXi Admin Permission Assigned To Account Via ESXCLI id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf -status: experimental +status: test description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account. references: - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html 
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml index d2436ef0f11..af6e9829d22 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml @@ -1,6 +1,6 @@ title: ESXi Storage Information Discovery Via ESXCLI id: f41dada5-3f56-4232-8503-3fb7f9cf2d60 -status: experimental +status: test description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit. references: - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml index bdbb0d9b491..845319727e7 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml @@ -1,6 +1,6 @@ title: ESXi Syslog Configuration Change Via ESXCLI id: 38eb1dbb-011f-40b1-a126-cf03a0210563 -status: experimental +status: test description: Detects changes to the ESXi syslog configuration via "esxcli" references: - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml index d08272019a8..eee3487fc8b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml 
@@ -1,6 +1,6 @@ title: ESXi System Information Discovery Via ESXCLI id: e80273e1-9faf-40bc-bd85-dbaff104c4e9 -status: experimental +status: test description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc. references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml index addf67f9b42..0b5069ed56b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml @@ -1,6 +1,6 @@ title: ESXi Account Creation Via ESXCLI id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db -status: experimental +status: test description: Detects user account creation on ESXi system via esxcli references: - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml index 0bdd6fe880a..b93f97ad0d4 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml @@ -1,6 +1,6 @@ title: ESXi VM List Discovery Via ESXCLI id: 5f1573a7-363b-4114-9208-ad7a61de46eb -status: experimental +status: test description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs. references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ 
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml index 5e69c617b26..42df2b18703 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml @@ -1,6 +1,6 @@ title: ESXi VM Kill Via ESXCLI id: 2992ac4d-31e9-4325-99f2-b18a73221bb2 -status: experimental +status: test description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM. references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml index c7ebfe228a1..2eede884801 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml @@ -1,6 +1,6 @@ title: ESXi VSAN Information Discovery Via ESXCLI id: d54c2f06-aca9-4e2b-81c9-5317858f4b79 -status: experimental +status: test description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide. references: - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html diff --git a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml index 73eaf0076a0..ea1e5b0c9ec 100644 --- a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml 
@@ -1,6 +1,6 @@ title: OS Architecture Discovery Via Grep id: d27ab432-2199-483f-a297-03633c05bae6 -status: experimental +status: test description: | Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo" references: diff --git a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml index fb8f9b8caee..6d10e5a4f6b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml +++ b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml @@ -1,6 +1,6 @@ title: Group Has Been Deleted Via Groupdel id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84 -status: experimental +status: test description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks references: - https://linuxize.com/post/how-to-delete-group-in-linux/ diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml index e65fede776e..2ef7e1b58d2 100644 --- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml +++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml @@ -1,6 +1,6 @@ title: Apt GTFOBin Abuse - Linux id: bb382fd5-b454-47ea-a264-1828e4c766d6 -status: experimental +status: test description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution references: - https://gtfobins.github.io/gtfobins/apt/ diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml index c61ab6526b8..de4f854c365 100644 --- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml +++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml 
@@ -1,6 +1,6 @@ title: Vim GTFOBin Abuse - Linux id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea -status: experimental +status: test description: Detects usage of "vim" and it's siblings as a GTFOBin to execute and proxy command and binary execution references: - https://gtfobins.github.io/gtfobins/vim/ diff --git a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml index 0975b798b44..48712c358db 100644 --- a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml +++ b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml @@ -1,6 +1,6 @@ title: Suspicious Package Installed - Linux id: 700fb7e8-2981-401c-8430-be58e189e741 -status: experimental +status: test description: Detects installation of suspicious packages using system installation utilities references: - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt diff --git a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml index dde4d2f5a1d..7c13288f271 100644 --- a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml +++ b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml @@ -1,6 +1,6 @@ title: Flush Iptables Ufw Chain id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab -status: experimental +status: test description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic references: - https://blogs.blackberry.com/ diff --git a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml index 2504e3cff41..1ebfc0e5c98 100644 --- a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml 
+++ b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml @@ -1,6 +1,6 @@ title: Terminate Linux Process Via Kill id: 64c41342-6b27-523b-5d3f-c265f3efcdb3 -status: experimental +status: test description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process. references: - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html diff --git a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml index 5b618f296a0..eabb5c08beb 100644 --- a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml @@ -1,6 +1,6 @@ title: Potential GobRAT File Discovery Via Grep id: e34cfa0c-0a50-4210-9cb3-5632d08eb041 -status: experimental +status: test description: Detects the use of grep to discover specific files created by the GobRAT malware references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml index d60f1cb6e0c..737e41af771 100644 --- a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml +++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml @@ -1,6 +1,6 @@ title: Named Pipe Created Via Mkfifo id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4 -status: experimental +status: test description: Detects the creation of a new named pipe using the "mkfifo" utility references: - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk 
diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml index 4f773c3d95f..250cba342db 100644 --- a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml +++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml @@ -3,7 +3,7 @@ id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a related: - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4 type: derived -status: experimental +status: test description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location references: - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk diff --git a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml index 4aff5147505..2629345c566 100644 --- a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml +++ b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml @@ -1,6 +1,6 @@ title: Mount Execution With Hidepid Parameter id: ec52985a-d024-41e3-8ff6-14169039a0b3 -status: experimental +status: test description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system references: - https://blogs.blackberry.com/ diff --git a/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml index 4324459a794..2e43b72af9f 100644 --- a/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml 
@@ -1,6 +1,6 @@ title: Potential Netcat Reverse Shell Execution id: 7f734ed0-4f47-46c0-837f-6ee62505abd9 -status: experimental +status: test description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup. references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml index 5359bdca92b..03af205e6fb 100644 --- a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml @@ -3,7 +3,7 @@ id: 457df417-8b9d-4912-85f3-9dbda39c3645 related: - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2 type: derived -status: experimental +status: test description: Detects execution of binaries located in potentially suspicious locations via "nohup" references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml index 51ae4c429d0..54d39c73038 100644 --- a/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml @@ -1,6 +1,6 @@ title: Potential Perl Reverse Shell Execution id: 259df6bc-003f-4306-9f54-4ff1a08fa38e -status: experimental +status: test description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml index 37c588ba60d..4dc456108d2 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml @@ -1,6 +1,6 @@ title: Potential PHP Reverse Shell id: c6714a24-d7d5-4283-a36b-3ffd091d5f7e -status: experimental +status: test description: | Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection. diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml index add5b3a117a..d42e55c0a72 100644 --- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml +++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml @@ -3,7 +3,7 @@ id: c4042d54-110d-45dd-a0e1-05c47822c937 related: - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0 type: similar -status: experimental +status: test description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity references: - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ diff --git a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml index 32e41d206f7..b138ebc9e0f 100644 --- a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml 
@@ -3,7 +3,7 @@ id: 32e62bc7-3de0-4bb1-90af-532978fe42c0 related: - id: c4042d54-110d-45dd-a0e1-05c47822c937 type: similar -status: experimental +status: test description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/linux/process_creation/proc_creation_lnx_remove_package.yml b/rules/linux/process_creation/proc_creation_lnx_remove_package.yml index 969bc480c00..06346824c76 100644 --- a/rules/linux/process_creation/proc_creation_lnx_remove_package.yml +++ b/rules/linux/process_creation/proc_creation_lnx_remove_package.yml @@ -1,6 +1,6 @@ title: Linux Package Uninstall id: 95d61234-7f56-465c-6f2d-b562c6fedbc4 -status: experimental +status: test description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg". references: - https://sysdig.com/blog/mitre-defense-evasion-falco diff --git a/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml index 2aad0ebf374..6bacb829c38 100644 --- a/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml @@ -1,6 +1,6 @@ title: Potential Ruby Reverse Shell id: b8bdac18-c06e-4016-ac30-221553e74f59 -status: experimental +status: test description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml index 86183047beb..b50cf0f0822 100644 --- a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml 
+++ b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml @@ -1,6 +1,6 @@ title: Potential Linux Amazon SSM Agent Hijacking id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7 -status: experimental +status: test description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. references: - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml index 0a5d36c4f85..fa82f89141f 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml @@ -1,6 +1,6 @@ title: Container Residence Discovery Via Proc Virtual FS id: 746c86fb-ccda-4816-8997-01386263acc4 -status: experimental +status: test description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem references: - https://blog.skyplabs.net/posts/container-detection/ diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml index 4e882da0b51..13629815405 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml @@ -3,7 +3,7 @@ id: 00b90cc1-17ec-402c-96ad-3a8117d7a582 related: - id: 00bca14a-df4e-4649-9054-3f2aa676bc04 type: derived -status: experimental +status: test description: Detects a suspicious curl process start the adds a file to a web request references: - https://twitter.com/d1r4c/status/1279042657508081664 
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml index 22b41e675f7..2e4c41830bc 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml @@ -1,6 +1,6 @@ title: Docker Container Discovery Via Dockerenv Listing id: 11701de9-d5a5-44aa-8238-84252f131895 -status: experimental +status: test description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery references: - https://blog.skyplabs.net/posts/container-detection/ diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml index c0ac903fab8..98d0b807449 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Execution From Tmp Folder id: 312b42b1-bded-4441-8b58-163a3af58775 -status: experimental +status: test description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml index c24d14e0048..7c15f0efb51 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml 
@@ -3,7 +3,7 @@ id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf related: - id: 85de3a19-b675-4a51-bfc6-b11a5186c971 type: similar -status: experimental +status: test description: Detects usage of "find" binary in a suspicious manner to perform discovery references: - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml index 50f15fe25fa..8abc41bc303 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml @@ -1,6 +1,6 @@ title: Suspicious Git Clone - Linux id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446 -status: experimental +status: test description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious references: - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml index 32f9da31bd3..5779e0cdbff 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml @@ -1,6 +1,6 @@ title: Linux HackTool Execution id: a015e032-146d-4717-8944-7a1884122111 -status: experimental +status: test description: Detects known hacktool execution based on image name. references: - https://github.com/Gui774ume/ebpfkit diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml b/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml index 0b288ba2464..9e052d5454c 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml 
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml @@ -1,6 +1,6 @@ title: Potential Container Discovery Via Inodes Listing id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8 -status: experimental +status: test description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container. references: - https://blog.skyplabs.net/posts/container-detection/ diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml index 7d5a91f8663..cf0ec3e1955 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml @@ -1,6 +1,6 @@ title: Potential Suspicious Change To Sensitive/Critical Files id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4 -status: experimental +status: test description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system. references: - https://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml index 64236d73d0f..600a994ff1b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml 
@@ -1,6 +1,6 @@ title: Shell Execution Of Process Located In Tmp Directory id: 2fade0b6-7423-4835-9d4f-335b39b83867 -status: experimental +status: test description: Detects execution of shells from a parent process located in a temporary (/tmp) directory references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml index 71eedc0df00..514239ba619 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml @@ -1,6 +1,6 @@ title: Execution Of Script Located In Potentially Suspicious Directory id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7 -status: experimental +status: test description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc. references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml index 1c0389fff02..ac6b07c9c02 100644 --- a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml +++ b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml @@ -1,6 +1,6 @@ title: Touch Suspicious Service File id: 31545105-3444-4584-bebf-c466353230d2 -status: experimental +status: test description: Detects usage of the "touch" process in service file. references: - https://blogs.blackberry.com/ diff --git a/rules/linux/process_creation/proc_creation_lnx_userdel.yml b/rules/linux/process_creation/proc_creation_lnx_userdel.yml index f226f649b42..eed85d3c1d3 100644 --- a/rules/linux/process_creation/proc_creation_lnx_userdel.yml +++ b/rules/linux/process_creation/proc_creation_lnx_userdel.yml 
@@ -1,6 +1,6 @@ title: User Has Been Deleted Via Userdel id: 08f26069-6f80-474b-8d1f-d971c6fedea0 -status: experimental +status: test description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks references: - https://linuxize.com/post/how-to-delete-group-in-linux/ diff --git a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml index d4da8acbc43..8cf0416cf31 100644 --- a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml @@ -1,6 +1,6 @@ title: Linux Webshell Indicators id: 818f7b24-0fba-4c49-a073-8b755573b9c7 -status: experimental +status: test description: Detects suspicious sub processes of web server processes references: - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/ diff --git a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml index 87af0ce34f8..1b4668243bd 100644 --- a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml +++ b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml @@ -1,6 +1,6 @@ title: Download File To Potentially Suspicious Directory Via Wget id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4 -status: experimental +status: test description: Detects the use of wget to download content to a suspicious directory references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml index 6c3ece2e126..85a089c1188 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml @@ -1,6 +1,6 @@ title: Potential Xterm Reverse Shell id: 4e25af4b-246d-44ea-8563-e42aacab006b -status: experimental +status: test description: Detects usage of "xterm" as a potential reverse shell tunnel references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml b/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml index 2ba57121101..4e7ef66d7a8 100644 --- a/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml +++ b/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml @@ -3,7 +3,7 @@ id: 7794fa3c-edea-4cff-bec7-267dd4770fd7 related: - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55 type: derived -status: experimental +status: test description: Detects possible collection of data from the clipboard via execution of the osascript binary references: - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/ diff --git a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml index 0ab60194090..b847f32c748 100644 --- a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml +++ b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml 
@@ -3,7 +3,7 @@ id: b743623c-2776-40e0-87b1-682b975d0ca5 related: - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b type: obsoletes -status: experimental +status: test description: Detects attempts to create and add an account to the admin group via "dscl" references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos diff --git a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml index cdb55c7d21d..1835065729a 100644 --- a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml +++ b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml @@ -1,6 +1,6 @@ title: User Added To Admin Group Via DseditGroup id: 5d0fdb62-f225-42fb-8402-3dfe64da468a -status: experimental +status: test description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos diff --git a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml index f898962cc1d..6329028d797 100644 --- a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml +++ b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml 
@@ -1,6 +1,6 @@ title: Root Account Enable Via Dsenableroot id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11 -status: experimental +status: test description: Detects attempts to enable the root account via "dsenableroot" references: - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md diff --git a/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml b/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml index e4b5b8bdd02..c0104c9ec61 100644 --- a/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml +++ b/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml @@ -1,6 +1,6 @@ title: Suspicious Installer Package Child Process id: e0cfaecd-602d-41af-988d-f6ccebb2af26 -status: experimental +status: test description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters references: - https://redcanary.com/blog/clipping-silver-sparrows-wings/ diff --git a/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml b/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml index 98bbae5fd79..9d326c3a9e0 100644 --- a/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml +++ b/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml @@ -1,6 +1,6 @@ title: JAMF MDM Potential Suspicious Child Process id: 2316929c-01aa-438c-970f-099145ab1ee6 -status: experimental +status: test description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent. references: - https://github.com/MythicAgents/typhon/ 
diff --git a/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml b/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml index 8f5b3d13eec..414ef823603 100644 --- a/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml +++ b/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml @@ -1,6 +1,6 @@ title: JAMF MDM Execution id: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49 -status: experimental +status: test description: | Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices. references: diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml index c2d03215267..d17fb3ffd98 100644 --- a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml +++ b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml @@ -3,7 +3,7 @@ id: f1408a58-0e94-4165-b80a-da9f96cf6fc3 related: - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55 type: derived -status: experimental +status: test description: Detects possible malicious execution of JXA in-memory via OSAScript references: - https://redcanary.com/blog/applescript/ diff --git a/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml b/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml index 7e26acd3fdb..84af621ca79 100644 --- a/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml +++ b/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml 
@@ -1,6 +1,6 @@ title: Suspicious Microsoft Office Child Process - MacOS id: 69483748-1525-4a6c-95ca-90dc8d431b68 -status: experimental +status: test description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution references: - https://redcanary.com/blog/applescript/ diff --git a/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml b/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml index b0df25c9d18..ed9df6e6a6c 100644 --- a/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml +++ b/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml @@ -1,6 +1,6 @@ title: OSACompile Run-Only Execution id: b9d9b652-d8ed-4697-89a2-a1186ee680ac -status: experimental +status: test description: Detects potential suspicious run-only executions compiled using OSACompile references: - https://redcanary.com/blog/applescript/ diff --git a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml index ed6a1f53de8..9ea30486925 100644 --- a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml +++ b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via PlistBuddy id: 65d506d3-fcfe-4071-b4b2-bcefe721bbbb -status: experimental +status: test description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility references: - https://redcanary.com/blog/clipping-silver-sparrows-wings/ diff --git a/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml b/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml index 2da82ca85b4..20424bbdc65 100644 
--- a/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml @@ -1,6 +1,6 @@ title: Suspicious Browser Child Process - MacOS id: 0250638a-2b28-4541-86fc-ea4c558fa0c6 -status: experimental +status: test description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation. references: - https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang diff --git a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml index 0a7ba1c0378..9590d7a9226 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml @@ -1,6 +1,6 @@ title: Suspicious Execution via macOS Script Editor id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4 -status: experimental +status: test description: Detects when the macOS Script Editor utility spawns an unusual child process. author: Tim Rauch (rule), Elastic (idea) references: diff --git a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml index 9d94cc951ed..9aebe117cfa 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml @@ -3,7 +3,7 @@ id: 85de3a19-b675-4a51-bfc6-b11a5186c971 related: - id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf type: similar -status: experimental +status: test description: Detects usage of "find" binary in a suspicious manner to perform discovery references: - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes 
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml b/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml index c8c1040f6de..30e7de4628b 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml @@ -1,6 +1,6 @@ title: Potential In-Memory Download And Compile Of Payloads id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef -status: experimental +status: test description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware references: - https://redcanary.com/blog/mac-application-bundles/ diff --git a/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml index 3b5164f6ea0..38e8911a2a8 100644 --- a/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml +++ b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml @@ -1,6 +1,6 @@ title: Osacompile Execution By Potentially Suspicious Applet/Osascript id: a753a6af-3126-426d-8bd0-26ebbcb92254 -status: experimental +status: test description: Detects potential suspicious applet or osascript executing "osacompile". references: - https://redcanary.com/blog/mac-application-bundles/ diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml index 100a907ad77..c44d3ee8491 100644 --- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml +++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml 
@@ -3,7 +3,7 @@ id: 652c098d-dc11-4ba6-8566-c20e89042f2b related: - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b type: obsoletes -status: experimental +status: test description: Detects attempts to create and add an account to the admin group via "sysadminctl" references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml index 860991f11c1..a9bfa4c0890 100644 --- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml +++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml @@ -1,6 +1,6 @@ title: Guest Account Enabled Via Sysadminctl id: d7329412-13bd-44ba-a072-3387f804a106 -status: experimental +status: test description: Detects attempts to enable the guest account using the sysadminctl utility references: - https://ss64.com/osx/sysadminctl.html diff --git a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml index cb47c973c1d..c7161576533 100644 --- a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml +++ b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml @@ -1,6 +1,6 @@ title: Cisco BGP Authentication Failures id: 56fa3cd6-f8d6-4520-a8c7-607292971886 -status: experimental +status: test description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing references: - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf diff --git a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml index 29296f87c17..10800ba25f8 100644 --- a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml 
+++ b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml @@ -1,6 +1,6 @@ title: Cisco LDP Authentication Failures id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b -status: experimental +status: test description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels references: - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf diff --git a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml index 7f204229cd3..5021d7aed6c 100644 --- a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml +++ b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml @@ -1,6 +1,6 @@ title: Huawei BGP Authentication Failures id: a557ffe6-ac54-43d2-ae69-158027082350 -status: experimental +status: test description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing. references: - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf diff --git a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml index 5dee02c5bf8..1982086a117 100644 --- a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml +++ b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml @@ -1,6 +1,6 @@ title: Juniper BGP Missing MD5 id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43 -status: experimental +status: test description: Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing. references: - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf diff --git a/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml b/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml index 6d858d7a5f0..fca3b416ad1 100644 --- a/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml +++ b/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml 
@@ -1,6 +1,6 @@ title: Potential OWASSRF Exploitation Attempt - Proxy id: 1ddf4596-1908-43c9-add2-1d2c2fcc4797 -status: experimental +status: test description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint references: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ diff --git a/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml b/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml index bcd0eb70dbc..bbfdda302a3 100644 --- a/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml +++ b/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml @@ -1,6 +1,6 @@ title: OWASSRF Exploitation Attempt Using Public POC - Proxy id: fdd7e904-7304-4616-a46a-e32f917c4be4 -status: experimental +status: test description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint references: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ diff --git a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml index 0222e7bdb42..d776a2950a3 100644 --- a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml +++ b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml @@ -1,6 +1,6 @@ title: Suspicious Network Communication With IPFS id: eb6c2004-1cef-427f-8885-9042974e5eb6 -status: experimental +status: test description: Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages. references: - https://blog.talosintelligence.com/ipfs-abuse/ 
diff --git a/rules/web/proxy_generic/proxy_ua_base64_encoded.yml b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml index 7d90a5ccdde..124a11a1873 100644 --- a/rules/web/proxy_generic/proxy_ua_base64_encoded.yml +++ b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml @@ -3,7 +3,7 @@ id: d443095b-a221-4957-a2c4-cd1756c9b747 related: - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3 type: derived -status: experimental +status: test description: Detects suspicious encoded User-Agent strings, as seen used by some malware. references: - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml index 33ef7967730..8f541a58a25 100644 --- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml @@ -1,6 +1,6 @@ title: Bitsadmin to Uncommon TLD id: 9eb68894-7476-4cd6-8752-23b51f5883a7 -status: experimental +status: test description: Detects Bitsadmin connections to domains with uncommon TLDs references: - https://twitter.com/jhencinski/status/1102695118455349248 diff --git a/rules/web/proxy_generic/proxy_ua_susp_base64.yml b/rules/web/proxy_generic/proxy_ua_susp_base64.yml index 45adb63eddc..7b26ed5b152 100644 --- a/rules/web/proxy_generic/proxy_ua_susp_base64.yml +++ b/rules/web/proxy_generic/proxy_ua_susp_base64.yml @@ -3,7 +3,7 @@ id: 894a8613-cf12-48b3-8e57-9085f54aa0c3 related: - id: d443095b-a221-4957-a2c4-cd1756c9b747 type: derived -status: experimental +status: test description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding. references: - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html diff --git a/rules/web/proxy_generic/proxy_webdav_search_ms.yml b/rules/web/proxy_generic/proxy_webdav_search_ms.yml index 0588badeceb..a0efc9005f6 100644 --- a/rules/web/proxy_generic/proxy_webdav_search_ms.yml 
+++ b/rules/web/proxy_generic/proxy_webdav_search_ms.yml @@ -1,6 +1,6 @@ title: Search-ms and WebDAV Suspicious Indicators in URL id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2 -status: experimental +status: test description: Detects URL pattern used by search(-ms)/WebDAV initial access campaigns. references: - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html diff --git a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml index 362580333c3..4de443dd8d9 100644 --- a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml +++ b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml @@ -1,6 +1,6 @@ title: Java Payload Strings id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c -status: experimental +status: test description: Detects possible Java payloads in web access logs references: - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/ diff --git a/rules/web/webserver_generic/web_susp_useragents.yml b/rules/web/webserver_generic/web_susp_useragents.yml index 31ca5769b5b..189ba702e13 100644 --- a/rules/web/webserver_generic/web_susp_useragents.yml +++ b/rules/web/webserver_generic/web_susp_useragents.yml @@ -1,6 +1,6 @@ title: Suspicious User-Agents Related To Recon Tools id: 19aa4f58-94ca-45ff-bc34-92e533c0994a -status: experimental +status: test description: Detects known suspicious (default) user-agents related to scanning/recon tools references: - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb diff --git a/rules/web/webserver_generic/web_susp_windows_path_uri.yml b/rules/web/webserver_generic/web_susp_windows_path_uri.yml index 3835da11ae6..f38d7742f9d 100644 --- a/rules/web/webserver_generic/web_susp_windows_path_uri.yml +++ b/rules/web/webserver_generic/web_susp_windows_path_uri.yml 
@@ -1,6 +1,6 @@ title: Suspicious Windows Strings In URI id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e -status: experimental +status: test description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ diff --git a/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml b/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml index d501b53b020..66006fdf0e3 100644 --- a/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml +++ b/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml @@ -3,7 +3,7 @@ id: 545a5da6-f103-4919-a519-e9aec1026ee4 related: - id: 6c82cf5c-090d-4d57-9188-533577631108 type: similar -status: experimental +status: test description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine references: - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 diff --git a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml index 0a1e5921374..d88d265645f 100644 --- a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml +++ b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml 
@@ -1,6 +1,6 @@ title: Restricted Software Access By SRP id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442 -status: experimental +status: test description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy references: - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml index 1ec65dee75d..1e72af96575 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml @@ -3,7 +3,7 @@ id: 218d2855-2bba-4f61-9c85-81d0ea63ac71 related: - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d type: similar -status: experimental +status: test description: Detects failed logon attempts from clients to MSSQL server. author: Nasreddine Bencherchali (Nextron Systems), j4son date: 2023/10/11 diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml index 966e3e6957c..132c53f92de 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml @@ -3,7 +3,7 @@ id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d related: - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71 type: similar -status: experimental +status: test description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack. author: j4son date: 2023/10/11 
diff --git a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml index 7ff83280ebe..fb34bbcabd4 100644 --- a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml +++ b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml @@ -3,7 +3,7 @@ id: 076ebe48-cc05-4d8f-9d41-89245cd93a14 related: - id: b1f73849-6329-4069-bc8f-78a604bb8b23 type: similar -status: experimental +status: test description: Detects command execution via ScreenConnect RMM references: - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling diff --git a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml index e7d582b5ee3..2f354b9e8e0 100644 --- a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml +++ b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml @@ -3,7 +3,7 @@ id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13 related: - id: b1f73849-6329-4069-bc8f-78a604bb8b23 type: similar -status: experimental +status: test description: Detects file being transferred via ScreenConnect RMM references: - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling diff --git a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml index e18c75b2936..2a1822b34c1 100644 --- a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml 
+++ b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml @@ -1,6 +1,6 @@ title: Microsoft Malware Protection Engine Crash - WER id: 6c82cf5c-090d-4d57-9188-533577631108 -status: experimental +status: test description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine references: - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 diff --git a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml index 3b45dc52304..e7145460a01 100644 --- a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml +++ b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml @@ -1,6 +1,6 @@ title: Sysinternals Tools AppX Versions Execution id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc -status: experimental +status: test description: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths references: - Internal Research diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml index f40f96633e0..89a606da371 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml 
@@ -1,6 +1,6 @@ title: Deployment AppX Package Was Blocked By AppLocker id: 6ae53108-c3a0-4bee-8f45-c7591a2c337f -status: experimental +status: test description: Detects an appx package deployment that was blocked by AppLocker policy references: - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml index 520a58bf454..3f25523bf3b 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml @@ -1,6 +1,6 @@ title: Potential Malicious AppX Package Installation Attempts id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce -status: experimental +status: test description: Detects potential installation or installation attempts of known malicious appx packages references: - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml index 6cdfef035f8..67f5cdd7928 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml @@ -1,6 +1,6 @@ title: Deployment Of The AppX Package Was Blocked By The Policy id: e021bbb5-407f-41f5-9dc9-1864c45a7a51 -status: experimental +status: test description: Detects an appx package deployment that was blocked by the local computer policy references: - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting 
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml index 67fabeac289..e6e7a0a2a00 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml @@ -1,6 +1,6 @@ title: Suspicious AppX Package Installation Attempt id: 898d5fc9-fbc3-43de-93ad-38e97237c344 -status: experimental +status: test description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious references: - Internal Research diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml index c0c2e1b1e31..0f470c657a2 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml @@ -1,6 +1,6 @@ title: Suspicious Remote AppX Package Locations id: 8b48ad89-10d8-4382-a546-50588c410f0d -status: experimental +status: test description: Detects an appx package added the pipeline of the "to be processed" packages which is downloaded from a suspicious domain references: - Internal Research diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml index 19b333749c8..050c81c624e 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml 
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml @@ -1,6 +1,6 @@ title: Suspicious AppX Package Locations id: 5cdeaf3d-1489-477c-95ab-c318559fc051 -status: experimental +status: test description: Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations references: - Internal Research diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml index dedc37edef6..76767c6bdd6 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml @@ -1,6 +1,6 @@ title: Uncommon AppX Package Locations id: c977cb50-3dff-4a9f-b873-9290f56132f1 -status: experimental +status: test description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations references: - Internal Research diff --git a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml index af67b285742..065666b0553 100644 --- a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml +++ b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml @@ -1,6 +1,6 @@ title: Suspicious Digital Signature Of AppX Package id: b5aa7d60-c17e-4538-97de-09029d6cd76b -status: experimental +status: test description: Detects execution of AppX packages with known suspicious or malicious signature references: - Internal Research 
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml index 3b29f8fcf94..9e2463ed36e 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml @@ -1,6 +1,6 @@ title: New BITS Job Created Via PowerShell id: fe3a2d49-f255-4d10-935c-bda7391108eb -status: experimental +status: test description: Detects the creation of a new bits job by PowerShell references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml index 0867b2aeebf..aefbf76cd99 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml @@ -1,6 +1,6 @@ title: BITS Transfer Job Downloading File Potential Suspicious Extension id: b85e5894-9b19-4d86-8c87-a2f3b81f0521 -status: experimental +status: test description: Detects new BITS transfer job saving local files with potential suspicious extensions references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml index c13e5ade7e4..d1dbcd4d2bf 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml 
@@ -1,6 +1,6 @@ title: BITS Transfer Job Download From File Sharing Domains id: d635249d-86b5-4dad-a8c7-d7272b788586 -status: experimental +status: test description: Detects BITS transfer job downloading files from a file sharing domain. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml index 66080d0a04c..240d923a445 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml @@ -3,7 +3,7 @@ id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7 related: - id: 99c840f2-2012-46fd-9141-c761987550ef type: similar -status: experimental +status: test description: Detects a BITS transfer job downloading file(s) from a direct IP address. references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml index d684dad0390..6af8db014f4 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml @@ -1,6 +1,6 @@ title: BITS Transfer Job With Uncommon Or Suspicious Remote TLD id: 6d44fb93-e7d2-475c-9d3d-54c9c1e33427 -status: experimental +status: test description: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md 
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml b/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml index 72dcb0bec0e..17c7032ad77 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml @@ -1,6 +1,6 @@ title: BITS Transfer Job Download To Potential Suspicious Folder id: f8a56cb7-a363-44ed-a82f-5926bb44cd05 -status: experimental +status: test description: Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md diff --git a/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml b/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml index 2d8eb6b886d..2bb76c3f1f8 100644 --- a/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml +++ b/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml @@ -1,6 +1,6 @@ title: Certificate Private Key Acquired id: e2b5163d-7deb-4566-9af3-40afea6858c3 -status: experimental +status: test description: Detects when an application acquires a certificate private key references: - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html diff --git a/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml b/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml index c221b48978b..72a7cee6090 100644 --- a/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml 
+++ b/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml @@ -1,6 +1,6 @@ title: Certificate Exported From Local Certificate Store id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017 -status: experimental +status: test description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store. references: - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml index b7d49c81249..ba63ba24f51 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation id: f8931561-97f5-4c46-907f-0a4a592e47a7 -status: experimental +status: test description: | Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation. diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml index a90de90e922..752880df3ff 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml 
@@ -1,6 +1,6 @@ title: CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked id: 5daf11c3-022b-4969-adb9-365e6c078c7c -status: experimental +status: test description: Detects block events for files that are disallowed by code integrity for protected processes references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml index fef43209e27..48028ce3218 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Blocked Image/Driver Load For Policy Violation id: e4be5675-4a53-426a-8c81-a8bb2387e947 -status: experimental +status: test description: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy. references: - https://twitter.com/wdormann/status/1590434950335320065 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml index 732e52f77ad..78c6a8308d0 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Blocked Driver Load With Revoked Certificate id: 9b72b82d-f1c5-4632-b589-187159bc6ec1 -status: experimental +status: test description: Detects blocked load attempts of revoked drivers references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations 
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml index e2e4b123532..77b42a69cd0 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Revoked Kernel Driver Loaded id: 320fccbf-5e32-4101-82b8-2679c5f007c6 -status: experimental +status: test description: Detects the load of a revoked kernel driver references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml index 6223b7444da..d415b043aab 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Blocked Image Load With Revoked Certificate id: 6f156c48-3894-4952-baf0-16193e9067d2 -status: experimental +status: test description: Detects blocked image load events with revoked certificates by code integrity. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml index f11b2c28af9..3ea655c289e 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml 
@@ -1,6 +1,6 @@ title: CodeIntegrity - Revoked Image Loaded id: 881b7725-47cc-4055-8000-425823344c59 -status: experimental +status: test description: Detects image load events with revoked certificates by code integrity. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml index 31cc5d201d8..e72df24588d 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Unsigned Kernel Module Loaded id: 951f8d29-f2f6-48a7-859f-0673ff105e6f -status: experimental +status: test description: Detects the presence of a loaded unsigned kernel module on the system. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml index b2e318d8973..748cc057eba 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Unsigned Image Loaded id: c92c24e7-f595-493f-9c98-53d5142f5c18 -status: experimental +status: test description: Detects loaded unsigned image on the system references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations 
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml index fc5f5fe816f..80b2445fdb1 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f -status: experimental +status: test description: Detects loaded kernel modules that did not meet the WHQL signing requirements. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml index c7e01fa2b5d..6b34ee5bc6e 100644 --- a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml +++ b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml @@ -3,7 +3,7 @@ id: 29f171d7-aa47-42c7-9c7b-3c87938164d9 related: - id: 065cceea-77ec-4030-9052-fc0affea7110 type: similar -status: experimental +status: test description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes references: - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte diff --git a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml index fc80250ee3b..e5622c0cdf6 100644 --- a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml +++ b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml 
@@ -3,7 +3,7 @@ id: 090ffaad-c01a-4879-850c-6d57da98452d related: - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b type: similar -status: experimental +status: test description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ diff --git a/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml b/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml index 2d9095f2fd3..6461916383c 100644 --- a/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml +++ b/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml @@ -1,6 +1,6 @@ title: Failed DNS Zone Transfer id: 6d444368-6da1-43fe-b2fc-44202430480e -status: experimental +status: test description: Detects when a DNS zone transfer failed. references: - https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml index 41af7402cab..50cf68232c5 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml @@ -1,6 +1,6 @@ title: New Firewall Rule Added In Windows Firewall Exception List id: cde0a575-7d3d-4a49-9817-b8004a7bf105 -status: experimental +status: test description: Detects when a rule has been added to the Windows Firewall exception list references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml index 1d65268cc2a..d4a64cce8c0 100644 
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml @@ -3,7 +3,7 @@ id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e related: - id: cde0a575-7d3d-4a49-9817-b8004a7bf105 type: derived -status: experimental +status: test description: Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml index 2a06a1d553d..32b9016a583 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml @@ -1,6 +1,6 @@ title: Firewall Rule Modified In The Windows Firewall Exception List id: 5570c4d9-8fdd-4622-965b-403a5a101aa0 -status: experimental +status: test description: Detects when a rule has been modified in the Windows firewall exception list references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml index df4255c1faa..10282fca7e0 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml 
@@ -1,6 +1,6 @@ title: All Rules Have Been Deleted From The Windows Firewall Configuration id: 79609c82-a488-426e-abcf-9f341a39365d -status: experimental +status: test description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml index fa5a3a3f605..36d2a7c489b 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml @@ -1,6 +1,6 @@ title: A Rule Has Been Deleted From The Windows Firewall Exception List id: c187c075-bb3e-4c62-b4fa-beae0ffc211f -status: experimental +status: test description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml index 3bd155fc184..b4993af05d5 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml @@ -1,6 +1,6 @@ title: The Windows Defender Firewall Service Failed To Load Group Policy id: 7ec15688-fd24-4177-ba43-1a950537ee39 -status: experimental +status: test description: Detects activity when The Windows Defender Firewall service failed to load Group Policy references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) 
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml index e196c2624a5..16dd0de90b0 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml @@ -1,6 +1,6 @@ title: Windows Defender Firewall Has Been Reset To Its Default Configuration id: 04b60639-39c0-412a-9fbe-e82499c881a3 -status: experimental +status: test description: Detects activity when Windows Defender Firewall has been reset to its default configuration references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml index afd7c90d221..63749b92177 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml @@ -1,6 +1,6 @@ title: Windows Firewall Settings Have Been Changed id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064 -status: experimental +status: test description: Detects activity when the settings of the Windows firewall have been changed references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml index d005eaeb8e1..afc923b0873 100644 --- a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml +++ b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml 
@@ -1,6 +1,6 @@ title: Standard User In High Privileged Group id: 7ac407cc-0f48-4328-aede-de1d2e6fef41 -status: experimental +status: test description: Detect standard users login that are part of high privileged groups such as the Administrator group references: - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml index 4d378916947..77d53ea104b 100644 --- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml +++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml @@ -1,6 +1,6 @@ title: Mailbox Export to Exchange Webserver id: 516376b4-05cd-4122-bae0-ad7641c38d48 -status: experimental +status: test description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it references: - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html diff --git a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml index 588b3189f38..fa1d9ebb0dc 100644 --- a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml +++ b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml @@ -1,6 +1,6 @@ title: Potential Access Token Abuse id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f -status: experimental +status: test description: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag". references: - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation 
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml index d77d9b0531b..49d21eb74d5 100644 --- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml +++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml @@ -3,7 +3,7 @@ id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2 related: - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc type: derived -status: experimental +status: test description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port. references: - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml index fc2200c3838..bc2b8b406bb 100644 --- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml +++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml @@ -3,7 +3,7 @@ id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc related: - id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2 type: derived -status: experimental +status: test description: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port. references: - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html diff --git a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml index 41237366f91..e34601b3197 100644 --- a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml 
+++ b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml @@ -1,6 +1,6 @@ title: Password Policy Enumerated id: 12ba6a38-adb3-4d6b-91ba-a7fb248e3199 -status: experimental +status: test description: Detects when the password policy is enumerated. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661 diff --git a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml index c1bbd97709a..4e74565af40 100644 --- a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml +++ b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml @@ -1,6 +1,6 @@ title: Service Registry Key Read Access Request id: 11d00fff-5dc3-428c-8184-801f292faec0 -status: experimental +status: test description: | Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. diff --git a/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml b/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml index 4a48af5b0b6..b6ac720e34f 100644 --- a/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml +++ b/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml @@ -1,6 +1,6 @@ title: Scheduled Task Deletion id: 4f86b304-3e02-40e3-aa5d-e88a167c9617 -status: experimental +status: test description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME references: - https://twitter.com/matthewdunwoody/status/1352356685982146562 
diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml index 011232f71a8..228aeb68eb3 100644 --- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml +++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml @@ -3,7 +3,7 @@ id: c8b00925-926c-47e3-beea-298fd563728e related: - id: 1a31b18a-f00c-4061-9900-f735b96c99fc type: similar -status: experimental +status: test description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform references: - https://redcanary.com/blog/misbehaving-rats/ diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml index 1b087a9891d..7d1fb21a04f 100644 --- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml +++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml @@ -3,7 +3,7 @@ id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca related: - id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5 type: similar -status: experimental +status: test description: Detects a service installed by a client which has PID 0 or whose parent has PID 0 references: - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html diff --git a/rules/windows/builtin/security/win_security_susp_computer_name.yml b/rules/windows/builtin/security/win_security_susp_computer_name.yml index 1b7b0338fb2..dd3ff20708c 100644 --- a/rules/windows/builtin/security/win_security_susp_computer_name.yml +++ b/rules/windows/builtin/security/win_security_susp_computer_name.yml 
@@ -1,6 +1,6 @@ title: Win Susp Computer Name Containing Samtheadmin id: 39698b3f-da92-4bc6-bfb5-645a98386e45 -status: experimental +status: test description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool references: - https://twitter.com/malmoeb/status/1511760068743766026 diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml index c8707996755..fb64d6da3c8 100644 --- a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious AccessMask Requested From LSASS id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76 -status: experimental +status: test description: Detects process handle on LSASS process with certain access mask references: - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml index 011f8dd2056..c66270a5b57 100644 --- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml @@ -7,7 +7,7 @@ related: type: similar - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog type: similar -status: experimental +status: test description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 
diff --git a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml index dc4cb002b90..9d36b3efb70 100644 --- a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml +++ b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml @@ -1,6 +1,6 @@ title: NTLMv1 Logon Between Client and Server id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d -status: experimental +status: test description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware. references: - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml diff --git a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml index dba3cbaf122..2d0c1e5f30a 100644 --- a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml +++ b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml @@ -1,6 +1,6 @@ title: Local Privilege Escalation Indicator TabTip id: bc2e25ed-b92b-4daa-b074-b502bdd1982b -status: experimental +status: test description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode references: - https://github.com/antonioCoco/JuicyPotatoNG diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml index b3d36aeee78..fcaeac680e6 100644 --- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml 
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml @@ -7,7 +7,7 @@ related: type: derived - id: 100ef69e-3327-481c-8e5c-6d80d9507556 type: derived -status: experimental +status: test description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution references: - https://twitter.com/deviouspolack/status/832535435960209408 diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml index 2eb70fdd3a5..a12541c3672 100644 --- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml @@ -3,7 +3,7 @@ id: 100ef69e-3327-481c-8e5c-6d80d9507556 related: - id: a62b37e0-45d3-48d9-a517-90c1a1b0186b type: derived -status: experimental +status: test description: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution references: - https://twitter.com/deviouspolack/status/832535435960209408 diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml index f1621267096..a09745c8a3e 100644 --- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml +++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml 
@@ -1,6 +1,6 @@ title: Certificate Use With No Strong Mapping id: 993c2665-e6ef-40e3-a62a-e1a97686af79 -status: experimental +status: test description: | Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID) This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. diff --git a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml index 2e6c871a87f..770c1aaf58b 100644 --- a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml +++ b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml @@ -1,6 +1,6 @@ title: Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 id: 52a85084-6989-40c3-8f32-091e12e17692 -status: experimental +status: test description: During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server references: - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml index 23e92a06c9e..59e71979882 100644 
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml @@ -1,6 +1,6 @@ title: Invoke-Obfuscation CLIP+ Launcher - System id: f7385ee2-0e0c-11eb-adc1-0242ac120002 -status: experimental +status: test description: Detects Obfuscated use of Clip.exe to execute PowerShell references: - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26) diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml index e4333da732f..baf83193713 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml @@ -1,6 +1,6 @@ title: CSExec Service Installation id: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12 -status: experimental +status: test description: Detects CSExec service installation and execution events references: - https://github.com/malcomvetter/CSExec diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml index 44590237d6a..0cafdc5b2fc 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml @@ -1,6 +1,6 @@ title: RemCom Service Installation id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf -status: experimental +status: test description: Detects RemCom service installation and execution events references: - https://github.com/kavika13/RemCom/ 
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml index 8e3a5cf4049..547e49c51d6 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml @@ -3,7 +3,7 @@ id: 1a31b18a-f00c-4061-9900-f735b96c99fc related: - id: c8b00925-926c-47e3-beea-298fd563728e type: similar -status: experimental +status: test description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform references: - https://redcanary.com/blog/misbehaving-rats/ diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml index 1c1bee909ae..bcd9b1bbcce 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml @@ -1,6 +1,6 @@ title: PsExec Service Installation id: 42c575ea-e41e-41f1-b248-8093c3e82a28 -status: experimental +status: test description: Detects PsExec service installation and execution events references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml index 8edccd725de..6eb9322bdbc 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml 
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml @@ -3,7 +3,7 @@ id: acfa2210-0d71-4eeb-b477-afab494d596c related: - id: d6b5520d-3934-48b4-928c-2aa3f92d6963 type: similar -status: experimental +status: test description: Detects Windows services that got terminated for whatever reason references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml index f1b8f27f9ba..d3886e2626e 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml @@ -3,7 +3,7 @@ id: d6b5520d-3934-48b4-928c-2aa3f92d6963 related: - id: acfa2210-0d71-4eeb-b477-afab494d596c type: similar -status: experimental +status: test description: Detects important or interesting Windows services that got terminated for whatever reason references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml index f52e2a9d012..24ffbd18c3c 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml 
@@ -1,6 +1,6 @@ title: Important Windows Service Terminated Unexpectedly id: 56abae0c-6212-4b97-adc0-0b559bb950c3 -status: experimental +status: test description: Detects important or interesting Windows services that got terminated unexpectedly. references: - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/ diff --git a/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml b/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml index c9b75f3bdd9..2b505d9ce2b 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_system_service_installation_by_unusal_client.yml @@ -3,7 +3,7 @@ id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5 related: - id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca type: similar -status: experimental +status: test description: Detects a service installed by a client which has PID 0 or whose parent has PID 0 references: - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml index 277a5e9412c..0ab9f4d9ee2 100644 --- a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml +++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml 
@@ -1,6 +1,6 @@ title: Scheduled Task Executed From A Suspicious Location id: 424273ea-7cf8-43a6-b712-375f925e481f -status: experimental +status: test description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task references: - Internal Research diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml index c803159f7c5..0a6712f81a1 100644 --- a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml +++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml @@ -1,6 +1,6 @@ title: Scheduled Task Executed Uncommon LOLBIN id: f0767f15-0fb3-44b9-851e-e8d9a6d0005d -status: experimental +status: test description: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task references: - Internal Research diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml index 91dc8cc9640..b5e8b88903c 100644 --- a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml +++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml @@ -5,7 +5,7 @@ related: type: similar - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog type: similar -status: experimental +status: test description: Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities author: frack113 date: 2023/01/13 
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml index 6bacc3f5062..566018fe94c 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml @@ -1,6 +1,6 @@ title: Remote Thread Created In KeePass.EXE id: 77564cc2-7382-438b-a7f6-395c2ae53b9a -status: experimental +status: test description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity references: - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml index 542b9183af7..7efdf056896 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml @@ -1,6 +1,6 @@ title: Remote Thread Creation In Mstsc.Exe From Suspicious Location id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7 -status: experimental +status: test description: | Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials. diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml index 0bf11257941..c4492a7ce6a 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml 
@@ -3,7 +3,7 @@ id: 99b97608-3e21-4bfe-8217-2a127c396a0e related: - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 type: similar -status: experimental +status: test description: Detects the creation of a remote thread from a Powershell process in a rundll32 process references: - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml index 321e57290f2..cd80353aaf5 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml @@ -1,6 +1,6 @@ title: Remote Thread Creation By Uncommon Source Image id: 66d31e5f-52d6-40a4-9615-002d3789a119 -status: experimental +status: test description: Detects uncommon processes creating remote threads references: - Personal research, statistical analysis diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml index d240d2edefe..ffccc3780c8 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml @@ -3,7 +3,7 @@ id: a1a144b7-5c9b-4853-a559-2172be8d4a03 related: - id: f016c716-754a-467f-a39e-63c06f773987 type: obsoletes -status: experimental +status: test description: Detects uncommon target processes for remote thread creation references: - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection 
diff --git a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml index 001a51f465f..24da21b23d9 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml @@ -1,6 +1,6 @@ title: Creation Of a Suspicious ADS File Outside a Browser Download id: 573df571-a223-43bc-846e-3f98da481eca -status: experimental +status: test description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers references: - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/ diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml index 9ae7511869f..ec34ddbd092 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml @@ -3,7 +3,7 @@ id: 52182dfb-afb7-41db-b4bc-5336cb29b464 related: - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99 type: similar -status: experimental +status: test description: Detects the download of suspicious file type from a well-known file and paste sharing domain references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml index 7e7f9a16c87..3f9a07819a2 100644 
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml @@ -3,7 +3,7 @@ id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99 related: - id: 52182dfb-afb7-41db-b4bc-5336cb29b464 type: similar -status: experimental +status: test description: Detects the download of suspicious file type from a well-known file and paste sharing domain references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml index da0f50745f1..a19573eef41 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml @@ -1,6 +1,6 @@ title: Hacktool Download id: 19b041f6-e583-40dc-b842-d6fa8011493f -status: experimental +status: test description: Detects the creation of a file on disk that has an imphash of a well-known hack tool references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml index d0597644ac4..a2ccea6596c 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml @@ -1,6 +1,6 @@ title: Unusual File Download from Direct IP Address id: 025bd229-fd1f-4fdb-97ab-20006e1a5368 -status: experimental +status: test description: Detects the download of suspicious file type from URLs with IP references: - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md 
diff --git a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml index d6a2b9acbae..1792faecc26 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml @@ -1,6 +1,6 @@ title: Potential Suspicious Winget Package Installation id: a3f5c081-e75b-43a0-9f5b-51f26fe5dba2 -status: experimental +status: test description: Detects potential suspicious winget package installation from a suspicious source. references: - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget diff --git a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml index 6377385673a..d7869180a02 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious File Download From ZIP TLD id: 0bb4bbeb-fe52-4044-b40c-430a04577ebe -status: experimental +status: test description: Detects the download of a file with a potentially suspicious extension from a .zip top level domain. references: - https://twitter.com/cyb3rops/status/1659175181695287297 diff --git a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml index e170875b29d..65ff6870d93 100644 --- a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml +++ b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml 
@@ -3,7 +3,7 @@ id: 065cceea-77ec-4030-9052-fc0affea7110 related: - id: 29f171d7-aa47-42c7-9c7b-3c87938164d9 type: similar -status: experimental +status: test description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes references: - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte diff --git a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml index 260c77a4aa4..160adb3f6f8 100644 --- a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml +++ b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml @@ -1,6 +1,6 @@ title: DNS Server Discovery Via LDAP Query id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e -status: experimental +status: test description: Detects DNS server discovery via LDAP query requests from uncommon applications references: - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml index ac8617682d7..42656d7f212 100644 --- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml +++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml 
@@ -7,7 +7,7 @@ related: type: obsoletes - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4 type: obsoletes -status: experimental +status: test description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. diff --git a/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml b/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml index 430e8c1da24..046b352420f 100644 --- a/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml +++ b/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml @@ -3,7 +3,7 @@ id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 related: - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2 type: similar -status: experimental +status: test description: Detects DNS queries to an ".onion" address related to Tor routing networks references: - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ diff --git a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml index 1ef60ac954e..3890fad5025 100644 --- a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml +++ b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml @@ -3,7 +3,7 @@ id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b related: - id: 090ffaad-c01a-4879-850c-6d57da98452d type: similar -status: experimental +status: test description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ 
diff --git a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml index aa898fb474b..55c44131e85 100644 --- a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml +++ b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml @@ -1,6 +1,6 @@ title: DNS Query To Devtunnels And VsCode Tunnels id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 -status: experimental +status: test description: | Detects DNS query to Devtunnels and Visual Studio Code tunnel domains. Attackers can be abuse these features to establish a reverse shell. references: diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers.yml b/rules/windows/driver_load/driver_load_win_mal_drivers.yml index 4204d724905..cf5ba2f7a48 100644 --- a/rules/windows/driver_load/driver_load_win_mal_drivers.yml +++ b/rules/windows/driver_load/driver_load_win_mal_drivers.yml @@ -1,6 +1,6 @@ title: Malicious Driver Load id: 05296024-fe8a-4baf-8f3d-9a5f5624ceb2 -status: experimental +status: test description: Detects the load of known malicious drivers by hash value references: - https://loldrivers.io/ diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml index 9d875f79343..9348ffabe8d 100644 --- a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml +++ b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml @@ -1,6 +1,6 @@ title: Malicious Driver Load By Name id: 39b64854-5497-4b57-a448-40977b8c9679 -status: experimental +status: test description: Detects the load of known malicious drivers via their names only. references: - https://loldrivers.io/ diff --git a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml index 24719740f82..83c7ade6389 100644 
--- a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml +++ b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml @@ -3,7 +3,7 @@ id: 67add051-9ee7-4ad3-93ba-42935615ae8d related: - id: 10cb6535-b31d-4512-9962-513dcbc42cc1 type: similar -status: experimental +status: test description: Detects driver load of the Process Hacker tool references: - https://processhacker.sourceforge.io/ diff --git a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml index f9f2f8b6cce..8a220bffb07 100644 --- a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml +++ b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml @@ -3,7 +3,7 @@ id: 10cb6535-b31d-4512-9962-513dcbc42cc1 related: - id: 67add051-9ee7-4ad3-93ba-42935615ae8d type: similar -status: experimental +status: test description: Detects driver load of the System Informer tool references: - https://systeminformer.sourceforge.io/ diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml index 91bd42d7eae..3cca1bf9fbd 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml @@ -1,6 +1,6 @@ title: Vulnerable Driver Load id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8 -status: experimental +status: test description: Detects the load of known vulnerable drivers by hash value references: - https://loldrivers.io/ diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml index be3d4a7fc34..05780394656 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml 
@@ -1,6 +1,6 @@ title: Vulnerable Driver Load By Name id: 72cd00d6-490c-4650-86ff-1d11f491daa1 -status: experimental +status: test description: Detects the load of known vulnerable drivers via their names only. references: - https://loldrivers.io/ diff --git a/rules/windows/file/file_access/file_access_win_browser_credential_access.yml b/rules/windows/file/file_access/file_access_win_browser_credential_access.yml index ec43f0855db..1b6a4f130a1 100644 --- a/rules/windows/file/file_access/file_access_win_browser_credential_access.yml +++ b/rules/windows/file/file_access/file_access_win_browser_credential_access.yml @@ -1,6 +1,6 @@ title: Access To Browser Credential Files By Uncommon Application id: 91cb43db-302a-47e3-b3c8-7ede481e27bf -status: experimental +status: test description: | Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. diff --git a/rules/windows/file/file_access/file_access_win_credential_manager_access.yml b/rules/windows/file/file_access/file_access_win_credential_manager_access.yml index 3d4f4b26592..7ddc7b9d8fd 100644 --- a/rules/windows/file/file_access/file_access_win_credential_manager_access.yml +++ b/rules/windows/file/file_access/file_access_win_credential_manager_access.yml @@ -1,6 +1,6 @@ title: Credential Manager Access By Uncommon Application id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6 -status: experimental +status: test description: | Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function diff --git a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml index 140505507c1..4e0db3dba7d 100644 --- a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml 
+++ b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml @@ -1,6 +1,6 @@ title: Access To Windows DPAPI Master Keys By Uncommon Application id: 46612ae6-86be-4802-bc07-39b59feb1309 -status: experimental +status: test description: | Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function diff --git a/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml b/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml index dea4215eb8d..3229f4683bd 100644 --- a/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml +++ b/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml @@ -1,6 +1,6 @@ title: Access To .Reg/.Hive Files By Uncommon Application id: 337a31c6-46c4-46be-886a-260d7aa78cac -status: experimental +status: test description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups. references: - https://github.com/tccontre/Reg-Restore-Persistence-Mole diff --git a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml index 696f077d6ea..f3d75071785 100644 --- a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml +++ b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml @@ -1,6 +1,6 @@ title: Access To Windows Credential History File By Uncommon Application id: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2 -status: experimental +status: test description: | Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function 
diff --git a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml b/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml index 8eaee3a5c81..9451c3f517b 100644 --- a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml +++ b/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml @@ -1,6 +1,6 @@ title: Potential PrintNightmare Exploitation Attempt id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf -status: experimental +status: test description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675 references: - https://github.com/hhlxf/PrintNightmare diff --git a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml index 20f6e2ab433..413b8e13957 100644 --- a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml @@ -1,6 +1,6 @@ title: Backup Files Deleted id: 06125661-3814-4e03-bfa2-1e4411c60ac3 -status: experimental +status: test description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files diff --git a/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml b/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml index a1f9eaa72d6..091244733aa 100644 --- a/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml 
@@ -1,6 +1,6 @@ title: EventLog EVTX File Deleted id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc -status: experimental +status: test description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence references: - Internal Research diff --git a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml index 247ab53633c..37eea57687e 100644 --- a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml @@ -1,6 +1,6 @@ title: Exchange PowerShell Cmdlet History Deleted id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe -status: experimental +status: test description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence references: - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ diff --git a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml index b1e9c3025ce..7ff51dd6fdc 100644 --- a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml @@ -1,6 +1,6 @@ title: IIS WebServer Access Logs Deleted id: 3eb8c339-a765-48cc-a150-4364c04652bf -status: experimental +status: test description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence references: - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html diff --git a/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml b/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml index d6cd3afca25..6daa4e9e3d0 100644 
--- a/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml @@ -1,6 +1,6 @@ title: PowerShell Console History Logs Deleted id: ff301988-c231-4bd0-834c-ac9d73b86586 -status: experimental +status: test description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence references: - Internal Research diff --git a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml index afe5971d407..2b80ce6553c 100755 --- a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml @@ -1,6 +1,6 @@ title: Prefetch File Deleted id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 -status: experimental +status: test description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence author: Cedric MAURUGEON date: 2021/09/29 diff --git a/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml index ea2732cfee3..fdea36cd77f 100644 --- a/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml @@ -1,6 +1,6 @@ title: Tomcat WebServer Logs Deleted id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8 -status: experimental +status: test description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence references: - Internal Research diff --git a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml index ed3adc03b1e..c55ae88bd35 100644 
--- a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml +++ b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml @@ -3,7 +3,7 @@ id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 related: - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version type: similar -status: experimental +status: test description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html diff --git a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml index 4591128a81d..4123fac8c13 100644 --- a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml +++ b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml @@ -3,7 +3,7 @@ id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae related: - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b type: similar -status: experimental +status: test description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. references: - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/ diff --git a/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml b/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml index 4862e6b4fd7..2807616395c 100644 --- a/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml +++ b/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml 
@@ -7,7 +7,7 @@ related: type: similar - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec type: similar -status: experimental +status: test description: | Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider. references: diff --git a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml index 850ba967345..ce90c0b34e3 100644 --- a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml +++ b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml @@ -1,6 +1,6 @@ title: BloodHound Collection Files id: 02773bed-83bf-469f-b7ff-e676e7d78bab -status: experimental +status: test description: Detects default file names outputted by the BloodHound collection tool SharpHound references: - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 9e973c66e76..7896ebf61dd 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml @@ -1,6 +1,6 @@ title: EVTX Created In Uncommon Location id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb -status: experimental +status: test description: Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls references: - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key 
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index 83cdb14e703..e84ff7b2040 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml @@ -3,7 +3,7 @@ id: df6ecb8b-7822-4f4b-b412-08f524b4576c related: - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule type: similar -status: experimental +status: test description: Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking references: - https://decoded.avast.io/martinchlumecky/png-steganography/ diff --git a/rules/windows/file/file_event/file_event_win_dump_file_creation.yml b/rules/windows/file/file_event/file_event_win_dump_file_creation.yml index ea64b6d79e7..e4675f6d239 100644 --- a/rules/windows/file/file_event/file_event_win_dump_file_creation.yml +++ b/rules/windows/file/file_event/file_event_win_dump_file_creation.yml @@ -1,6 +1,6 @@ title: DMP/HDMP File Creation id: 3a525307-d100-48ae-b3b9-0964699d7f97 -status: experimental +status: test description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. references: - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps diff --git a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml index 64756bc1864..c689dba2dfd 100644 --- a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml 
@@ -3,7 +3,7 @@ id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c related: - id: 3a525307-d100-48ae-b3b9-0964699d7f97 type: similar -status: experimental +status: test description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. references: - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps diff --git a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml index 6c3d9310b40..b53864c7ef8 100644 --- a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml +++ b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml @@ -1,6 +1,6 @@ title: Potential Remote Credential Dumping Activity id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a -status: experimental +status: test description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint. references: - https://github.com/Porchetta-Industries/CrackMapExec diff --git a/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml b/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml index 8efb2b2eaa3..395eefc1660 100644 --- a/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml +++ b/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp type: similar -status: experimental +status: test description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs". references: - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs diff --git a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml index 526eaa2eb51..b113fd1fa94 100644 --- a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml +++ b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml @@ -5,7 +5,7 @@ related: type: obsoletes - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a type: obsoletes -status: experimental +status: test description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials. references: - https://www.google.com/search?q=procdump+lsass diff --git a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml index 00760bb4875..3d8359b3eea 100644 --- a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml +++ b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml @@ -1,6 +1,6 @@ title: File Creation In Suspicious Directory By Msdt.EXE id: 318557a5-150c-4c8d-b70e-a9910e199857 -status: experimental +status: test description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities references: - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd 
diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml index 97262ef5b92..fda85fadcef 100644 --- a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml +++ b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml @@ -5,7 +5,7 @@ related: type: derived - id: e4b63079-6198-405c-abd7-3fe8b0ce3263 type: obsoletes -status: experimental +status: test description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context. references: - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ diff --git a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml index a25dd72999a..2735b21588f 100644 --- a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml +++ b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml @@ -1,6 +1,6 @@ title: Suspicious File Creation In Uncommon AppData Folder id: d7b50671-d1ad-4871-aa60-5aa5b331fe04 -status: experimental +status: test description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_new_scr_file.yml b/rules/windows/file/file_event/file_event_win_new_scr_file.yml index 7b277774e89..ba8026ec718 100644 --- a/rules/windows/file/file_event/file_event_win_new_scr_file.yml +++ b/rules/windows/file/file_event/file_event_win_new_scr_file.yml 
@@ -1,6 +1,6 @@ title: SCR File Write Event id: c048f047-7e2a-4888-b302-55f509d4a91d -status: experimental +status: test description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example. references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ diff --git a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml index 3ef18e30016..4f2b40f7b63 100644 --- a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Notepad++ Plugins id: 54127bd4-f541-4ac3-afdb-ea073f63f692 -status: experimental +status: test description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence references: - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/ diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml index f4d39dfd6bf..2828582d32d 100644 --- a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml +++ b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml @@ -1,6 +1,6 @@ title: NTDS.DIT Created id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c -status: experimental +status: test description: Detects creation of a file named "ntds.dit" (Active Directory Database) references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml index 30ea4582d5f..1282361ec39 100644 
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml @@ -3,7 +3,7 @@ id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 related: - id: 91174a41-dc8f-401b-be89-7bfc140612a0 type: similar -status: experimental +status: test description: Detects the creation of a new office macro files on the systems via an application (browser, mail client). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml index 5c1c138c920..f0095b1d8a5 100644 --- a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml @@ -1,6 +1,6 @@ title: Office Macro File Creation From Suspicious Process id: b1c50487-1967-4315-a026-6491686d860e -status: experimental +status: test description: Detects the creation of a office macro file from a a suspicious process references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml index 90502e03333..dce7b494af3 100644 --- a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml +++ b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml 
@@ -1,6 +1,6 @@ title: OneNote Attachment File Dropped In Suspicious Location id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0 -status: experimental +status: test description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments references: - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/ diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml index 57d4c9c5e45..00a6521a761 100644 --- a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml +++ b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml @@ -1,6 +1,6 @@ title: Suspicious File Created Via OneNote Application id: fcc6d700-68d9-4241-9a1a-06874d621b06 -status: experimental +status: test description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild references: - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/ diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml index 7584c5e4989..2ac2594b717 100644 --- a/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml +++ b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via Outlook Form id: c3edc6a5-d9d4-48d8-930e-aab518390917 -status: experimental +status: test description: Detects the creation of a new Outlook form which can contain malicious code references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76 diff --git a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml index 9be3ad79580..11ef28ccd3b 100644 --- a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml +++ b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml @@ -1,6 +1,6 @@ title: Publisher Attachment File Dropped In Suspicious Location id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1 -status: experimental +status: test description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents references: - https://twitter.com/EmericNasi/status/1623224526220804098 diff --git a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml index 071b2761742..de271fcef41 100644 --- a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml +++ b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml @@ -1,6 +1,6 @@ title: File With Uncommon Extension Created By An Office Application id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4 -status: experimental +status: test description: Detects the creation of files with an executable or script extension by an Office application. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ 
diff --git a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml index f94bc1b6359..ee48d140595 100644 --- a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml +++ b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml @@ -1,6 +1,6 @@ title: Uncommon File Created In Office Startup Folder id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d -status: experimental +status: test description: Detects the creation of a file with an uncommon extension in an Office application startup folder references: - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/ diff --git a/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml index 3999f8481fb..dca8c2bb922 100644 --- a/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml +++ b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml @@ -1,6 +1,6 @@ title: Suspicious File Created In PerfLogs id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b -status: experimental +status: test description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml b/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml index b0be4a1985b..265abe5dac9 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml 
@@ -1,6 +1,6 @@ title: Potential Binary Or Script Dropper Via PowerShell id: 7047d730-036f-4f40-b9d8-1c63e36d5e62 -status: experimental +status: test description: Detects PowerShell creating a binary executable or a script file. references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution diff --git a/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml b/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml index e622ef627c1..6bb60c37901 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml @@ -1,6 +1,6 @@ title: PowerShell Script Dropped Via PowerShell.EXE id: 576426ad-0131-4001-ae01-be175da0c108 -status: experimental +status: test description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence. references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml index dfaa770a897..98cd38a339d 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml @@ -1,6 +1,6 @@ title: PowerShell Module File Created id: e36941d0-c0f0-443f-bc6f-cb2952eb69ea -status: experimental +status: test description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml index 094d09c106f..e3ad338f545 100644 
--- a/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml @@ -1,6 +1,6 @@ title: Potential Suspicious PowerShell Module File Created id: e8a52bbd-bced-459f-bd93-64db45ce7657 -status: experimental +status: test description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder. references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml index 1495dbf22c1..d351e677c55 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml @@ -1,6 +1,6 @@ title: PowerShell Module File Created By Non-PowerShell Process id: e3845023-ca9a-4024-b2b2-5422156d5527 -status: experimental +status: test description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml index b0d69d9db0d..fb01a98a154 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml 
@@ -1,6 +1,6 @@ title: Potential Startup Shortcut Persistence Via PowerShell.EXE id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d -status: experimental +status: test description: | Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. diff --git a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml index 9d1dffd77ef..446de019ce3 100644 --- a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml +++ b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml @@ -1,6 +1,6 @@ title: PSScriptPolicyTest Creation By Uncommon Process id: 1027d292-dd87-4a1a-8701-2abe04d7783c -status: experimental +status: test description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker. references: - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/ diff --git a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml index f5254b05e8f..d44d34f4750 100644 --- a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml @@ -1,6 +1,6 @@ title: RDP File Creation From Suspicious Application id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d -status: experimental +status: test description: Detects Rclone config file being created references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ 
diff --git a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml index 6f4067d1aba..614b897e954 100644 --- a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml +++ b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml @@ -3,7 +3,7 @@ id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5 related: - id: b1f73849-6329-4069-bc8f-78a604bb8b23 type: similar -status: experimental +status: test description: | Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution. diff --git a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml index 4aeb3536e3a..96e93c58d01 100644 --- a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml +++ b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml @@ -1,6 +1,6 @@ title: Potential RipZip Attack on Startup Folder id: a6976974-ea6f-4e97-818e-ea08625c52cb -status: experimental +status: test description: | Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. diff --git a/rules/windows/file/file_event/file_event_win_sam_dump.yml b/rules/windows/file/file_event/file_event_win_sam_dump.yml index b06fbaabf48..0f8cc159d22 100644 --- a/rules/windows/file/file_event/file_event_win_sam_dump.yml +++ b/rules/windows/file/file_event/file_event_win_sam_dump.yml 
@@ -1,6 +1,6 @@ title: Potential SAM Database Dump id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0 -status: experimental +status: test description: Detects the creation of files that look like exports of the local SAM (Security Account Manager) references: - https://github.com/search?q=CVE-2021-36934 diff --git a/rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml b/rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml index dbcd9f762fe..66b57b2afad 100644 --- a/rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml +++ b/rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml @@ -1,6 +1,6 @@ title: Scheduled Task Created - FileCreation id: a762e74f-4dce-477c-b023-4ed81df600f9 -status: experimental +status: test description: Detects the creation of a scheduled task via file creation. references: - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/ diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml index 2abc355ad0a..bf7c085233e 100644 --- a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml +++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml @@ -1,6 +1,6 @@ title: Windows Shell/Scripting Application File Write to Suspicious Folder id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 -status: experimental +status: test description: Detects Windows shells and scripting applications that write files to suspicious folders references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml index 2255408e868..111ece628cd 100644 --- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml 
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml @@ -3,7 +3,7 @@ id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62 related: - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 type: derived -status: experimental +status: test description: Detects Windows executables that writes files with suspicious extensions references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml index 3c9a63ebbe9..70a12e5a252 100644 --- a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml +++ b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml @@ -1,6 +1,6 @@ title: Suspicious Creation with Colorcpl id: e15b518d-b4ce-4410-a9cd-501f23ce4a18 -status: experimental +status: test description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\ references: - https://twitter.com/eral4m/status/1480468728324231172?s=20 diff --git a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml index 9c942db5f6b..68b29e78f92 100644 --- a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml +++ b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml @@ -3,7 +3,7 @@ id: a8f866e1-bdd4-425e-a27a-37619238d9c7 related: - id: 0900463c-b33b-49a8-be1d-552a3b553dae type: similar -status: experimental +status: test description: | Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe" references: diff --git a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml index 46d20787500..c54c39906f7 100644 
--- a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml +++ b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml @@ -1,6 +1,6 @@ title: Potential Homoglyph Attack Using Lookalike Characters in Filename id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6 -status: experimental +status: test description: | Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml index ae9c0297b86..03fc2f92ef7 100644 --- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml +++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml @@ -1,6 +1,6 @@ title: Legitimate Application Dropped Executable id: f0540f7e-2db3-4432-b9e0-3965486744bc -status: experimental +status: test description: Detects programs on a Windows system that should not write executables to disk references: - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326 diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml index e271d35b5c3..3642c3a83e1 100644 --- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml +++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml 
@@ -1,6 +1,6 @@ title: Legitimate Application Dropped Script id: 7d604714-e071-49ff-8726-edeb95a70679 -status: experimental +status: test description: Detects programs on a Windows system that should not write scripts to disk references: - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326 diff --git a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml index a70fa7bfbb6..4cf91ba39f0 100644 --- a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml +++ b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml @@ -3,7 +3,7 @@ id: 3215aa19-f060-4332-86d5-5602511f3ca8 related: - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e type: derived -status: experimental +status: test description: | Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default. references: diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml index 9d7dddc176c..e3aff371df4 100644 --- a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml +++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml @@ -3,7 +3,7 @@ id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca related: - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 type: derived -status: experimental +status: test description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware references: - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets 
diff --git a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml index ac680022062..67b11b2ea71 100644 --- a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml @@ -3,7 +3,7 @@ id: 28208707-fe31-437f-9a7f-4b1108b94d2e related: - id: 2aa0a6b4-a865-495b-ab51-c28249537b75 type: similar -status: experimental +status: test description: Detects when a file with a suspicious extension is created in the startup folder references: - https://github.com/last-byte/PersistenceSniper diff --git a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml index eb023d40df8..580481f1227 100644 --- a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml +++ b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml @@ -3,7 +3,7 @@ id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502 related: - id: b5b78988-486d-4a80-b991-930eff3ff8bf type: similar -status: experimental +status: test description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2 diff --git a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml index c5cbca4ce3f..25dcc3ed117 100644 --- a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml +++ b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml 
@@ -1,6 +1,6 @@ title: Windows Terminal Profile Settings Modification By Uncommon Process id: 9b64de98-9db3-4033-bd7a-f51430105f00 -status: experimental +status: test description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process. references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile diff --git a/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml b/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml index 51ed8361737..3f54ec7bde7 100644 --- a/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml +++ b/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml @@ -3,7 +3,7 @@ id: 34746e8c-5fb8-415a-b135-0abc167e912a related: - id: 64827580-e4c3-4c64-97eb-c72325d45399 type: derived -status: experimental +status: test description: Detects the creation of binaries in the WinSxS folder by non-system processes references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml index fa1d013c368..7c1a3ac1e2e 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml @@ -1,6 +1,6 @@ title: LiveKD Kernel Memory Dump File Created id: 814ddeca-3d31-4265-8e07-8cc54fb44903 -status: experimental +status: test description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump. references: - Internal Research 
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml index 0d3f5c27f25..9a405099da1 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml @@ -1,6 +1,6 @@ title: LiveKD Driver Creation id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352 -status: experimental +status: test description: Detects the creation of the LiveKD driver, which is used for live kernel debugging references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml index 7b47f5169e5..e997ad9c53a 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml @@ -3,7 +3,7 @@ id: 059c5af9-5131-4d8d-92b2-de4ad6146712 related: - id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352 type: similar -status: experimental +status: test description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe". references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml index 5b3b14352bc..60e2e7816a3 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml 
@@ -1,6 +1,6 @@ title: Process Explorer Driver Creation By Non-Sysinternals Binary id: de46c52b-0bf8-4936-a327-aace94f94ac6 -status: experimental +status: test description: | Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards. diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml index 6c543a9a434..8feed78794e 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml @@ -1,6 +1,6 @@ title: Process Monitor Driver Creation By Non-Sysinternals Binary id: a05baa88-e922-4001-bc4d-8738135f27de -status: experimental +status: test description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself. references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml index 810a735192c..32facdcd8bd 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml @@ -1,6 +1,6 @@ title: PSEXEC Remote Execution File Artefact id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4 -status: experimental +status: test description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system references: - https://aboutdfir.com/the-key-to-identify-psexec/ 
diff --git a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml index 0fbc2c3c9a0..28736649e9e 100644 --- a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml +++ b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml @@ -1,6 +1,6 @@ title: LSASS Process Memory Dump Creation Via Taskmgr.EXE id: 69ca12af-119d-44ed-b50f-a47af0ebc364 -status: experimental +status: test description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager. author: Swachchhanda Shrawan Poudel date: 2023/10/19 diff --git a/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml b/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml index 99ade0380b0..0f1e97f311b 100644 --- a/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml +++ b/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml @@ -1,6 +1,6 @@ title: Visual Studio Code Tunnel Remote File Creation id: 56e05d41-ce99-4ecd-912d-93f019ee0b71 -status: experimental +status: test description: | Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature references: diff --git a/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml b/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml index 5bd3aeeb692..c5b2e80bb8d 100644 --- a/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml +++ b/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml 
@@ -1,6 +1,6 @@ title: Renamed VsCode Code Tunnel Execution - File Indicator id: d102b8f5-61dc-4e68-bd83-9a3187c67377 -status: experimental +status: test description: | Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode. references: diff --git a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml index 9599195f1be..3da63d7b03e 100644 --- a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml +++ b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml @@ -1,6 +1,6 @@ title: Wmiexec Default Output File id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb -status: experimental +status: test description: Detects the creation of the default output filename used by the wmiexec tool references: - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/ diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml index 2d3b6edcc00..23de6de3334 100644 --- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml +++ b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml @@ -1,6 +1,6 @@ title: Rename Common File to DLL File id: bbfd974c-248e-4435-8de6-1e938c79c5c1 -status: experimental +status: test description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection references: - https://twitter.com/ffforward/status/1481672378639912960 diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml index 7596ad23e7b..f0cca6f2cf3 100644 --- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml 
@@ -1,6 +1,6 @@ title: Suspicious Appended Extension id: e3f673b3-65d1-4d80-9146-466f8b63fa99 -status: experimental +status: test description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc. references: - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/ diff --git a/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml b/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml index 094936be330..d29daeb85cb 100644 --- a/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml +++ b/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml @@ -1,6 +1,6 @@ title: DLL Loaded From Suspicious Location Via Cmspt.EXE id: 75e508f7-932d-4ebc-af77-269237a84ce1 -status: experimental +status: test description: Detects cmstp loading "dll" or "ocx" files from suspicious locations references: - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml diff --git a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml index 419cded28cc..b8bb326b611 100644 --- a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml +++ b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml @@ -1,6 +1,6 @@ title: Amsi.DLL Loaded Via LOLBIN Process id: 6ec86d9e-912e-4726-91a2-209359b999b9 -status: experimental +status: test description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack references: - Internal Research 
diff --git a/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml b/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml index 0ce36f1c021..e603cbae182 100644 --- a/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml +++ b/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml @@ -1,6 +1,6 @@ title: Amsi.DLL Load By Uncommon Process id: facd1549-e416-48e0-b8c4-41d7215eedc8 -status: experimental +status: test description: Detects loading of Amsi.dll by uncommon processes references: - https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9 diff --git a/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml b/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml index 182b070ecdb..9449d14fcb9 100644 --- a/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml +++ b/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml @@ -1,6 +1,6 @@ title: Suspicious Renamed Comsvcs DLL Loaded By Rundll32 id: 8cde342c-ba48-4b74-b615-172c330f2e93 -status: experimental +status: test description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory references: - https://twitter.com/sbousseaden/status/1555200155351228419 diff --git a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml index 9934ec077d8..bf9f49625fc 100644 --- a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml +++ b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml 
@@ -1,6 +1,6 @@ title: CredUI.DLL Loaded By Uncommon Process id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 -status: experimental +status: test description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW". references: - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html diff --git a/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml b/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml index 70aac6e449c..57031a4c98b 100644 --- a/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml +++ b/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml @@ -1,6 +1,6 @@ title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE id: ec8c4047-fad9-416a-8c81-0f479353d7f6 -status: experimental +status: test description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library references: - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/ diff --git a/rules/windows/image_load/image_load_dll_system_drawing_load.yml b/rules/windows/image_load/image_load_dll_system_drawing_load.yml index 51324c3207b..e251ff60b25 100644 --- a/rules/windows/image_load/image_load_dll_system_drawing_load.yml +++ b/rules/windows/image_load/image_load_dll_system_drawing_load.yml @@ -1,6 +1,6 @@ title: System Drawing DLL Load id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c -status: experimental +status: test description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/16 
diff --git a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml index 6852243b24b..953d3105c61 100644 --- a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml @@ -5,7 +5,7 @@ related: type: obsoletes - id: fe6e002f-f244-4278-9263-20e4b593827f type: obsoletes -status: experimental +status: test description: Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's "load powershell" extension. references: - https://adsecurity.org/?p=2921 diff --git a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml index 81dce59c451..0437cbe7c8a 100644 --- a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml @@ -5,7 +5,7 @@ related: type: similar - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll type: similar -status: experimental +status: test description: Detects the image load of vss_ps.dll by uncommon executables references: - https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add diff --git a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml index 52bf4d10224..55b5afe0df1 100644 --- a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml @@ -5,7 +5,7 @@ related: type: similar - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll type: similar -status: experimental +status: test description: Detects the image load of VSS DLL by uncommon executables references: - https://github.com/ORCx41/DeleteShadowCopies 
diff --git a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml index b8e409e86e3..00b1114d2bc 100644 --- a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml @@ -5,7 +5,7 @@ related: type: similar - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll type: similar -status: experimental +status: test description: Detects the image load of VSS DLL by uncommon executables references: - https://github.com/ORCx41/DeleteShadowCopies diff --git a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml index e9a420ed894..82bb13b6805 100644 --- a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml +++ b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml @@ -3,7 +3,7 @@ id: 49329257-089d-46e6-af37-4afce4290685 related: - id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c # Process Creation type: similar -status: experimental +status: test description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs references: - https://github.com/bats3c/EvtMute diff --git a/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml b/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml index 3754f73df05..148d0e35407 100644 --- a/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml +++ b/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml @@ -3,7 +3,7 @@ id: af4c4609-5755-42fe-8075-4effb49f5d44 related: - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185 type: derived -status: experimental +status: test description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location references: - https://www.mandiant.com/resources/blog/lnk-between-browsers 
diff --git a/rules/windows/image_load/image_load_office_powershell_dll_load.yml b/rules/windows/image_load/image_load_office_powershell_dll_load.yml index f99efc47d23..3c2235cb8ad 100644 --- a/rules/windows/image_load/image_load_office_powershell_dll_load.yml +++ b/rules/windows/image_load/image_load_office_powershell_dll_load.yml @@ -1,6 +1,6 @@ title: PowerShell Core DLL Loaded Via Office Application id: bb2ba6fb-95d4-4a25-89fc-30bb736c021a -status: experimental +status: test description: Detects PowerShell core DLL being loaded by an Office Product references: - Internal Research diff --git a/rules/windows/image_load/image_load_rundll32_remote_share_load.yml b/rules/windows/image_load/image_load_rundll32_remote_share_load.yml index ff412b655be..e93b5aac5db 100644 --- a/rules/windows/image_load/image_load_rundll32_remote_share_load.yml +++ b/rules/windows/image_load/image_load_rundll32_remote_share_load.yml @@ -1,6 +1,6 @@ title: Remote DLL Load Via Rundll32.EXE id: f40017b3-cb2e-4335-ab5d-3babf679c1de -status: experimental +status: test description: Detects a remote DLL load event via "rundll32.exe". references: - https://github.com/gabe-k/themebleed diff --git a/rules/windows/image_load/image_load_side_load_7za.yml b/rules/windows/image_load/image_load_side_load_7za.yml index 7b6804cb4b1..739d1f9cfa9 100644 --- a/rules/windows/image_load/image_load_side_load_7za.yml +++ b/rules/windows/image_load/image_load_side_load_7za.yml @@ -1,6 +1,6 @@ title: Potential 7za.DLL Sideloading id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57 -status: experimental +status: test description: Detects potential DLL sideloading of "7za.dll" references: - https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d diff --git a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml index 2c627a998ac..e9fcc62a14a 100644 
--- a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml +++ b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml @@ -1,6 +1,6 @@ title: Abusable DLL Potential Sideloading From Suspicious Location id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a -status: experimental +status: test description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations references: - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml index f3b89e3785d..b5b3a05f458 100644 --- a/rules/windows/image_load/image_load_side_load_antivirus.yml +++ b/rules/windows/image_load/image_load_side_load_antivirus.yml @@ -1,6 +1,6 @@ title: Potential Antivirus Software DLL Sideloading id: 552b6b65-df37-4d3e-a258-f2fc4771ae54 -status: experimental +status: test description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) diff --git a/rules/windows/image_load/image_load_side_load_appverifui.yml b/rules/windows/image_load/image_load_side_load_appverifui.yml index 3d6bac44839..0e06be8b9db 100644 --- a/rules/windows/image_load/image_load_side_load_appverifui.yml +++ b/rules/windows/image_load/image_load_side_load_appverifui.yml @@ -1,6 +1,6 @@ title: Potential appverifUI.DLL Sideloading id: ee6cea48-c5b6-4304-a332-10fc6446f484 -status: experimental +status: test description: Detects potential DLL sideloading of "appverifUI.dll" references: - https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ 
diff --git a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml index 0084022098b..0cc29e9717f 100644 --- a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml +++ b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml @@ -1,6 +1,6 @@ title: Aruba Network Service Potential DLL Sideloading id: 90ae0469-0cee-4509-b67f-e5efcef040f7 -status: experimental +status: test description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking references: - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09 diff --git a/rules/windows/image_load/image_load_side_load_avkkid.yml b/rules/windows/image_load/image_load_side_load_avkkid.yml index 1fb23bd4060..34f5dcc903e 100644 --- a/rules/windows/image_load/image_load_side_load_avkkid.yml +++ b/rules/windows/image_load/image_load_side_load_avkkid.yml @@ -1,6 +1,6 @@ title: Potential AVKkid.DLL Sideloading id: 952ed57c-8f99-453d-aee0-53a49c22f95d -status: experimental +status: test description: Detects potential DLL sideloading of "AVKkid.dll" references: - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml index 3f765ec9673..aa4e08c8301 100644 --- a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml +++ b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml 
@@ -1,6 +1,6 @@ title: Potential CCleanerDU.DLL Sideloading id: 1fbc0671-5596-4e17-8682-f020a0b995dc -status: experimental +status: test description: Detects potential DLL sideloading of "CCleanerDU.dll" references: - https://lab52.io/blog/2344-2/ diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml index 08ceb513245..eac6adb4aee 100644 --- a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml +++ b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml @@ -1,6 +1,6 @@ title: Potential CCleanerReactivator.DLL Sideloading id: 3735d5ac-d770-4da0-99ff-156b180bc600 -status: experimental +status: test description: Detects potential DLL sideloading of "CCleanerReactivator.dll" references: - https://lab52.io/blog/2344-2/ diff --git a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml index a97267762f8..29a3c5e73eb 100644 --- a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml +++ b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml @@ -1,6 +1,6 @@ title: Potential Chrome Frame Helper DLL Sideloading id: 72ca7c75-bf85-45cd-aca7-255d360e423c -status: experimental +status: test description: Detects potential DLL sideloading of "chrome_frame_helper.dll" references: - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html diff --git a/rules/windows/image_load/image_load_side_load_coregen.yml b/rules/windows/image_load/image_load_side_load_coregen.yml index 9dc7dbeef5e..454209dd137 100644 --- a/rules/windows/image_load/image_load_side_load_coregen.yml +++ b/rules/windows/image_load/image_load_side_load_coregen.yml 
@@ -1,6 +1,6 @@ title: Potential DLL Sideloading Using Coregen.exe id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171 -status: experimental +status: test description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/ diff --git a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml index 80b1818f603..c2f9fd7c7ea 100644 --- a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml +++ b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml @@ -1,6 +1,6 @@ title: Potential DLL Sideloading Of DBGCORE.DLL id: 9ca2bf31-0570-44d8-a543-534c47c33ed7 -status: experimental +status: test description: Detects DLL sideloading of "dbgcore.dll" references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) diff --git a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml index aca8455ca07..7f2e670b066 100644 --- a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml +++ b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml @@ -1,6 +1,6 @@ title: Potential DLL Sideloading Of DBGHELP.DLL id: 6414b5cd-b19d-447e-bb5e-9f03940b5784 -status: experimental +status: test description: Detects DLL sideloading of "dbghelp.dll" references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) diff --git a/rules/windows/image_load/image_load_side_load_eacore.yml b/rules/windows/image_load/image_load_side_load_eacore.yml index fa652280f5f..876836a5d49 100644 --- a/rules/windows/image_load/image_load_side_load_eacore.yml +++ b/rules/windows/image_load/image_load_side_load_eacore.yml 
@@ -1,6 +1,6 @@ title: Potential EACore.DLL Sideloading id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5 -status: experimental +status: test description: Detects potential DLL sideloading of "EACore.dll" references: - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ diff --git a/rules/windows/image_load/image_load_side_load_edputil.yml b/rules/windows/image_load/image_load_side_load_edputil.yml index c01ef110298..68731a236bc 100644 --- a/rules/windows/image_load/image_load_side_load_edputil.yml +++ b/rules/windows/image_load/image_load_side_load_edputil.yml @@ -1,6 +1,6 @@ title: Potential Edputil.DLL Sideloading id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2 -status: experimental +status: test description: Detects potential DLL sideloading of "edputil.dll" references: - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/ diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 77c56db45ec..13210cabbe4 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -1,6 +1,6 @@ title: Potential System DLL Sideloading From Non System Locations id: 4fc0deee-0057-4998-ab31-d24e46e0aba4 -status: experimental +status: test description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.) references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research) diff --git a/rules/windows/image_load/image_load_side_load_goopdate.yml b/rules/windows/image_load/image_load_side_load_goopdate.yml index 0efe6f037a8..9552d33e125 100644 --- a/rules/windows/image_load/image_load_side_load_goopdate.yml 
+++ b/rules/windows/image_load/image_load_side_load_goopdate.yml @@ -1,6 +1,6 @@ title: Potential Goopdate.DLL Sideloading id: b6188d2f-b3c4-4d2c-a17d-9706e0851af0 -status: experimental +status: test description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml index b6817ffa869..dbeeef9cdc0 100644 --- a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml +++ b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml @@ -1,6 +1,6 @@ title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e -status: experimental +status: test description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/image_load/image_load_side_load_iviewers.yml b/rules/windows/image_load/image_load_side_load_iviewers.yml index e50e6eae260..15b734624fe 100644 --- a/rules/windows/image_load/image_load_side_load_iviewers.yml +++ b/rules/windows/image_load/image_load_side_load_iviewers.yml @@ -1,6 +1,6 @@ title: Potential Iviewers.DLL Sideloading id: 4c21b805-4dd7-469f-b47d-7383a8fcb437 -status: experimental +status: test description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer) references: - https://www.secureworks.com/research/shadowpad-malware-analysis diff --git a/rules/windows/image_load/image_load_side_load_libvlc.yml b/rules/windows/image_load/image_load_side_load_libvlc.yml index 47c3653ef86..e2c12979a55 100644 --- a/rules/windows/image_load/image_load_side_load_libvlc.yml +++ b/rules/windows/image_load/image_load_side_load_libvlc.yml 
@@ -1,6 +1,6 @@ title: Potential Libvlc.DLL Sideloading id: bf9808c4-d24f-44a2-8398-b65227d406b6 -status: experimental +status: test description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe" references: - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html diff --git a/rules/windows/image_load/image_load_side_load_mfdetours.yml b/rules/windows/image_load/image_load_side_load_mfdetours.yml index e9f7437afeb..671b016a52d 100644 --- a/rules/windows/image_load/image_load_side_load_mfdetours.yml +++ b/rules/windows/image_load/image_load_side_load_mfdetours.yml @@ -1,6 +1,6 @@ title: Potential Mfdetours.DLL Sideloading id: d2605a99-2218-4894-8fd3-2afb7946514d -status: experimental +status: test description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. references: - Internal Research diff --git a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml index ff085caaec1..fd2fb734c0d 100644 --- a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml +++ b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml @@ -3,7 +3,7 @@ id: 948a0953-f287-4806-bbcb-3b2e396df89f related: - id: d2605a99-2218-4894-8fd3-2afb7946514d type: similar -status: experimental +status: test description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. references: - Internal Research diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml index e9ce6fbd254..0d674de9773 100644 
--- a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml +++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml @@ -3,7 +3,7 @@ id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 related: - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule type: similar -status: experimental +status: test description: Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation references: - https://decoded.avast.io/martinchlumecky/png-steganography/ diff --git a/rules/windows/image_load/image_load_side_load_office_dlls.yml b/rules/windows/image_load/image_load_side_load_office_dlls.yml index 3ad585cdd80..494e9718fce 100644 --- a/rules/windows/image_load/image_load_side_load_office_dlls.yml +++ b/rules/windows/image_load/image_load_side_load_office_dlls.yml @@ -1,6 +1,6 @@ title: Microsoft Office DLL Sideload id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f -status: experimental +status: test description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) diff --git a/rules/windows/image_load/image_load_side_load_rcdll.yml b/rules/windows/image_load/image_load_side_load_rcdll.yml index 869dc89a584..c7cd048a15a 100644 --- a/rules/windows/image_load/image_load_side_load_rcdll.yml +++ b/rules/windows/image_load/image_load_side_load_rcdll.yml @@ -1,6 +1,6 @@ title: Potential Rcdll.DLL Sideloading id: 6e78b74f-c762-4800-82ad-f66787f10c8a -status: experimental +status: test description: Detects potential DLL sideloading of rcdll.dll references: - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html 
diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml index 233b693cab6..031f8a2564c 100644 --- a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml +++ b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml @@ -1,6 +1,6 @@ title: Potential RjvPlatform.DLL Sideloading From Default Location id: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d -status: experimental +status: test description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default. references: - https://twitter.com/0gtweet/status/1666716511988330499 diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml index 16a2f947820..9736f91c35f 100644 --- a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml +++ b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml @@ -1,6 +1,6 @@ title: Potential RjvPlatform.DLL Sideloading From Non-Default Location id: 0e0bc253-07ed-43f1-816d-e1b220fe8971 -status: experimental +status: test description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location. references: - https://twitter.com/0gtweet/status/1666716511988330499 diff --git a/rules/windows/image_load/image_load_side_load_robform.yml b/rules/windows/image_load/image_load_side_load_robform.yml index d1935bd6197..59ae90ce250 100644 --- a/rules/windows/image_load/image_load_side_load_robform.yml +++ b/rules/windows/image_load/image_load_side_load_robform.yml 
@@ -1,6 +1,6 @@ title: Potential RoboForm.DLL Sideloading id: f64c9b2d-b0ad-481d-9d03-7fc75020892a -status: experimental +status: test description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager references: - https://twitter.com/StopMalvertisin/status/1648604148848549888 diff --git a/rules/windows/image_load/image_load_side_load_shelldispatch.yml b/rules/windows/image_load/image_load_side_load_shelldispatch.yml index 3b2313a4e06..2893eaa8ece 100644 --- a/rules/windows/image_load/image_load_side_load_shelldispatch.yml +++ b/rules/windows/image_load/image_load_side_load_shelldispatch.yml @@ -1,6 +1,6 @@ title: Potential ShellDispatch.DLL Sideloading id: 844f8eb2-610b-42c8-89a4-47596e089663 -status: experimental +status: test description: Detects potential DLL sideloading of "ShellDispatch.dll" references: - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ diff --git a/rules/windows/image_load/image_load_side_load_smadhook.yml b/rules/windows/image_load/image_load_side_load_smadhook.yml index d135bed8ada..5b658877606 100644 --- a/rules/windows/image_load/image_load_side_load_smadhook.yml +++ b/rules/windows/image_load/image_load_side_load_smadhook.yml @@ -1,6 +1,6 @@ title: Potential SmadHook.DLL Sideloading id: 24b6cf51-6122-469e-861a-22974e9c1e5b -status: experimental +status: test description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus references: - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/ diff --git a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml index 9c9dd392fb1..c0952513125 100644 --- a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml +++ b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml 
@@ -1,6 +1,6 @@ title: Potential SolidPDFCreator.DLL Sideloading id: a2edbce1-95c8-4291-8676-0d45146862b3 -status: experimental +status: test description: Detects potential DLL sideloading of "SolidPDFCreator.dll" references: - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ diff --git a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml index 44a5dcf5f93..3baab600a52 100644 --- a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml +++ b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml @@ -1,6 +1,6 @@ title: Potential Vivaldi_elf.DLL Sideloading id: 2092cacb-d77b-4f98-ab0d-32b32f99a054 -status: experimental +status: test description: Detects potential DLL sideloading of "vivaldi_elf.dll" references: - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml index 31459627106..1be2d7b8515 100644 --- a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml +++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml @@ -3,7 +3,7 @@ id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d related: - id: 273a8dd8-3742-4302-bcc7-7df5a80fe425 type: similar -status: experimental +status: test description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap. references: - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml index 16a2c60843e..0135e93a9da 100644 --- a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml 
+++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml @@ -3,7 +3,7 @@ id: 273a8dd8-3742-4302-bcc7-7df5a80fe425 related: - id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d type: similar -status: experimental +status: test description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap. references: - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 diff --git a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml index cfe513b7dca..ce13045665c 100644 --- a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml +++ b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml @@ -1,6 +1,6 @@ title: Potential DLL Sideloading Via VMware Xfer id: 9313dc13-d04c-46d8-af4a-a930cc55d93b -status: experimental +status: test description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL references: - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ diff --git a/rules/windows/image_load/image_load_side_load_waveedit.yml b/rules/windows/image_load/image_load_side_load_waveedit.yml index 75619e6bd4d..2caa069bee9 100644 --- a/rules/windows/image_load/image_load_side_load_waveedit.yml +++ b/rules/windows/image_load/image_load_side_load_waveedit.yml @@ -1,6 +1,6 @@ title: Potential Waveedit.DLL Sideloading id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb -status: experimental +status: test description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software. references: - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html 
diff --git a/rules/windows/image_load/image_load_side_load_wazuh.yml b/rules/windows/image_load/image_load_side_load_wazuh.yml index fb268f1a7a6..700461cc940 100644 --- a/rules/windows/image_load/image_load_side_load_wazuh.yml +++ b/rules/windows/image_load/image_load_side_load_wazuh.yml @@ -1,6 +1,6 @@ title: Potential Wazuh Security Platform DLL Sideloading id: db77ce78-7e28-4188-9337-cf30e2b3ba9f -status: experimental +status: test description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform references: - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html diff --git a/rules/windows/image_load/image_load_side_load_windows_defender.yml b/rules/windows/image_load/image_load_side_load_windows_defender.yml index 2ce295c436b..d0d150a9f59 100644 --- a/rules/windows/image_load/image_load_side_load_windows_defender.yml +++ b/rules/windows/image_load/image_load_side_load_windows_defender.yml @@ -3,7 +3,7 @@ id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc related: - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 type: similar -status: experimental +status: test description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool diff --git a/rules/windows/image_load/image_load_side_load_wwlib.yml b/rules/windows/image_load/image_load_side_load_wwlib.yml index cdd7b1a0e86..7de9b90e1d7 100644 --- a/rules/windows/image_load/image_load_side_load_wwlib.yml +++ b/rules/windows/image_load/image_load_side_load_wwlib.yml 
@@ -1,6 +1,6 @@ title: Potential WWlib.DLL Sideloading id: e2e01011-5910-4267-9c3b-4149ed5479cf -status: experimental +status: test description: Detects potential DLL sideloading of "wwlib.dll" references: - https://twitter.com/WhichbufferArda/status/1658829954182774784 diff --git a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml index 43f12df16f0..17cb4cb364a 100644 --- a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml +++ b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml @@ -1,6 +1,6 @@ title: Unsigned Module Loaded by ClickOnce Application id: 060d5ad4-3153-47bb-8382-43e5e29eda92 -status: experimental +status: test description: Detects unsigned module load by ClickOnce application. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index 9c5ed041352..a1206b18ddb 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml @@ -1,6 +1,6 @@ title: DLL Load By System Process From Suspicious Locations id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c -status: experimental +status: test description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public" references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml index df60f3ac044..0523dd935a0 100644 
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/rules/windows/image_load/image_load_susp_python_image_load.yml @@ -1,6 +1,6 @@ title: Python Image Load By Non-Python Process id: cbb56d62-4060-40f7-9466-d8aaf3123f83 -status: experimental +status: test description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe. references: - https://www.py2exe.org/ diff --git a/rules/windows/network_connection/net_connection_win_addinutil.yml b/rules/windows/network_connection/net_connection_win_addinutil.yml index a2ab3099ee2..aeb9f4db89e 100644 --- a/rules/windows/network_connection/net_connection_win_addinutil.yml +++ b/rules/windows/network_connection/net_connection_win_addinutil.yml @@ -1,6 +1,6 @@ title: Network Connection Initiated By AddinUtil.EXE id: 5205613d-2a63-4412-a895-3a2458b587b3 -status: experimental +status: test description: Detects network connections made by the Add-In deployment cache updating utility (AddInutil.exe), which could indicate command and control communication. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html diff --git a/rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml index 29f02674ef5..7d38d2a8fd0 100644 --- a/rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml +++ b/rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml @@ -1,6 +1,6 @@ title: Dfsvc.EXE Network Connection To Uncommon Ports id: 4c5fba4a-9ef6-4f16-823d-606246054741 -status: experimental +status: test description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to uncommon ports references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 
diff --git a/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml index a87886fd5f0..d22a45e5923 100644 --- a/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml +++ b/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml @@ -1,6 +1,6 @@ title: Suspicious Non-Browser Network Communication With Google API id: 7e9cf7b6-e827-11ed-a05b-0242ac120003 -status: experimental +status: test description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet) references: - https://github.com/looCiprian/GC2-sheet diff --git a/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml b/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml index 3850deadd9f..954d0a76361 100644 --- a/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml +++ b/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Network Connection To Notion API id: 7e9cf7b6-e827-11ed-a05b-15959c120003 -status: experimental +status: test description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2" references: - https://github.com/mttaggart/OffensiveNotion diff --git a/rules/windows/network_connection/net_connection_win_office_susp_ports.yml b/rules/windows/network_connection/net_connection_win_office_susp_ports.yml index 9000832e28e..a449e808a59 100644 --- a/rules/windows/network_connection/net_connection_win_office_susp_ports.yml +++ b/rules/windows/network_connection/net_connection_win_office_susp_ports.yml 
@@ -1,6 +1,6 @@ title: Suspicious Office Outbound Connections id: 3b5ba899-9842-4bc2-acc2-12308498bf42 -status: experimental +status: test description: Detects office suit applications communicating to target systems on uncommon ports references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml index 878ab20cd84..821598e43f5 100755 --- a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml @@ -1,6 +1,6 @@ title: PowerShell Initiated Network Connection id: 1f21ec3f-810d-4b0e-8045-322202e22b4b -status: experimental +status: test description: Detects a PowerShell process that initiates network connections. Check for suspicious target ports and target systems. references: - https://www.youtube.com/watch?v=DLtJTxMWZ2o diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml index b05cf39a94d..baf949daf94 100644 --- a/rules/windows/network_connection/net_connection_win_python.yml +++ b/rules/windows/network_connection/net_connection_win_python.yml @@ -1,6 +1,6 @@ title: Python Initiated Connection id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6 -status: experimental +status: test description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python 
diff --git a/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml index 14fe0fb50f2..a11cb579721 100644 --- a/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml +++ b/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml @@ -1,6 +1,6 @@ title: Suspicious Non-Browser Network Communication With Reddit API id: d7b09985-95a3-44be-8450-b6eadf49833e -status: experimental +status: test description: Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2 references: - https://github.com/kleiton0x00/RedditC2 diff --git a/rules/windows/network_connection/net_connection_win_susp_epmap.yml b/rules/windows/network_connection/net_connection_win_susp_epmap.yml index 6cff1bdea85..7f21a39286d 100644 --- a/rules/windows/network_connection/net_connection_win_susp_epmap.yml +++ b/rules/windows/network_connection/net_connection_win_susp_epmap.yml @@ -1,6 +1,6 @@ title: Suspicious Epmap Connection id: 628d7a0b-7b84-4466-8552-e6138bc03b43 -status: experimental +status: test description: Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC) references: - https://github.com/RiccardoAncarani/TaskShell/ diff --git a/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml b/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml index c3c8d98075a..a67408af9ac 100644 --- a/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml +++ b/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml 
@@ -3,7 +3,7 @@ id: edf3485d-dac4-4d50-90e4-b0e5813f7e60 related: - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 type: derived -status: experimental +status: test description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity. references: - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md diff --git a/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml index c4c72a3e43a..2a97eba532c 100644 --- a/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml +++ b/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml @@ -1,6 +1,6 @@ title: Suspicious Non-Browser Network Communication With Telegram API id: c3dbbc9f-ef1d-470a-a90a-d343448d5875 -status: experimental +status: test description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2 references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf diff --git a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml index cfe3b317c1d..1131b3efd03 100644 --- a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml +++ b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml 
@@ -1,6 +1,6 @@ title: Outbound Network Connection To Public IP Via Winlogon id: 7610a4ea-c06d-495f-a2ac-0a696abcfd3b -status: experimental +status: test description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ diff --git a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml index 950af41ab7f..b681973b40c 100644 --- a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml @@ -1,6 +1,6 @@ title: HackTool - CoercedPotato Named Pipe Creation id: 4d0083b3-580b-40da-9bba-626c19fe4033 -status: experimental +status: test description: Detects the pattern of a pipe name as used by the hack tool CoercedPotato references: - https://blog.hackvens.fr/articles/CoercedPotato.html diff --git a/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml index f6017cdbd51..aa9a5eec263 100644 --- a/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml @@ -1,6 +1,6 @@ title: HackTool - DiagTrackEoP Default Named Pipe id: 1f7025a6-e747-4130-aac4-961eb47015f1 -status: experimental +status: test description: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege. references: - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22 diff --git a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml index 0bbfcb29e40..0f9568efd46 100644 --- a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml 
+++ b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml @@ -1,6 +1,6 @@ title: HackTool - EfsPotato Named Pipe Creation id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 -status: experimental +status: test description: Detects the pattern of a pipe name as used by the hack tool EfsPotato references: - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 diff --git a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml index 3042597dffa..59a901f45ce 100644 --- a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml @@ -1,6 +1,6 @@ title: HackTool - Koh Default Named Pipe id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a -status: experimental +status: test description: Detects creation of default named pipes used by the Koh tool references: - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12 diff --git a/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml index 7835d408a9d..f0c2647aa12 100644 --- a/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml +++ b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml @@ -3,7 +3,7 @@ id: 41504465-5e3a-4a5b-a5b4-2a0baadd4463 related: - id: f3f3a972-f982-40ad-b63c-bca6afdfad7c type: derived -status: experimental +status: test description: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html 
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml index d5b16290928..40018bb3ba3 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml @@ -3,7 +3,7 @@ id: ec19ebab-72dc-40e1-9728-4c0b805d722c related: - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2 type: similar -status: experimental +status: test description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md diff --git a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml index 69cb7347b91..c3a3cb8ede5 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml @@ -5,7 +5,7 @@ related: type: similar - id: 9e620995-f2d8-4630-8430-4afd89f77604 type: similar -status: experimental +status: test description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration. references: - https://github.com/samratashok/ADModule diff --git a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml index 6681b902120..67a3c7e8897 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 type: obsoletes -status: experimental +status: test description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance references: - https://github.com/PowerShellMafia/PowerSploit diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml index 49608737f22..12c523d36c6 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml @@ -1,6 +1,6 @@ title: PowerShell Get Clipboard id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78 -status: experimental +status: test description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/16 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml index 4411512e443..9b235eb1ae2 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml @@ -3,7 +3,7 @@ id: 2f211361-7dce-442d-b78a-c04039677378 related: - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 type: derived -status: experimental +status: test description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below references: - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml index 6b1cef4f78b..5984513a787 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml @@ -3,7 +3,7 @@ id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb related: - id: e55a5195-4724-480e-a77e-3ebe64bd3759 type: derived -status: experimental +status: test description: Detects Obfuscated Powershell via use MSHTA in Scripts references: - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31) diff --git a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml index 73cd2f78e8c..c5b7cae9831 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml @@ -7,7 +7,7 @@ related: type: similar - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock type: similar -status: experimental +status: test description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml index 6730552bc73..66054fa1f2e 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml 
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml @@ -3,7 +3,7 @@ id: de41232e-12e8-49fa-86bc-c05c7e722df9 related: - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 type: derived -status: experimental +status: test description: Detects suspicious PowerShell download command author: Florian Roth (Nextron Systems) date: 2017/03/05 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml index 5628af37b02..5b22d096c4e 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml @@ -5,7 +5,7 @@ related: type: derived - id: ed965133-513f-41d9-a441-e38076a0798f type: similar -status: experimental +status: test description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (Nextron Systems) date: 2017/03/12 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml index bf4c048020b..e3e58c6b491 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml @@ -7,7 +7,7 @@ related: type: similar - id: 536e2947-3729-478c-9903-745aaffe60d2 type: similar -status: experimental +status: test description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro date: 2017/03/05 diff --git a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml index 30e9e89c19b..df3893d2b41 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml @@ -3,7 +3,7 @@ id: 91e69562-2426-42ce-a647-711b8152ced6 related: - id: c86500e9-a645-4680-98d7-f882c70c1ea3 type: similar -status: experimental +status: test description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. references: - https://o365blog.com/aadinternals/ diff --git a/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml b/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml index 51ed8b287d0..25c9abb2ac6 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml @@ -5,7 +5,7 @@ related: type: similar - id: 74176142-4684-4d8a-8b0a-713257e7df8e type: similar -status: experimental +status: test description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration. references: - https://github.com/samratashok/ADModule diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml index 8180f26f907..58f21aee39d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml 
@@ -3,7 +3,7 @@ id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429 related: - id: b36d01a3-ddaf-4804-be18-18a6247adfcd type: similar -status: experimental +status: test description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. references: - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml index 1970394e349..7973d890ca6 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml @@ -3,7 +3,7 @@ id: fa2559c8-1197-471d-9cdd-05a0273d4522 related: - id: 92a974db-ab84-457f-9ec0-55db83d7a825 type: similar -status: experimental +status: test description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities references: - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml index 987d0f8e92a..eddd5f9c470 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml @@ -1,6 +1,6 @@ title: Potential Data Exfiltration Via Audio File id: e4f93c99-396f-47c8-bb0f-201b1fa69034 -status: experimental +status: test description: Detects potential exfiltration attempt via audio file using PowerShell references: - https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml index fd1f8201789..5560c705ac6 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml @@ -1,6 +1,6 @@ title: Potential In-Memory Execution Using Reflection.Assembly id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a -status: experimental +status: test description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50 diff --git a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml index 4d15f4b03c4..9b7fcf1e28e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml @@ -3,7 +3,7 @@ id: 3c7d1587-3b13-439f-9941-7d14313dbdfe related: - id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf type: similar -status: experimental +status: test description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID references: - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0 diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml index feb1f9faced..1dccc7e51a5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml 
@@ -3,7 +3,7 @@ id: 55c925c1-7195-426b-a136-a9396800e29b related: - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918 type: similar -status: experimental +status: test description: | Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images diff --git a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml index 13adc62bf7f..d43feb7e115 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml @@ -3,7 +3,7 @@ id: df69cb1d-b891-4cd9-90c7-d617d90100ce related: - id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f type: similar -status: experimental +status: test description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml index d56143b141b..c33ca7f3638 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml @@ -1,6 +1,6 @@ title: Active Directory Computers Enumeration With Get-AdComputer id: 36bed6b2-e9a0-4fff-beeb-413a92b86138 -status: experimental +status: test description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory. references: - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml index ec9455f00fa..d36c06abbbc 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml @@ -1,6 +1,6 @@ title: Security Software Discovery Via Powershell Script id: 904e8e61-8edf-4350-b59c-b905fc8e810c -status: experimental +status: test description: | Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml index 9daa5f3ef44..60528cd72c7 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml @@ -3,7 +3,7 @@ id: 3245cd30-e015-40ff-a31d-5cadd5f377ec related: - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 type: similar -status: experimental +status: test description: Detects the execution of the hacktool Rubeus using specific command line flags references: - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus diff --git a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml index 8bd15a134f6..2d4a229c484 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml @@ -3,7 +3,7 @@ id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab related: - id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3 type: similar -status: experimental +status: test description: Detects powershell scripts that import modules from suspicious directories references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml index 5470e201072..3a102abf4dc 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml @@ -3,7 +3,7 @@ id: 975b2262-9a49-439d-92a6-0709cccdf0b2 related: - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a type: similar -status: experimental +status: test description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages references: - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml index 3072d3a9dc6..cb348064347 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml 
@@ -1,6 +1,6 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 -status: experimental +status: test description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 references: - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml index 1da9d4f781e..e5656f1e924 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml @@ -1,6 +1,6 @@ title: Malicious Nishang PowerShell Commandlets id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 -status: experimental +status: test description: Detects Commandlet names and arguments from the Nishang exploitation framework references: - https://github.com/samratashok/nishang diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml index 49e61249420..6e30760c71c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml @@ -1,6 +1,6 @@ title: PowerShell Remote Session Creation id: a0edd39f-a0c6-4c17-8141-261f958e8d8f -status: experimental +status: test description: | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml index 224cd89dd25..cccdd23f261 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml @@ -7,7 +7,7 @@ related: type: similar - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module type: similar -status: experimental +status: test description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml index 68f8133dd63..6e40bbde91c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml @@ -1,6 +1,6 @@ title: PowerShell Script With File Hostname Resolving Capabilities id: fbc5e92f-3044-4e73-a5c6-1c4359b539de -status: experimental +status: test description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries. references: - https://www.fortypoundhead.com/showcontent.asp?artid=24022 diff --git a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml index 47cd9c59d34..39880049471 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml @@ -1,6 +1,6 @@ title: PowerShell Script With File Upload Capabilities id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb -status: experimental +status: test description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml index 55bcb8aa40f..aca0db52632 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml @@ -7,7 +7,7 @@ related: type: derived - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High type: derived -status: experimental +status: test description: Detects PowerShell scripts set ACL to of a file or a folder references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml index 6dd1f808557..ff1923b702f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml 
@@ -7,7 +7,7 @@ related: type: derived - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low type: derived -status: experimental +status: test description: Detects PowerShell scripts to set the ACL to a file in the Windows folder references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index baed83349c4..be739c0b496 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml @@ -7,7 +7,7 @@ related: type: similar - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry type: similar -status: experimental +status: test description: Detects use of Set-ExecutionPolicy to set insecure policies references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml index 4488e2ae15b..ca6e9f06485 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Security Descriptors - ScriptBlock id: 2f77047c-e6e9-4c11-b088-a3de399524cd -status: experimental +status: test description: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project. references: - https://github.com/HarmJ0y/DAMP 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml index 1203f0ab58f..2e09e11bd8b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml @@ -3,7 +3,7 @@ id: e8314f79-564d-4f79-bc13-fbc0bf2660d8 related: - id: 96cd126d-f970-49c4-848a-da3a09f55c55 type: derived -status: experimental +status: test description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation references: - Internal Research diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml index 8ab4eb08f79..a1b66299621 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml @@ -7,7 +7,7 @@ related: type: similar - id: 536e2947-3729-478c-9903-745aaffe60d2 type: similar -status: experimental +status: test description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro date: 2017/03/05 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml index 61071b01be4..fcb2b047ab0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml 
@@ -1,6 +1,6 @@ title: Change User Agents with WebRequest id: d4488827-73af-4f8d-9244-7b7662ef046e -status: experimental +status: test description: | Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml index 785f036b6db..f794f04bdc0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml @@ -1,6 +1,6 @@ title: Potential Keylogger Activity id: 965e2db9-eddb-4cf6-a986-7a967df651e4 -status: experimental +status: test description: Detects PowerShell scripts that contains reference to keystroke capturing functions references: - https://twitter.com/ScumBots/status/1610626724257046529 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml index 4ec7187d452..cffcb7dfaa3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml @@ -3,7 +3,7 @@ id: 96cd126d-f970-49c4-848a-da3a09f55c55 related: - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8 type: derived -status: experimental +status: test description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts references: - https://github.com/1337Rin/Swag-PSO 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml index 5499f3a0def..c62ab67ba67 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml @@ -3,7 +3,7 @@ id: 14c71865-6cd3-44ae-adaa-1db923fae5f2 related: - id: ec19ebab-72dc-40e1-9728-4c0b805d722c type: derived -status: experimental +status: test description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml index 568b04977c6..580ee4f7ef5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml @@ -3,7 +3,7 @@ id: f3a98ce4-6164-4dd4-867c-4d83de7eca51 related: - id: deb9b646-a508-44ee-b7c9-d8965921c6b6 type: similar -status: experimental +status: test description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation references: - https://github.com/danielbohannon/Invoke-Obfuscation diff --git a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml index 96b56cccc8c..91e7f0c9a75 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml 
@@ -1,6 +1,6 @@ title: Veeam Backup Servers Credential Dumping Script Execution id: 976d6e6f-a04b-4900-9713-0134a353e38b -status: experimental +status: test description: Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials. references: - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/ diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml index 77d721e972d..0ac2eb869f9 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml @@ -3,7 +3,7 @@ id: 1139d2e2-84b1-4226-b445-354492eba8ba related: - id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d type: derived -status: experimental +status: test description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs references: - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/ diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml index db275c86fcc..f8547cc4191 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml 
@@ -1,6 +1,6 @@ title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript id: e2812b49-bae0-4b21-b366-7c142eafcde2 -status: experimental +status: test description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script references: - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml index 20df8bdd808..51dd93bdc8b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml @@ -3,7 +3,7 @@ id: 03d83090-8cba-44a0-b02f-0b756a050306 related: - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702 type: similar -status: experimental +status: test description: Detects use of WinAPI functions in PowerShell scripts references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml index a02efba722b..5b56c82bb20 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml @@ -3,7 +3,7 @@ id: 488b44e7-3781-4a71-888d-c95abfacf44d related: - id: 12f6b752-042d-483e-bf9c-915a6d06ad75 type: similar -status: experimental +status: test description: Detects when a user disables the Windows Firewall via a Profile to help evade defense. references: - https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml index 56b3043b4ed..abefd5c8216 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml @@ -3,7 +3,7 @@ id: 504d63cb-0dba-4d02-8531-e72981aace2c related: - id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 type: similar -status: experimental +status: test description: Detect use of X509Enrollment references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42 diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml index e8d5a41a73b..12d6d22135e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml @@ -1,6 +1,6 @@ title: Powershell XML Execute Command id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b -status: experimental +status: test description: | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml index 66438bb408a..d593a5c8ba3 100755 --- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml 
@@ -1,6 +1,6 @@ title: Credential Dumping Tools Accessing LSASS Memory id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d -status: experimental +status: test description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index 824d9090227..ee6011c6f2e 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -1,6 +1,6 @@ title: Direct Syscall of NtOpenProcess id: 3f3f3506-1895-401b-9cc3-e86b16e630d0 -status: experimental +status: test description: Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF. references: - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml index 4f6fa422e58..a925cec3283 100644 --- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml +++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml @@ -1,6 +1,6 @@ title: Potential NT API Stub Patching id: b916cba1-b38a-42da-9223-17114d846fd6 -status: experimental +status: test description: Detects potential NT API stub patching as seen used by the project PatchingAPI references: - https://github.com/D1rkMtr/UnhookingPatch diff --git a/rules/windows/process_access/proc_access_win_invoke_phantom.yml b/rules/windows/process_access/proc_access_win_invoke_phantom.yml index 5cec62e5a23..b1374edb8a8 100755 
--- a/rules/windows/process_access/proc_access_win_invoke_phantom.yml +++ b/rules/windows/process_access/proc_access_win_invoke_phantom.yml @@ -1,6 +1,6 @@ title: Potential Svchost Memory Access id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde -status: experimental +status: test description: Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM Windows event logging service. references: - https://github.com/hlldz/Invoke-Phant0m diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml index b9d2d0811f0..be16e7dd824 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml @@ -3,7 +3,7 @@ id: a18dd26b-6450-46de-8c91-9659150cf088 related: - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d type: obsoletes -status: experimental +status: test description: Detects process access to LSASS memory with suspicious access flags references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml index 81c4db3def4..1ed13a3df5a 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml @@ -1,6 +1,6 @@ title: LSASS Access From Program in Potentially Suspicious Folder id: fa34b441-961a-42fa-a100-ecc28c886725 -status: experimental +status: test description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights 
diff --git a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml index 70612f8b656..24a958d6409 100644 --- a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml +++ b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml @@ -3,7 +3,7 @@ id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 related: - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc type: derived -status: experimental +status: test description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ diff --git a/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml b/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml index 73fd3a8a6f7..1efaeec02ff 100644 --- a/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml +++ b/rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml @@ -1,6 +1,6 @@ title: Password Protected Compressed File Extraction Via 7Zip id: b717b8fd-6467-4d7d-b3d3-27f9a463af77 -status: experimental +status: test description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files. references: - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/ diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml index 9fa881746a7..e1ff2063ddb 100644 --- a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml 
@@ -1,6 +1,6 @@ title: Suspicious AddinUtil.EXE CommandLine Execution id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8 -status: experimental +status: test description: | Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload. references: diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml index 9c767d7dd53..dbbe9071827 100644 --- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml @@ -1,6 +1,6 @@ title: Uncommon Child Process Of AddinUtil.EXE id: b5746143-59d6-4603-8d06-acbd60e166ee -status: experimental +status: test description: | Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload. references: diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml index 81addd83bca..3f07b90bfe3 100644 --- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml 
@@ -1,6 +1,6 @@ title: Uncommon AddinUtil.EXE CommandLine Execution id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a -status: experimental +status: test description: | Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload. references: diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml index 8ff2f9ba0a7..23bf8f40882 100644 --- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml @@ -1,6 +1,6 @@ title: AddinUtil.EXE Execution From Uncommon Directory id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348 -status: experimental +status: test description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html diff --git a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml index d7d2885b419..b8baf532dbd 100644 --- a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml +++ b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml @@ -1,6 +1,6 @@ title: Potential Adplus.EXE Abuse id: 2f869d59-7f6a-4931-992c-cce556ff2d53 -status: experimental +status: test description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/ 
diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml index f99ca8092a1..3d424306a21 100644 --- a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml @@ -3,7 +3,7 @@ id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 related: - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab type: similar -status: experimental +status: test description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml index 0cbb8cd552a..2ee4d6d4d37 100644 --- a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml @@ -3,7 +3,7 @@ id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab related: - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 type: similar -status: experimental +status: test description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml index ad09e3ef8d9..24ce16161ba 100644 
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml @@ -7,7 +7,7 @@ related: type: similar - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec type: similar -status: experimental +status: test description: Detects potentially suspicious child processes of "aspnet_compiler.exe". references: - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml index ad5e3d071da..b886495a809 100644 --- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml +++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml @@ -7,7 +7,7 @@ related: type: similar - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec type: similar -status: experimental +status: test description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation. references: - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system.yml b/rules/windows/process_creation/proc_creation_win_attrib_system.yml index 6c0b06dbe49..92ce6018c60 100644 --- a/rules/windows/process_creation/proc_creation_win_attrib_system.yml +++ b/rules/windows/process_creation/proc_creation_win_attrib_system.yml @@ -3,7 +3,7 @@ id: bb19e94c-59ae-4c15-8c12-c563d23fe52b related: - id: efec536f-72e8-4656-8960-5e85d091345b type: similar -status: experimental +status: test description: Detects the execution of "attrib" with the "+s" flag to mark files as system files references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib 
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml index eb87a111652..f9bf2a80cfc 100644 --- a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml +++ b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml @@ -3,7 +3,7 @@ id: efec536f-72e8-4656-8960-5e85d091345b related: - id: bb19e94c-59ae-4c15-8c12-c563d23fe52b type: derived -status: experimental +status: test description: | Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs references: diff --git a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml index fde7ab4d972..c81031d3f32 100644 --- a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml @@ -1,6 +1,6 @@ title: Indirect Inline Command Execution Via Bash.EXE id: 5edc2273-c26f-406c-83f3-f4d948e740dd -status: experimental +status: test description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash references: - https://lolbas-project.github.io/lolbas/Binaries/Bash/ diff --git a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml index 9b467f6d25a..609d6dc9d21 100644 --- a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml 
@@ -3,7 +3,7 @@ id: 2d22a514-e024-4428-9dba-41505bd63a5b related: - id: 5edc2273-c26f-406c-83f3-f4d948e740dd type: similar -status: experimental +status: test description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash references: - https://lolbas-project.github.io/lolbas/Binaries/Bash/ diff --git a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml index 9ab5dc95882..8570b2fa38a 100644 --- a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml @@ -3,7 +3,7 @@ id: 811f459f-9231-45d4-959a-0266c6311987 related: - id: aaf46cdc-934e-4284-b329-34aa701e3771 type: similar -status: experimental +status: test description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/ diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml index cfb0d8aab93..1ed2acbb914 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml @@ -3,7 +3,7 @@ id: 99c840f2-2012-46fd-9141-c761987550ef related: - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7 type: similar -status: experimental +status: test description: Detects usage of bitsadmin downloading a file using an URL that contains an IP references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin 
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml index 0a3562b6deb..055a1e84dc3 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml @@ -1,6 +1,6 @@ title: Suspicious Download From File-Sharing Website Via Bitsadmin id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c -status: experimental +status: test description: Detects usage of bitsadmin downloading a file from a suspicious domain references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml index 40289c12059..d90c4f3d1e9 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml @@ -1,6 +1,6 @@ title: File With Suspicious Extension Downloaded Via Bitsadmin id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200 -status: experimental +status: test description: Detects usage of bitsadmin downloading a file with a suspicious extension references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml index 604c2fdd5c5..1938cbbd12d 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml 
@@ -1,6 +1,6 @@ title: File Download Via Bitsadmin To A Suspicious Target Folder id: 2ddef153-167b-4e89-86b6-757a9e65dcac -status: experimental +status: test description: Detects usage of bitsadmin downloading a file to a suspicious target folder references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml index 3d34532fe37..029d092f53d 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml @@ -1,6 +1,6 @@ title: File Download Via Bitsadmin To An Uncommon Target Folder id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248 -status: experimental +status: test description: Detects usage of bitsadmin downloading a file to uncommon target folder references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml index ea8e5507bc6..557cdcec130 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml @@ -3,7 +3,7 @@ id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 related: - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449 type: derived -status: experimental +status: test description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control references: - https://github.com/defaultnamehere/cookie_crimes/ 
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml index 418ae9f60bb..d1331368d0c 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml @@ -1,6 +1,6 @@ title: Chromium Browser Headless Execution To Mockbin Like Site id: 1c526788-0abe-4713-862f-b520da5e5316 -status: experimental +status: test description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data). references: - https://www.zscaler.com/blogs/security-research/steal-it-campaign diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml index 9088ee6df31..9a584816172 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml @@ -1,6 +1,6 @@ title: Suspicious Chromium Browser Instance Executed With Custom Extensions id: 27ba3207-dd30-4812-abbf-5d20c57d474e -status: experimental +status: test description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extensions references: - https://redcanary.com/blog/chromeloader/ diff --git a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml index 3bab7878376..94c889d7f56 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml 
+++ b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml @@ -3,7 +3,7 @@ id: b3d34dc5-2efd-4ae3-845f-8ec14921f449 related: - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 type: derived -status: experimental +status: test description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks references: - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf diff --git a/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml index b0e8ea59898..fbeb2b500d0 100644 --- a/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml @@ -3,7 +3,7 @@ id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a related: - id: 70ad0861-d1fe-491c-a45f-fa48148a300d type: similar -status: experimental +status: test description: Detects when a user downloads a file from an IP based URL using CertOC.exe references: - https://lolbas-project.github.io/lolbas/Binaries/Certoc/ diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml index 8cef809ca31..ba846886814 100644 --- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml @@ -3,7 +3,7 @@ id: 242301bc-f92f-4476-8718-78004a6efd9f related: - id: 84232095-ecca-4015-b0d7-7726507ee793 type: similar -status: experimental +status: test description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. references: - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml index 49ed6cb4e53..bb848a4bd8f 100644 --- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml @@ -3,7 +3,7 @@ id: 84232095-ecca-4015-b0d7-7726507ee793 related: - id: 242301bc-f92f-4476-8718-78004a6efd9f type: similar -status: experimental +status: test description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file. references: - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml index eded0e089d6..774d0a966a0 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml @@ -5,7 +5,7 @@ related: type: similar - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download type: similar -status: experimental +status: test description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml index bbcb67ce3ab..303a553852e 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download type: similar -status: experimental +status: test description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml index db283bb3197..8ea9c5d0376 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml @@ -3,7 +3,7 @@ id: ea0cdc3e-2239-4f26-a947-4e8f8224e464 related: - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a type: derived -status: experimental +status: test description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml index 56634768301..1c8dff03c8f 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml 
@@ -3,7 +3,7 @@ id: 82a6714f-4899-4f16-9c1e-9a333544d4c3 related: - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a type: derived -status: experimental +status: test description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior diff --git a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml index 08a7876dbe5..1e69c0c26db 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml @@ -1,6 +1,6 @@ title: Potential NTLM Coercion Via Certutil.EXE id: 6c6d9280-e6d0-4b9d-80ac-254701b64916 -status: experimental +status: test description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag references: - https://github.com/LOLBAS-Project/LOLBAS/issues/243 diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml index 28cdd22c237..95e57fe5f76 100644 --- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml @@ -1,6 +1,6 @@ title: Console CodePage Lookup Via CHCP id: 7090adee-82e2-4269-bd59-80691e7c6338 -status: experimental +status: test description: Detects use of chcp to look up the system locale value as part of host discovery references: - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ 
diff --git a/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml index 34f6f66a27d..a47f891713a 100644 --- a/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml +++ b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml @@ -1,6 +1,6 @@ title: Deleted Data Overwritten Via Cipher.EXE id: 4b046706-5789-4673-b111-66f25fe99534 -status: experimental +status: test description: | Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml index dd9a28ac9ee..16a8017383a 100644 --- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml +++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml @@ -1,6 +1,6 @@ title: Cloudflared Tunnel Connections Cleanup id: 7050bba1-1aed-454e-8f73-3f46f09ce56a -status: experimental +status: test description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections. references: - https://github.com/cloudflare/cloudflared diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml index c650c6561cc..9fe15ed7757 100644 --- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml +++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml 
@@ -1,6 +1,6 @@ title: Cloudflared Tunnel Execution id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 -status: experimental +status: test description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks. references: - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml index a3c1d7651b4..b8a74a55fb3 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml @@ -3,7 +3,7 @@ id: ae6f14e6-14de-45b0-9f44-c0986f50dc89 related: - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 type: derived -status: experimental +status: test description: | Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. diff --git a/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml b/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml index 9a3a7405ca6..1ca643dc6f6 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml 
@@ -1,6 +1,6 @@ title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE id: 044ba588-dff4-4918-9808-3f95e8160606 -status: experimental +status: test description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml index 2f56c9d48eb..48471fc16ad 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml @@ -1,6 +1,6 @@ title: File Deletion Via Del id: 379fa130-190e-4c3f-b7bc-6c8e834485f3 -status: experimental +status: test description: | Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml index ce00f3e6ef3..fdde9d91f8a 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml @@ -1,6 +1,6 @@ title: Greedy File Deletion Using Del id: 204b17ae-4007-471b-917b-b917b315c5db -status: experimental +status: test description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence. references: - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D 
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml index 3b2e6ea8c46..f242d335e16 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml @@ -1,6 +1,6 @@ title: Files And Subdirectories Listing Using Dir id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006 -status: experimental +status: test description: Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml index a8afa87fc26..f81862b0a67 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml @@ -1,6 +1,6 @@ title: Potential Dosfuscation Activity id: a77c1610-fc73-4019-8e29-0f51efc04a51 -status: experimental +status: test description: Detects possible payload obfuscation via the commandline references: - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf diff --git a/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml index 1ef55fdeded..79f44dfeffc 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml 
@@ -1,6 +1,6 @@ title: Suspicious File Execution From Internet Hosted WebDav Share id: f0507c0f-a3a2-40f5-acc6-7f543c334993 -status: experimental +status: test description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files references: - https://twitter.com/ShadowChasing1/status/1552595370961944576 diff --git a/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml index b8488e0c558..8af94c79549 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml @@ -1,6 +1,6 @@ title: Cmd.EXE Missing Space Characters Execution Anomaly id: a16980c2-0c56-4de0-9a79-17971979efdd -status: experimental +status: test description: | Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation of a fat finger problem (typo by the developer). diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml index ce960abcb8a..5da84fa4c41 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml @@ -1,6 +1,6 @@ title: Suspicious Ping/Copy Command Combination id: ded2b07a-d12f-4284-9b76-653e37b6c8b0 -status: experimental +status: test description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware. references: - Internal Research 
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml index 7657e3ab4e8..7477513ecd9 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml @@ -1,6 +1,6 @@ title: Suspicious Ping/Del Command Combination id: 54786ddc-5b8a-11ed-9b6a-0242ac120002 -status: experimental +status: test description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example references: - https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml index 8ff34b631ca..db197e0b06f 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml @@ -3,7 +3,7 @@ id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a related: - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 type: similar -status: experimental +status: test description: Detects the use of the redirection character ">" to redicrect information in commandline references: - https://ss64.com/nt/syntax-redirection.html diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml index bf889c045e9..950d81370cd 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml 
@@ -5,7 +5,7 @@ related: type: derived - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a type: similar -status: experimental +status: test description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ diff --git a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml index e052f5feb78..13f0a14a4fa 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml @@ -1,6 +1,6 @@ title: Directory Removal Via Rmdir id: 41ca393d-538c-408a-ac27-cf1e038be80c -status: experimental +status: test description: | Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. diff --git a/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml b/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml index 4e7b251f148..48f0b7638a8 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml @@ -1,6 +1,6 @@ title: Copy From VolumeShadowCopy Via Cmd.EXE id: c73124a7-3e89-44a3-bdc1-25fe4df754b1 -status: experimental +status: test description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use) references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 diff --git a/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml b/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml index 1dfcc69e886..e90aba9a10c 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml 
+++ b/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml @@ -3,7 +3,7 @@ id: 241e802a-b65e-484f-88cd-c2dc10f9206d related: - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003 type: obsoletes -status: experimental +status: test description: Detect the use of "<" to read and potentially execute a file via cmd.exe references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md diff --git a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml index 17f1ddc42f4..850e973cafe 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml @@ -1,6 +1,6 @@ title: Persistence Via Sticky Key Backdoor id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3 -status: experimental +status: test description: | By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched. diff --git a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml index 5dab95a0a13..f03cb33ac58 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml @@ -1,6 +1,6 @@ title: Unusual Parent Process For Cmd.EXE id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b -status: experimental +status: test description: Detects suspicious parent process for cmd.exe references: - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html 
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml index 1053f50bbdd..d22f3cb67b1 100644 --- a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml +++ b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml @@ -1,6 +1,6 @@ title: New Generic Credentials Added Via Cmdkey.EXE id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727 -status: experimental +status: test description: Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml index 87b40ce8d11..d0dcf114c00 100644 --- a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml @@ -1,6 +1,6 @@ title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE id: 07f8bdc2-c9b3-472a-9817-5a670b872f53 -status: experimental +status: test description: Detects usage of cmdkey to look for cached credentials on the system references: - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation diff --git a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml index c7abd6b8315..0a18f0c69f6 100644 --- a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml 
@@ -1,6 +1,6 @@ title: Uncommon Child Process Of Conhost.EXE id: 7dc2dedd-7603-461a-bc13-15803d132355 -status: experimental +status: test description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity. references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ diff --git a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml index cd0b375b769..d32235e9941 100644 --- a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml @@ -1,6 +1,6 @@ title: Conhost Spawned By Uncommon Parent Process id: cbb9e3d1-2386-4e59-912e-62f1484f7a89 -status: experimental +status: test description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity. references: - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html diff --git a/rules/windows/process_creation/proc_creation_win_csvde_export.yml b/rules/windows/process_creation/proc_creation_win_csvde_export.yml index 7502db2bea2..dc8cc918cc8 100644 --- a/rules/windows/process_creation/proc_creation_win_csvde_export.yml +++ b/rules/windows/process_creation/proc_creation_win_csvde_export.yml @@ -1,6 +1,6 @@ title: Active Directory Structure Export Via Csvde.EXE id: e5d36acd-acb4-4c6f-a13f-9eb203d50099 -status: experimental +status: test description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure. references: - https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms 
diff --git a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml index 79b8865e5fd..a993af3f72c 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml @@ -1,6 +1,6 @@ title: Potential Cookies Session Hijacking id: 5a6e1e16-07de-48d8-8aae-faa766c05e88 -status: experimental +status: test description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data. references: - https://curl.se/docs/manpage.html diff --git a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml index 3fe0a02c1d1..10da8a72133 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml @@ -1,6 +1,6 @@ title: Curl Web Request With Potential Custom User-Agent id: 85de1f22-d189-44e4-8239-dc276b45379b -status: experimental +status: test description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml index 89f690ac354..58e6052fec8 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml 
@@ -3,7 +3,7 @@ id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218 related: - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 type: similar -status: experimental +status: test description: Detects file downloads directly from IP address URL using curl.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml index 95bf8ca7aef..dd2190a9aae 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml @@ -1,6 +1,6 @@ title: Suspicious File Download From IP Via Curl.EXE id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 -status: experimental +status: test description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml index e22aa438043..fe83c5198f9 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml @@ -1,6 +1,6 @@ title: Suspicious File Download From File Sharing Domain Via Curl.EXE id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb -status: experimental +status: test description: Detects potentially suspicious file download from file sharing domains using curl.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers 
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml index aa565216196..5069b28e086 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml @@ -1,6 +1,6 @@ title: Insecure Transfer Via Curl.EXE id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec -status: experimental +status: test description: Detects execution of "curl.exe" with the "--insecure" flag. references: - https://curl.se/docs/manpage.html diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml index 6ac10640b65..6082f5f5eca 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml @@ -1,6 +1,6 @@ title: Insecure Proxy/DOH Transfer Via Curl.EXE id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77 -status: experimental +status: test description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH. references: - https://curl.se/docs/manpage.html diff --git a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml index bc5e79d67b5..f9fefc3b6ad 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml @@ -1,6 +1,6 @@ title: Local File Read Using Curl.EXE id: aa6f6ea6-0676-40dd-b510-6e46f02d8867 -status: experimental +status: test description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files. references: - https://curl.se/docs/manpage.html 
diff --git a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml index 2f3ca8f8c4b..d29a2bf73f1 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml @@ -5,7 +5,7 @@ related: type: derived - id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download type: similar -status: experimental +status: test description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file references: - https://twitter.com/max_mal_/status/1542461200797163522 diff --git a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml index b8a206282e3..3fec8ca31c6 100644 --- a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml +++ b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml @@ -3,7 +3,7 @@ id: e173ad47-4388-4012-ae62-bd13f71c18a8 related: - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451 type: similar -status: experimental +status: test description: | Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter diff --git a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml index da573abbb40..a801cacd0b7 100644 --- a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml 
@@ -1,6 +1,6 @@ title: Potentially Suspicious Child Process Of ClickOnce Application id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04 -status: experimental +status: test description: Detects potentially suspicious child processes of a ClickOnce deployment application references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml index c5dc889245b..1d197418c2a 100644 --- a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml @@ -1,6 +1,6 @@ title: DirLister Execution id: b4dc61f5-6cce-468e-a608-b48b469feaa2 -status: experimental +status: test description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files. references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml index c95f7c0dfe4..adf906fc507 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml 
@@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml index 34c9f9dbab6..6ca904192e9 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml @@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: | Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required. diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml index b78bfab516a..3d966f14a27 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml 
@@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ diff --git a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml index c6d0b7d62c7..09c74587a44 100644 --- a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml @@ -1,6 +1,6 @@ title: Dllhost.EXE Execution Anomaly id: e7888eb1-13b0-4616-bd99-4bc0c2b054b9 -status: experimental +status: test description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes. references: - https://redcanary.com/blog/child-processes/ diff --git a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml index a5d4bc085da..2c3ec73f7b5 100644 --- a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml 
@@ -1,6 +1,6 @@ title: Unusual Child Process of dns.exe id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3 -status: experimental +status: test description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml index d3ed4711e5e..b31f55077c9 100644 --- a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml @@ -1,6 +1,6 @@ title: Potential Discovery Activity Via Dnscmd.EXE id: b6457d63-d2a2-4e29-859d-4e7affc153d1 -status: experimental +status: test description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml index cfbc94e7f27..324f94a53eb 100644 --- a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml @@ -3,7 +3,7 @@ id: 9fc3072c-dc8f-4bf7-b231-18950000fadd related: - id: a20def93-0709-4eae-9bd2-31206e21e6b2 type: similar -status: experimental +status: test description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers references: - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ 
diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml index ace3c60f07d..b64926ce257 100644 --- a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml @@ -3,7 +3,7 @@ id: a20def93-0709-4eae-9bd2-31206e21e6b2 related: - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd type: similar -status: experimental +status: test description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers references: - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml index 319b155db9c..04ebdede872 100644 --- a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml +++ b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml @@ -1,6 +1,6 @@ title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE id: 01c42d3c-242d-4655-85b2-34f1739632f7 -status: experimental +status: test description: Detects usage of Dsacls to grant over permissive permissions references: - https://ss64.com/nt/dsacls.html diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml index 884b3a8c860..216376d20b8 100644 --- a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml +++ b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml 
@@ -1,6 +1,6 @@ title: Potential Password Spraying Attempt Using Dsacls.EXE id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c -status: experimental +status: test description: Detects possible password spraying attempts using Dsacls references: - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml index 5b2b0877011..4c370714e7d 100644 --- a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml @@ -1,6 +1,6 @@ title: DumpMinitool Execution id: dee0a7a3-f200-4112-a99b-952196d81e42 -status: experimental +status: test description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump" references: - https://twitter.com/mrd0x/status/1511415432888131586 diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml index c8fca0f7d6c..aff50762f35 100644 --- a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml @@ -1,6 +1,6 @@ title: Suspicious DumpMinitool Execution id: eb1c4225-1c23-4241-8dd4-051389fde4ce -status: experimental +status: test description: Detects suspicious ways to use the "DumpMinitool.exe" binary references: - https://twitter.com/mrd0x/status/1511415432888131586 diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index e9b33ee1f1b..717f93882e2 100644 
--- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml @@ -1,6 +1,6 @@ title: LSASS Process Reconnaissance Via Findstr.EXE id: fe63010f-8823-4864-a96b-a7b4a0f7b929 -status: experimental +status: test description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml index 859caea95cf..d70b253fc87 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml @@ -1,6 +1,6 @@ title: Permission Misconfiguration Reconnaissance Via Findstr.EXE id: 47e4bab7-c626-47dc-967b-255608c9a920 -status: experimental +status: test description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml index 8cf7a5f6aac..bdd6bd57a6d 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml 
@@ -3,7 +3,7 @@ id: ccb5742c-c248-4982-8c5c-5571b9275ad3 related: - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 type: derived -status: experimental +status: test description: | Detects the excution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this to extract specific information they require in their chain. references: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml index dcecd4f14cc..945b40bf6b4 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml @@ -3,7 +3,7 @@ id: 4fe074b4-b833-4081-8f24-7dcfeca72b42 related: - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 type: derived -status: experimental +status: test description: | Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter. diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml index 2c55ce3e6dd..dd1bd8a9158 100644 --- a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml +++ b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml 
@@ -1,6 +1,6 @@ title: Fsutil Behavior Set SymlinkEvaluation id: c0b2768a-dd06-4671-8339-b16ca8d1f27f -status: experimental +status: test description: | A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt diff --git a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml index 3db20c367de..e74fcc261f8 100644 --- a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml +++ b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml @@ -1,6 +1,6 @@ title: Suspicious Git Clone id: aef9d1f1-7396-4e92-a927-4567c7a495c1 -status: experimental +status: test description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious references: - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt diff --git a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml index 89b970ea392..4163f3cdb7e 100644 --- a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml @@ -3,7 +3,7 @@ id: 84b1ecf9-6eff-4004-bafb-bae5c0e251b2 related: - id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc type: derived -status: experimental +status: test description: Detects potentially suspicious child processes of "GoogleUpdate.exe" references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf 
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml index 7f1f207da48..53ce96a32ce 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml @@ -1,6 +1,6 @@ title: File Decryption Using Gpg4win id: 037dcd71-33a8-4392-bb01-293c94663e5a -status: experimental +status: test description: Detects usage of Gpg4win to decrypt files references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml index 4b692d985f1..9366d857c7b 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml @@ -1,6 +1,6 @@ title: File Encryption Using Gpg4win id: 550bbb84-ce5d-4e61-84ad-e590f0024dcd -status: experimental +status: test description: Detects usage of Gpg4win to encrypt files references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml index 71541371864..3ffc81e01d5 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml 
@@ -1,6 +1,6 @@ title: Portable Gpg.EXE Execution id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41 -status: experimental +status: test description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data. references: - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml index c2384841393..fe700842659 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml @@ -1,6 +1,6 @@ title: File Encryption/Decryption Via Gpg4win From Suspicious Locations id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d -status: experimental +status: test description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations. references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html diff --git a/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml b/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml index 8325b2d4ec7..02780e158e0 100644 --- a/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml @@ -1,6 +1,6 @@ title: Arbitrary Binary Execution Using GUP Utility id: d65aee4d-2292-4cea-b832-83accd6cfa43 -status: experimental +status: test description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables references: - https://twitter.com/nas_bench/status/1535322445439180803 
diff --git a/rules/windows/process_creation/proc_creation_win_gup_download.yml b/rules/windows/process_creation/proc_creation_win_gup_download.yml index 3426777fb8f..7c6a789e1f0 100644 --- a/rules/windows/process_creation/proc_creation_win_gup_download.yml +++ b/rules/windows/process_creation/proc_creation_win_gup_download.yml @@ -1,6 +1,6 @@ title: File Download Using Notepad++ GUP Utility id: 44143844-0631-49ab-97a0-96387d6b2d7c -status: experimental +status: test description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files. references: - https://twitter.com/nas_bench/status/1535322182863179776 diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml index 804183f55b0..617660a62a0 100644 --- a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml @@ -1,6 +1,6 @@ title: Remote CHM File Download/Execution Via HH.EXE id: f57c58b3-ee69-4ef5-9041-455bf39aaa89 -status: experimental +status: test description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files. references: - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certify.yml b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml index 66f07058763..84a39e8dd30 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_certify.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml 
@@ -1,6 +1,6 @@ title: HackTool - Certify Execution id: 762f2482-ff21-4970-8939-0aa317a886bb -status: experimental +status: test description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments. references: - https://github.com/GhostPack/Certify diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml index 5fca2ce7189..caec8a5de72 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml @@ -1,6 +1,6 @@ title: HackTool - Certipy Execution id: 6938366d-8954-4ddc-baff-c830b3ba8fcd -status: experimental +status: test description: Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments. references: - https://github.com/ly4k/Certipy diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml index 93d713b1d99..695ef4b2cbf 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml @@ -3,7 +3,7 @@ id: 647c7b9e-d784-4fda-b9a0-45c565a7b729 related: - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48 type: similar -status: experimental +status: test description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell references: - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml index 17dc63004f5..f9aed5927b5 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml @@ -3,7 +3,7 @@ id: 4f154fb6-27d1-4813-a759-78b93e0b9c48 related: - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729 type: similar -status: experimental +status: test description: Detects Cobalt Strike module/commands accidentally entered in CMD shell references: - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml index de94b836015..694d519b72c 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml @@ -1,6 +1,6 @@ title: Potential CobaltStrike Process Patterns id: f35c5d71-b489-4e22-a115-f003df287317 -status: experimental +status: test description: Detects potential process patterns related to Cobalt Strike beacon activity references: - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/ diff --git a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml index 3bc54475a79..56b9c88013e 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml 
@@ -1,6 +1,6 @@ title: HackTool - CoercedPotato Execution id: e8d34729-86a4-4140-adfd-0a29c2106307 -status: experimental +status: test description: Detects the use of CoercedPotato, a tool for privilege escalation references: - https://github.com/hackvens/CoercedPotato diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml index 5fe7ad34221..369687d9360 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml @@ -1,6 +1,6 @@ title: HackTool - CrackMapExec Process Patterns id: f26307d8-14cd-47e3-a26b-4b4769f24af6 -status: experimental +status: test description: Detects suspicious process patterns found in logs when CrackMapExec is used references: - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml index ee89630b60e..a1a52c01656 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml @@ -1,6 +1,6 @@ title: Suspicious Hacktool Execution - Imphash id: 24e3e58a-646b-4b50-adef-02ef935b9fc8 -status: experimental +status: test description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml index e00829046ab..b7064edd912 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml 
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml @@ -1,6 +1,6 @@ title: Suspicious Hacktool Execution - PE Metadata id: 37c1333a-a0db-48be-b64b-7393b2386e3b -status: experimental +status: test description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed references: - https://github.com/cube0x0 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml index eabcb9373ef..c38491eaa66 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml @@ -1,6 +1,6 @@ title: HackTool - GMER Rootkit Detector and Remover Execution id: 9082ff1f-88ab-4678-a3cc-5bcff99fc74d -status: experimental +status: test description: Detects the execution GMER tool based on image and hash fields. references: - http://www.gmer.net/ diff --git a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml index d51c41ec26b..c4c8064976e 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml @@ -1,6 +1,6 @@ title: HackTool - HandleKatz LSASS Dumper Execution id: ca621ba5-54ab-4035-9942-d378e6fcde3c -status: experimental +status: test description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same references: - https://github.com/codewhitesec/HandleKatz diff --git a/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml index 64cd45ece08..d69f34f7fd6 100644 
--- a/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml @@ -1,6 +1,6 @@ title: HackTool - Htran/NATBypass Execution id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e -status: experimental +status: test description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass) references: - https://github.com/HiwinCN/HTran diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml index b8c7e3bec6c..5f1d7cf3b3c 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml @@ -1,6 +1,6 @@ title: HackTool - Impersonate Execution id: cf0c254b-22f1-4b2b-8221-e137b3c0af94 -status: experimental +status: test description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively references: - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/ diff --git a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml index c2e1e91cc91..a8fbcc37512 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml @@ -1,6 +1,6 @@ title: HackTool - Inveigh Execution id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0 -status: experimental +status: test description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool references: - https://github.com/Kevin-Robertson/Inveigh 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml index ec9edd29333..d16f4c0f7ae 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml @@ -1,6 +1,6 @@ title: HackTool - Jlaive In-Memory Assembly Execution id: 0a99eb3e-1617-41bd-b095-13dc767f3def -status: experimental +status: test description: Detects the use of Jlaive to execute assemblies in a copied PowerShell references: - https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml index 6746a5308e2..61164e308b6 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml @@ -1,6 +1,6 @@ title: HackTool - KrbRelay Execution id: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4 -status: experimental +status: test description: Detects the use of KrbRelay, a Kerberos relaying tool references: - https://github.com/cube0x0/KrbRelay diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml index 6f4e18c2cbe..9d9670d3277 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml @@ -1,6 +1,6 @@ title: HackTool - KrbRelayUp Execution id: 12827a56-61a4-476a-a9cb-f3068f191073 -status: experimental +status: test description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced references: - https://github.com/Dec0ne/KrbRelayUp 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml index 3dd224222cd..e99a0ef71f9 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml @@ -1,6 +1,6 @@ title: HackTool - LocalPotato Execution id: 6bd75993-9888-4f91-9404-e1e4e4e34b77 -status: experimental +status: test description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples references: - https://www.localpotato.com/localpotato_html/LocalPotato.html diff --git a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml index 3dc568dbbb7..743a3b6ef2b 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml @@ -1,6 +1,6 @@ title: HackTool - PCHunter Execution id: fca949cc-79ca-446e-8064-01aa7e52ece5 -status: experimental +status: test description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff references: - http://www.xuetr.com/ diff --git a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml index dd4760d869b..b5a73187499 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml 
@@ -1,6 +1,6 @@ title: HackTool - PowerTool Execution id: a34f79a3-8e5f-4cc3-b765-de00695452c2 -status: experimental +status: test description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files references: - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ diff --git a/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml b/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml index 15851d9bff2..24ffc8da4d6 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml @@ -1,6 +1,6 @@ title: HackTool - Quarks PwDump Execution id: 0685b176-c816-4837-8e7b-1216f346636b -status: experimental +status: test description: Detects usage of the Quarks PwDump tool via commandline arguments references: - https://github.com/quarkslab/quarkspwdump diff --git a/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml index 7826291f5c9..e5518ac0ab9 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml @@ -1,6 +1,6 @@ title: HackTool - SafetyKatz Execution id: b1876533-4ed5-4a83-90f3-b8645840a413 -status: experimental +status: test description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name references: - https://github.com/GhostPack/SafetyKatz diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml index 8959f50a90d..598e2f82cdf 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml 
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml @@ -3,7 +3,7 @@ id: cf93e05e-d798-4d9e-b522-b0248dc61eaf related: - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5 type: similar -status: experimental +status: test description: Detects usage of the Sharp Chisel via the commandline arguments references: - https://github.com/shantanu561993/SharpChisel diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml index 2646ea73007..edef0dfdd86 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml @@ -3,7 +3,7 @@ id: f89b08d0-77ad-4728-817b-9b16c5a69c7a related: - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94 type: similar -status: experimental +status: test description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively references: - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/ diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml index c7eba389732..2d3b65c8335 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml @@ -1,6 +1,6 @@ title: HackTool - SharpLDAPmonitor Execution id: 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541 -status: experimental +status: test description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects. references: - https://github.com/p0dalirius/LDAPmonitor 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml index 3aaf738c709..3058094de2d 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml @@ -1,6 +1,6 @@ title: HackTool - SharPersist Execution id: 26488ad0-f9fd-4536-876f-52fea846a2e4 -status: experimental +status: test description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms references: - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml index b2ad94f1010..65c57c13365 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml @@ -3,7 +3,7 @@ id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c related: - id: 49329257-089d-46e6-af37-4afce4290685 # DLL load type: similar -status: experimental +status: test description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs references: - https://github.com/bats3c/EvtMute diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml index 74d93293706..824ed63e4bb 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml 
@@ -1,6 +1,6 @@ title: HackTool - SharpLdapWhoami Execution id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d -status: experimental +status: test description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller references: - https://github.com/bugch3ck/SharpLdapWhoami diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml index 92acde4c37a..05f088c62e9 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml @@ -1,6 +1,6 @@ title: HackTool - SharpUp PrivEsc Tool Execution id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1 -status: experimental +status: test description: Detects the use of SharpUp, a tool for local privilege escalation references: - https://github.com/GhostPack/SharpUp diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml index 1e254e2c0d2..6a0ff8282ec 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml @@ -3,7 +3,7 @@ id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d related: - id: dcd74b95-3f36-4ed9-9598-0490951643aa type: similar -status: experimental +status: test description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems references: - https://github.com/tevora-threat/SharpView/ diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml b/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml index ce30b7e46fb..20f72c3f3b9 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml 
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml @@ -1,6 +1,6 @@ title: HackTool - Sliver C2 Implant Activity Pattern id: 42333b2c-b425-441c-b70e-99404a17170f -status: experimental +status: test description: Detects process activity patterns as seen being used by Sliver C2 framework implants references: - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml index 1e2c088a370..bd889915fe5 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml @@ -1,6 +1,6 @@ title: HackTool - Stracciatella Execution id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539 -status: experimental +status: test description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics. references: - https://github.com/mgeeky/Stracciatella diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml index 278fcb649a1..33bc6301954 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml @@ -1,6 +1,6 @@ title: HackTool - SysmonEOP Execution id: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9 -status: experimental +status: test description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120 references: - https://github.com/Wh04m1001/SysmonEoP 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml b/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml index 99db403bc25..4b5b5a13666 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml @@ -1,6 +1,6 @@ title: HackTool - TruffleSnout Execution id: 69ca006d-b9a9-47f5-80ff-ecd4d25d481a -status: experimental +status: test description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration. references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml index 736eb477de8..081c0c219bc 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml @@ -1,6 +1,6 @@ title: HackTool - winPEAS Execution id: 98b53e78-ebaf-46f8-be06-421aafd176d9 -status: experimental +status: test description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz references: - https://github.com/carlospolop/PEASS-ng diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml b/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml index 588172b4a00..3b8781a7e32 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml 
@@ -1,6 +1,6 @@ title: HackTool - Wmiexec Default Powershell Command id: 022eaba8-f0bf-4dd9-9217-4604b0bb3bb0 -status: experimental +status: test description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script references: - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py diff --git a/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml b/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml index dae5610c1d2..06788d19cae 100644 --- a/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml +++ b/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml @@ -1,6 +1,6 @@ title: Potential Homoglyph Attack Using Lookalike Characters id: 32e280f1-8ad4-46ef-9e80-910657611fbc -status: experimental +status: test description: | Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml index 8158051e947..92411156ef5 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml @@ -1,6 +1,6 @@ title: Disable Windows IIS HTTP Logging id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e -status: experimental +status: test description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging 
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml index 7487035c8e9..24b8c18b15f 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml @@ -1,6 +1,6 @@ title: Microsoft IIS Service Account Password Dumped id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701 -status: experimental +status: test description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml index b1c60e9fcb4..d51a77ccfd2 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml @@ -1,6 +1,6 @@ title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd id: 7c8af9b2-dcae-41a2-a9db-b28c288b5f08 -status: experimental +status: test description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells. references: - https://twitter.com/malmoeb/status/1616702107242971144 diff --git a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml index 593b33c53d8..257b4e90bbe 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml 
+++ b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml @@ -1,6 +1,6 @@ title: Microsoft IIS Connection Strings Decryption id: 97dbf6e2-e436-44d8-abee-4261b24d3e41 -status: experimental +status: test description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html diff --git a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml index f77f6cafa12..fcd50fe5470 100644 --- a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml +++ b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml @@ -1,6 +1,6 @@ title: ImagingDevices Unusual Parent/Child Processes id: f11f2808-adb4-46c0-802a-8660db50fa99 -status: experimental +status: test description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ diff --git a/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml index 83caf9a7b09..a5634bbe857 100644 --- a/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml 
@@ -1,6 +1,6 @@ title: Suspicious Shells Spawn by Java Utility Keytool id: 90fb5e62-ca1f-4e22-b42e-cc521874c938 -status: experimental +status: test description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation) references: - https://redcanary.com/blog/intelligence-insights-december-2021 diff --git a/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml index d9029e28239..ea60e620f0a 100644 --- a/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml @@ -1,6 +1,6 @@ title: Suspicious Child Process Of Manage Engine ServiceDesk id: cea2b7ea-792b-405f-95a1-b903ea06458f -status: experimental +status: test description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service references: - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/ diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml index 9d556c12dc5..4da39b6881c 100644 --- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml @@ -1,6 +1,6 @@ title: Suspicious Shells Spawned by Java id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d -status: experimental +status: test description: Detects suspicious shell spawned from Java host process (e.g. log4j exploitation) author: Andreas Hunkeler (@Karneades), Florian Roth date: 2021/12/17 diff --git a/rules/windows/process_creation/proc_creation_win_kd_execution.yml b/rules/windows/process_creation/proc_creation_win_kd_execution.yml index 6196c0846ba..e9476b6a45e 100644 
--- a/rules/windows/process_creation/proc_creation_win_kd_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_kd_execution.yml @@ -1,6 +1,6 @@ title: Windows Kernel Debugger Execution id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e -status: experimental +status: test description: Detects execution of the Windows Kernel Debugger "kd.exe". references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml index f135e827e71..a809225e211 100644 --- a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml +++ b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml @@ -1,6 +1,6 @@ title: Computer Password Change Via Ksetup.EXE id: de16d92c-c446-4d53-8938-10aeef41c8b6 -status: experimental +status: test description: Detects password change for the computer's domain account or host principal via "ksetup.exe" references: - https://twitter.com/Oddvarmoe/status/1641712700605513729 diff --git a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml index 1aafe059d0e..1a38722e51a 100644 --- a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml +++ b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml @@ -1,6 +1,6 @@ title: Logged-On User Password Change Via Ksetup.EXE id: c9783e20-4793-4164-ba96-d9ee483992c4 -status: experimental +status: test description: Detects password change for the logged-on user's via "ksetup.exe" references: - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup 
diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_export.yml b/rules/windows/process_creation/proc_creation_win_ldifde_export.yml index 258c699c309..ebdacd3efa2 100644 --- a/rules/windows/process_creation/proc_creation_win_ldifde_export.yml +++ b/rules/windows/process_creation/proc_creation_win_ldifde_export.yml @@ -1,6 +1,6 @@ title: Active Directory Structure Export Via Ldifde.EXE id: 4f7a6757-ff79-46db-9687-66501a02d9ec -status: experimental +status: test description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure. references: - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml index b4692b468be..619b66d979f 100644 --- a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml +++ b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml @@ -1,6 +1,6 @@ title: Import LDAP Data Interchange Format File Via Ldifde.EXE id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f -status: experimental +status: test description: | Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server. references: diff --git a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml index 44ab5aaf403..216d599c982 100644 --- a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml +++ b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml 
@@ -1,6 +1,6 @@ title: Rebuild Performance Counter Values Via Lodctr.EXE id: cc9d3712-6310-4320-b2df-7cb408274d53 -status: experimental +status: test description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. references: - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml index 41509fdacb0..6bd179fffe1 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml @@ -1,6 +1,6 @@ title: Using AppVLP To Circumvent ASR File Path Rule id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 -status: experimental +status: test description: | Application Virtualization Utility is included with Microsoft Office. We are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml b/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml index 1640f883c46..baa4e6019c5 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml @@ -1,6 +1,6 @@ title: Lolbin Defaultpack.exe Use As Proxy id: b2309017-4235-44fe-b5af-b15363011957 -status: experimental +status: test description: Detect usage of the "defaultpack.exe" binary as a proxy to launch other programs references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/ 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml b/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml index b4b668dcde4..a6a8303deb1 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml @@ -1,6 +1,6 @@ title: Process Memory Dump Via Dotnet-Dump id: 53d8d3e1-ca33-4012-adf3-e05a4d652e34 -status: experimental +status: test description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS references: - https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml index 208bbcd9111..36d81aad8ca 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml @@ -1,6 +1,6 @@ title: Gpscript Execution id: 1e59c230-6670-45bf-83b0-98903780607e -status: experimental +status: test description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy references: - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml index c4f5df0671a..0fd864f7187 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml 
@@ -1,6 +1,6 @@ title: Arbitrary File Download Via MSPUB.EXE id: 3b3c7f55-f771-4dd6-8a6e-08d057a17caf -status: experimental +status: test description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files references: - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml index c4cee55c99b..0c064e3b462 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml @@ -3,7 +3,7 @@ id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2 related: - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 type: obsoletes -status: experimental +status: test description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting. references: - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/ diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml index 00bfdeb26e5..141c60a9eab 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml @@ -1,6 +1,6 @@ title: File Download Using ProtocolHandler.exe id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb -status: experimental +status: test description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml index 59ea8ff46b6..5395baa2c04 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml @@ -1,6 +1,6 @@ title: Lolbin Runexehelper Use As Proxy id: cd71385d-fd9b-4691-9b98-2b1f7e508714 -status: experimental +status: test description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs references: - https://twitter.com/0gtweet/status/1206692239839289344 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml b/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml index 84147ef26b5..f1ab31f7526 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml @@ -3,7 +3,7 @@ id: 45239e6a-b035-4aaf-b339-8ad379fcb67e related: - id: fa4b21c9-0057-4493-b289-2556416ae4d7 type: obsoletes -status: experimental +status: test description: Detects the usage of the "Squirrel.exe" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.) references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml index 8ac6873e338..b0e2c0d1822 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml @@ -1,6 +1,6 @@ title: Lolbin Ssh.exe Use As Proxy id: 7d6d30b8-5b91-4b90-a891-46cccaf29598 -status: experimental +status: test description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs references: - https://lolbas-project.github.io/lolbas/Binaries/Ssh/ 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml index 36ca90da1fd..77d8793a8d9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml @@ -1,6 +1,6 @@ title: Lolbin Unregmp2.exe Use As Proxy id: 727454c0-d851-48b0-8b89-385611ab0704 -status: experimental +status: test description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe" references: - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/ diff --git a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml index 77eedc78148..ad226cb9e86 100644 --- a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml @@ -1,6 +1,6 @@ title: Potential Mftrace.EXE Abuse id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e -status: experimental +status: test description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/ diff --git a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml index d1c6e2f0068..b8a80266171 100644 --- a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml 
@@ -1,6 +1,6 @@ title: Potential Suspicious Mofcomp Execution id: 1dd05363-104e-4b4a-b963-196a534b03a1 -status: experimental +status: test description: | Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml index 9d898c2822e..f52b0cd9d29 100644 --- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml +++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml @@ -3,7 +3,7 @@ id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 related: - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc type: similar -status: experimental +status: test description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool diff --git a/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml b/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml index 430eb17ec1d..7c9f17a2017 100644 --- a/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml 
@@ -1,6 +1,6 @@ title: Potential Arbitrary Command Execution Using Msdt.EXE id: 258fc8ce-8352-443a-9120-8a11e4857fa5 -status: experimental +status: test description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability references: - https://twitter.com/nao_sec/status/1530196847679401984 diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml index b42e03f9fb7..a0324731c6e 100644 --- a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml +++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml @@ -3,7 +3,7 @@ id: dc4576d4-7467-424f-9eee-fd2b02855fe0 related: - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3 type: obsoletes -status: experimental +status: test description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190 references: - https://twitter.com/nas_bench/status/1537896324837781506 diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml index 48fa77d0454..26dd9b3173b 100644 --- a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml @@ -1,6 +1,6 @@ title: Suspicious MSDT Parent Process id: 7a74da6b-ea76-47db-92cc-874ad90df734 -status: experimental +status: test description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation references: - https://twitter.com/nao_sec/status/1530196847679401984 diff --git a/rules/windows/process_creation/proc_creation_win_mshta_http.yml b/rules/windows/process_creation/proc_creation_win_mshta_http.yml index 5c39cfcb361..4616880dbcb 100644 
--- a/rules/windows/process_creation/proc_creation_win_mshta_http.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_http.yml @@ -1,6 +1,6 @@ title: Remotely Hosted HTA File Executed Via Mshta.EXE id: b98d0db6-511d-45de-ad02-e82a98729620 -status: experimental +status: test description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file references: - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html diff --git a/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml b/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml index 4d24a13ae30..590edb8d363 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml @@ -1,6 +1,6 @@ title: Wscript Shell Run In CommandLine id: 2c28c248-7f50-417a-9186-a85b223010ee -status: experimental +status: test description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity references: - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml index e50506d3366..1f3c6e7fe16 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml 
@@ -1,6 +1,6 @@ title: Suspicious Mshta.EXE Execution Patterns id: e32f92d1-523e-49c3-9374-bdb13b46a3ba -status: experimental +status: test description: Detects suspicious mshta process execution patterns references: - https://en.wikipedia.org/wiki/HTML_Application diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml index e8acd7b8672..ef35f355ea8 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml @@ -1,6 +1,6 @@ title: DllUnregisterServer Function Call Via Msiexec.EXE id: 84f52741-8834-4a8c-a413-2eb2269aa6c8 -status: experimental +status: test description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml index f32368aa646..f2681ce47ad 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml @@ -1,6 +1,6 @@ title: Msiexec Quiet Installation id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5 -status: experimental +status: test description: | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml index 5ce66281fd5..958be5ee45e 100644 --- a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml 
+++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml @@ -1,6 +1,6 @@ title: Potential Process Injection Via Msra.EXE id: 744a188b-0415-4792-896f-11ddb0588dbc -status: experimental +status: test description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics references: - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/ diff --git a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml index 4114b891d66..655d78fde1e 100644 --- a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml @@ -3,7 +3,7 @@ id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445 related: - id: 344482e4-a477-436c-aa70-7536d18a48c7 type: obsoletes -status: experimental +status: test description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. author: FPT.EagleEye Team, wagga date: 2020/12/11 diff --git a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml index ca24ec639b3..6b1139af9f2 100644 --- a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml 
@@ -3,7 +3,7 @@ id: d55b793d-f847-4eea-b59a-5ab09908ac90 related: - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445 type: similar -status: experimental +status: test description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection. references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml index 96dfaa21555..92a0f6ba0f8 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml @@ -1,6 +1,6 @@ title: New Remote Desktop Connection Initiated Via Mstsc.EXE id: 954f0af7-62dd-418f-b3df-a84bc2c7a774 -status: experimental +status: test description: | Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml index 42b946752de..f3bcbfeeb4e 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml @@ -1,6 +1,6 @@ title: Mstsc.EXE Execution With Local RDP File id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af -status: experimental +status: test description: Detects potential RDP connection via Mstsc using a local ".rdp" file references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ 
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml index f1baf59d25e..0b064545d4f 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml @@ -1,6 +1,6 @@ title: Suspicious Mstsc.EXE Execution With Local RDP File id: 6e22722b-dfb1-4508-a911-49ac840b40f8 -status: experimental +status: test description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml index 9a48f8a1596..cb1c7ff8d59 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml @@ -1,6 +1,6 @@ title: Mstsc.EXE Execution From Uncommon Parent id: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6 -status: experimental +status: test description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml index fe0f3401ee5..0404696f9d5 100644 --- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml +++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml 
@@ -1,6 +1,6 @@ title: Suspicious Manipulation Of Default Accounts Via Net.EXE id: 5b768e71-86f2-4879-b448-81061cbae951 -status: experimental +status: test description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc references: - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html diff --git a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml index 86e91dce1a2..8728eb9deef 100644 --- a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml @@ -1,6 +1,6 @@ title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0 -status: experimental +status: test description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE references: - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ diff --git a/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml b/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml index af802b7c916..acf870c8266 100644 --- a/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml 
@@ -1,6 +1,6 @@ title: System Network Connections Discovery Via Net.EXE id: 1c67a717-32ba-409b-a45d-0fb704a73a81 -status: experimental +status: test description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery diff --git a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml index 1699ed5fe06..fd74e1d76d6 100644 --- a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml @@ -3,7 +3,7 @@ id: 88872991-7445-4a22-90b2-a3adadb0e827 related: - id: eb87818d-db5d-49cc-a987-d5da331fbd90 type: obsoletes -status: experimental +status: test description: Detects the stopping of a Windows service author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/03/05 diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml index 181b37f2fe5..b352bf0463b 100644 --- a/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml +++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml @@ -1,6 +1,6 @@ title: Windows Internet Hosted WebDav Share Mount Via Net.EXE id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0 -status: experimental +status: test description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view 
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml index faa499941d1..2e72dfd99f8 100644 --- a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml +++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml @@ -3,7 +3,7 @@ id: f117933c-980c-4f78-b384-e3d838111165 related: - id: 3abd6094-7027-475f-9630-8ab9be7b9725 type: similar -status: experimental +status: test description: Detects when a share is mounted using the "net.exe" utility references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml index 55c851fbd2e..212f8964352 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml @@ -1,6 +1,6 @@ title: Firewall Rule Deleted Via Netsh.EXE id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2 -status: experimental +status: test description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh references: - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/ diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml index b31de7b8d16..fdf32e9f9aa 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml 
@@ -1,6 +1,6 @@ title: Suspicious Firewall Configuration Discovery Via Netsh.EXE id: 0e4164da-94bc-450d-a7be-a4b176179f1f -status: experimental +status: test description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules diff --git a/rules/windows/process_creation/proc_creation_win_nltest_execution.yml b/rules/windows/process_creation/proc_creation_win_nltest_execution.yml index 0d96a410528..ab92fb09f73 100644 --- a/rules/windows/process_creation/proc_creation_win_nltest_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_nltest_execution.yml @@ -5,7 +5,7 @@ related: type: similar - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 type: obsoletes -status: experimental +status: test description: Detects nltest commands that can be used for information discovery references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm diff --git a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml index 5bb12223381..28089bffb57 100644 --- a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml @@ -7,7 +7,7 @@ related: type: similar - id: 77815820-246c-47b8-9741-e0def3f57308 type: obsoletes -status: experimental +status: test description: Detects nltest commands that can be used for information discovery references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) diff --git a/rules/windows/process_creation/proc_creation_win_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_abuse.yml index 7c3c47414b6..d5de0328435 100644 
--- a/rules/windows/process_creation/proc_creation_win_node_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_node_abuse.yml @@ -1,6 +1,6 @@ title: Potential Arbitrary Code Execution Via Node.EXE id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd -status: experimental +status: test description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml index 87209a5ad14..21a46d9cee6 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml @@ -3,7 +3,7 @@ id: 3f5491e2-8db8-496b-9e95-1029fce852d4 related: - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729 type: similar -status: experimental +status: test description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs. references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml index 301b8671331..0cc790e45eb 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml 
@@ -3,7 +3,7 @@ id: cb0fe7c5-f3a3-484d-aa25-d350a7912729 related: - id: 3f5491e2-8db8-496b-9e95-1029fce852d4 type: derived -status: experimental +status: test description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method. references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml index 8ec5dee90e7..04cd26a89cd 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml @@ -1,6 +1,6 @@ title: Odbcconf.EXE Suspicious DLL Location id: 6b65c28e-11f3-46cb-902a-68f2cafaf474 -status: experimental +status: test description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml index 48340151f01..3e49b8e2975 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml @@ -3,7 +3,7 @@ id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 related: - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 type: similar -status: experimental +status: test description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml index 0440dd860af..37973aa0b86 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml @@ -3,7 +3,7 @@ id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 related: - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 type: derived -status: experimental +status: test description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml index e212750eef1..6f5416ea95c 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml @@ -5,7 +5,7 @@ related: type: similar - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e type: obsoletes -status: experimental +status: test description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml index a853b9c7098..b49b496dec6 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml 
@@ -5,7 +5,7 @@ related: type: derived - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e type: obsoletes -status: experimental +status: test description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml index cf2b81b8f77..7259f168abc 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml @@ -1,6 +1,6 @@ title: Uncommon Child Process Spawned By Odbcconf.EXE id: 8e3c7994-131e-4ba5-b6ea-804d49113a26 -status: experimental +status: test description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml index 8f093751a20..d903fa06b39 100644 --- a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml +++ b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml @@ -3,7 +3,7 @@ id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed related: - id: 0c79148b-118e-472b-bdb7-9b57b444cc19 type: obsoletes -status: experimental +status: test description: Detects potential arbitrary file download using a Microsoft Office application references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/ 
diff --git a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml index a8b2a2338ce..8f6cc5458dc 100644 --- a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Office Document Executed From Trusted Location id: f99abdf0-6283-4e71-bd2b-b5c048a94743 -status: experimental +status: test description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code. references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml index 12421a51aee..33e616656f6 100644 --- a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml @@ -3,7 +3,7 @@ id: c27515df-97a9-4162-8a60-dc0eeb51b775 related: - id: 438025f9-5856-4663-83f7-52f878a70a50 # Generic rule for suspicious office application child processes type: derived -status: experimental +status: test description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file. references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18 
diff --git a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml index da5f01b2525..0de29ed4b39 100644 --- a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml @@ -1,6 +1,6 @@ title: Suspicious Binary In User Directory Spawned From Office Application id: aa3a6f94-890e-4e22-b634-ffdfd54792cc -status: experimental +status: test description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio) references: - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign diff --git a/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml b/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml index 7f3dfeddd30..c9afa827262 100644 --- a/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml @@ -1,6 +1,6 @@ title: Suspicious New Instance Of An Office COM Object id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28 -status: experimental +status: test description: | Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references) diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml index 5504ade3c2c..f73876bf2b5 100644 
--- a/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml @@ -3,7 +3,7 @@ id: d679950c-abb7-43a6-80fb-2a480c4fc450 related: - id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184 type: similar -status: experimental +status: test description: Detect use of PDQ Deploy remote admin tool references: - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md diff --git a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml index dbed9f99dde..6c5a1cd82a5 100644 --- a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml @@ -1,6 +1,6 @@ title: Perl Inline Command Execution id: f426547a-e0f7-441a-b63e-854ac5bdf54d -status: experimental +status: test description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code. references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml index ae425450b99..a13cb74d93a 100644 --- a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml @@ -1,6 +1,6 @@ title: Php Inline Command Execution id: d81871ef-5738-47ab-9797-7a9c90cd4bfb -status: experimental +status: test description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code. references: - https://www.php.net/manual/en/features.commandline.php 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml index 796d5fe48d0..90041f38338 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml @@ -3,7 +3,7 @@ id: c86500e9-a645-4680-98d7-f882c70c1ea3 related: - id: 91e69562-2426-42ce-a647-711b8152ced6 type: similar -status: experimental +status: test description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. references: - https://o365blog.com/aadinternals/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml index a0fe35c9f53..5cbfd28a7ea 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml @@ -5,7 +5,7 @@ related: type: similar - id: 74176142-4684-4d8a-8b0a-713257e7df8e type: similar -status: experimental +status: test description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration. references: - https://github.com/samratashok/ADModule diff --git a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml index 7767ae28327..473f05fa149 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml 
+++ b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml @@ -3,7 +3,7 @@ id: b36d01a3-ddaf-4804-be18-18a6247adfcd related: - id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429 type: similar -status: experimental +status: test description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. references: - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml index e751c0e37de..2efc33ed96f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml @@ -3,7 +3,7 @@ id: 92a974db-ab84-457f-9ec0-55db83d7a825 related: - id: fa2559c8-1197-471d-9cdd-05a0273d4522 type: similar -status: experimental +status: test description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities references: - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml index 6c0c147782c..01cbda7786d 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml 
@@ -1,6 +1,6 @@ title: Powershell Base64 Encoded MpPreference Cmdlet id: c6fb44c6-71f5-49e6-9462-1425d328aee3 -status: experimental +status: test description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV references: - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml index 21f19606f1e..45295f7daa1 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml @@ -3,7 +3,7 @@ id: 1816994b-42e1-4fb1-afd2-134d88184f71 related: - id: 47688f1b-9f51-4656-b013-3cc49a166a36 type: obsoletes -status: experimental +status: test description: Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc. references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml index 8ed2e5dc43c..06beed98a58 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml 
@@ -1,6 +1,6 @@ title: Assembly Loading Via CL_LoadAssembly.ps1 id: c57872c7-614f-4d7f-a40d-b78c8df2d30d -status: experimental +status: test description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls. references: - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml index f1a55bf3ff9..7fb441be922 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml @@ -1,6 +1,6 @@ title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d -status: experimental +status: test description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands references: - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml b/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml index 234522a8497..8d76e7d5548 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml @@ -1,6 +1,6 @@ title: Gzip Archive Decode Via PowerShell id: 98767d61-b2e8-4d71-b661-e36783ee24c1 -status: experimental +status: test description: Detects attempts of decoding encoded Gzip archives via PowerShell. references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml index 551845bcd01..590ae462284 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml @@ -1,6 +1,6 @@ title: PowerShell Execution With Potential Decryption Capabilities id: 434c08ba-8406-4d15-8b24-782cb071a691 -status: experimental +status: test description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware. references: - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml index b8d1e8ddc23..2440573e39c 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml @@ -3,7 +3,7 @@ id: 12f6b752-042d-483e-bf9c-915a6d06ad75 related: - id: 488b44e7-3781-4a71-888d-c95abfacf44d type: similar -status: experimental +status: test description: Detects attempts to disable the Windows Firewall using PowerShell references: - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml index bc0c57874be..685f4897c36 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml 
@@ -3,7 +3,7 @@ id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf related: - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe type: similar -status: experimental +status: test description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID references: - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml index f6208610083..030a7abc0f0 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml @@ -1,6 +1,6 @@ title: PowerShell Web Download id: 6e897651-f157-4d8f-aaeb-df8151488385 -status: experimental +status: test description: Detects suspicious ways to download files or content using PowerShell references: - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml index 39bcefd1991..a10e8c9e92a 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml @@ -1,6 +1,6 @@ title: Potential DLL File Download Via PowerShell Invoke-WebRequest id: 0f0450f3-8b47-441e-a31b-15a91dc243e2 -status: experimental +status: test description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml index a792c5e754d..e129a0565af 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml @@ -1,6 +1,6 @@ title: PowerShell Download and Execution Cradles id: 85b0b087-eddf-4a2b-b033-d771fa2b9775 -status: experimental +status: test description: Detects PowerShell download and execution cradles. references: - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd diff --git a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml index 2cab5dfc39d..efaf862a356 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml @@ -3,7 +3,7 @@ id: c740d4cf-a1e9-41de-bb16-8a46a4f57918 related: - id: 55c925c1-7195-426b-a136-a9396800e29b type: similar -status: experimental +status: test description: | Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encode.yml b/rules/windows/process_creation/proc_creation_win_powershell_encode.yml index 72dcd5a32c0..cdd82e75f6f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_encode.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_encode.yml 
@@ -1,6 +1,6 @@ title: Suspicious Execution of Powershell with Base64 id: fb843269-508c-4b76-8b8d-88679db22ce7 -status: experimental +status: test description: Commandline to launch powershell with a base64 payload references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml index 73899bb5ffc..6fe238666df 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml @@ -1,6 +1,6 @@ title: Suspicious PowerShell Encoded Command Patterns id: b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c -status: experimental +status: test description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains references: - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml index 2e5b5e0d031..d40b11730c7 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml @@ -1,6 +1,6 @@ title: Suspicious Obfuscated PowerShell Code id: 8d01b53f-456f-48ee-90f6-bc28e67d4e35 -status: experimental +status: test description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines references: - https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/ 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml index 93be2928fd4..a3f8f4a2c52 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml @@ -1,6 +1,6 @@ title: Powershell Inline Execution From A File id: ee218c12-627a-4d27-9e30-d6fb2fe22ed2 -status: experimental +status: test description: Detects inline execution of PowerShell code from a file references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml index 0ad8ddbc4a5..9f158a8ba81 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml @@ -3,7 +3,7 @@ id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb related: - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c type: similar -status: experimental +status: test description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines. references: - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a diff --git a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml index 3d3dc52ea15..2561e26815f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml 
@@ -3,7 +3,7 @@ id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f related: - id: df69cb1d-b891-4cd9-90c7-d617d90100ce type: similar -status: experimental +status: test description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml index dd3d5918a21..402733ae58c 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml @@ -1,6 +1,6 @@ title: Root Certificate Installed From Susp Locations id: 5f6a601c-2ecb-498b-9c33-660362323afa -status: experimental +status: test description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml index b7d5035ebc2..329fecd6111 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml 
@@ -3,7 +3,7 @@ id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3 related: - id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab type: similar -status: experimental +status: test description: Detects powershell scripts that import modules from suspicious directories references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md diff --git a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml index 7ec726db543..8525e42073b 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml @@ -3,7 +3,7 @@ id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a related: - id: 975b2262-9a49-439d-92a6-0709cccdf0b2 type: similar -status: experimental +status: test description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages references: - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml index 79cce4ba63a..3a676d2ea52 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml @@ -7,7 +7,7 @@ related: type: similar - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 type: similar -status: experimental +status: test description: Detects suspicious PowerShell invocation command parameters author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/05 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml index 96e512c03e2..1ba2ad95114 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml @@ -1,6 +1,6 @@ title: Suspicious Invoke-WebRequest Execution With DirectIP id: 1edff897-9146-48d2-9066-52e8d8f80a2f -status: experimental +status: test description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access references: - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml index bf6cc03c811..f9604ea97e0 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml @@ -3,7 +3,7 @@ id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc related: - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 type: derived -status: experimental +status: test description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml index be865cd0bfb..ab5996e33ae 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml 
+++ b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml @@ -5,7 +5,7 @@ related: type: derived - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c type: similar -status: experimental +status: test description: Detects Commandlet names from well-known PowerShell exploitation frameworks references: - https://adsecurity.org/?p=2921 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml index bcf32e0a242..5c2534ff00f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml @@ -1,6 +1,6 @@ title: Service StartupType Change Via PowerShell Set-Service id: 62b20d44-1546-4e61-afce-8e175eb9473c -status: experimental +status: test description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual" references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml index da3e26906a4..b045fe33b59 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml 
@@ -5,7 +5,7 @@ related: type: derived - id: c1337eb8-921a-4b59-855b-4ba188ddcc42 type: similar -status: experimental +status: test description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell diff --git a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml index 64c0f98a24b..69225edada9 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml @@ -1,6 +1,6 @@ title: Exchange PowerShell Snap-Ins Usage id: 25676e10-2121-446e-80a4-71ff8506af47 -status: experimental +status: test description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 references: - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml index 09292748704..0ffc735fa49 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml @@ -3,7 +3,7 @@ id: c49c5062-0966-4170-9efd-9968c913a6cf related: - id: eb87818d-db5d-49cc-a987-d5da331fbd90 type: obsoletes -status: experimental +status: test description: Detects the stopping of a Windows service author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/03/05 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml index 62b0471b5f5..dbf7baf8eee 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious PowerShell Child Processes id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647 -status: experimental +status: test description: Detects potentially suspicious child processes spawned by PowerShell references: - https://twitter.com/ankit_anubhav/status/1518835408502620162 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml index 89c496f8517..a1aceed79cb 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml @@ -3,7 +3,7 @@ id: deb9b646-a508-44ee-b7c9-d8965921c6b6 related: - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51 type: similar -status: experimental +status: test description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation references: - https://github.com/danielbohannon/Invoke-Obfuscation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml index 4523382b21d..be33964e4b1 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml 
@@ -1,6 +1,6 @@ title: Net WebClient Casing Anomalies id: c86133ad-4725-4bd0-8170-210788e0a7ba -status: experimental +status: test description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques references: - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml index 4c039671b2c..7b47c7d7e4b 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml @@ -3,7 +3,7 @@ id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 related: - id: 504d63cb-0dba-4d02-8531-e72981aace2c type: similar -status: experimental +status: test description: Detect use of X509Enrollment references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42 diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml index b0307ffde0d..a13ba06b803 100644 --- a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml @@ -7,7 +7,7 @@ related: type: similar - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry type: similar -status: experimental +status: test description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml index b0d6a0d3ef4..9c01e150268 100644 
--- a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml @@ -7,7 +7,7 @@ related: type: similar - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry type: similar -status: experimental +status: test description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ diff --git a/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml index 88c4ed5a599..04638f9f92c 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml @@ -1,6 +1,6 @@ title: PUA - 3Proxy Execution id: f38a82d2-fba3-4781-b549-525efbec8506 -status: experimental +status: test description: Detects the use of 3proxy, a tiny free proxy server references: - https://github.com/3proxy/3proxy diff --git a/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml b/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml index c681ebe74b4..7a7a6952cde 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml @@ -3,7 +3,7 @@ id: 455b9d50-15a1-4b99-853f-8d37655a4c1b related: - id: 9a132afa-654e-11eb-ae93-0242ac130002 type: similar -status: experimental +status: test description: Detects active directory enumeration activity using known AdFind CLI flags references: - https://www.joeware.net/freetools/tools/adfind/ 
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml b/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml index 7761afbeabc..d04c5ee1039 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml @@ -1,6 +1,6 @@ title: PUA - Advanced IP Scanner Execution id: bef37fa2-f205-4a7b-b484-0759bfd5f86f -status: experimental +status: test description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. references: - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ diff --git a/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml b/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml index 182ee27e39d..a35ff4a83fb 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml @@ -1,6 +1,6 @@ title: PUA - Advanced Port Scanner Execution id: 54773c5f-f1cc-4703-9126-2f797d96a69d -status: experimental +status: test description: Detects the use of Advanced Port Scanner. references: - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml index 46de677f38f..af649249af9 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml 
@@ -3,7 +3,7 @@ id: d2b749ee-4225-417e-b20e-a8d2193cbb84 related: - id: fa00b701-44c6-4679-994d-5a18afa8a707 type: similar -status: experimental +status: test description: Detects the execution of AdvancedRun utility references: - https://twitter.com/splinter_code/status/1483815103279603714 diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml index aa7251a2f0d..f285dcdb8a9 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml @@ -3,7 +3,7 @@ id: fa00b701-44c6-4679-994d-5a18afa8a707 related: - id: d2b749ee-4225-417e-b20e-a8d2193cbb84 type: similar -status: experimental +status: test description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts references: - https://twitter.com/splinter_code/status/1483815103279603714 diff --git a/rules/windows/process_creation/proc_creation_win_pua_chisel.yml b/rules/windows/process_creation/proc_creation_win_pua_chisel.yml index 658f1bac65a..d4b04ca3177 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_chisel.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_chisel.yml @@ -3,7 +3,7 @@ id: 8b0e12da-d3c3-49db-bb4f-256703f380e5 related: - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf type: similar -status: experimental +status: test description: Detects usage of the Chisel tunneling tool via the commandline arguments references: - https://github.com/jpillora/chisel/ diff --git a/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml b/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml index fba27cc4958..d2289e8431d 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml 
+++ b/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml @@ -1,6 +1,6 @@ title: PUA - CleanWipe Execution id: f44800ac-38ec-471f-936e-3fa7d9c53100 -status: experimental +status: test description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus. references: - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe diff --git a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml index dde52fca85b..5af7f9b90aa 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml @@ -1,6 +1,6 @@ title: PUA - Crassus Execution id: 2c32b543-1058-4808-91c6-5b31b8bed6c5 -status: experimental +status: test description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics. references: - https://github.com/vu-ls/Crassus diff --git a/rules/windows/process_creation/proc_creation_win_pua_csexec.yml b/rules/windows/process_creation/proc_creation_win_pua_csexec.yml index 236449fb27a..a9398da0fa9 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_csexec.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_csexec.yml @@ -1,6 +1,6 @@ title: PUA - CsExec Execution id: d08a2711-ee8b-4323-bdec-b7d85e892b31 -status: experimental +status: test description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative references: - https://github.com/malcomvetter/CSExec diff --git a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml index 0564835a2ff..5bed99cfbf5 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml 
@@ -1,6 +1,6 @@ title: PUA - DefenderCheck Execution id: f0ca6c24-3225-47d5-b1f5-352bf07ecfa7 -status: experimental +status: test description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion. references: - https://github.com/matterpreter/DefenderCheck diff --git a/rules/windows/process_creation/proc_creation_win_pua_frp.yml b/rules/windows/process_creation/proc_creation_win_pua_frp.yml index 9426e44bcb9..9b809012f8e 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_frp.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_frp.yml @@ -1,6 +1,6 @@ title: PUA - Fast Reverse Proxy (FRP) Execution id: 32410e29-5f94-4568-b6a3-d91a8adad863 -status: experimental +status: test description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. references: - https://asec.ahnlab.com/en/38156/ diff --git a/rules/windows/process_creation/proc_creation_win_pua_iox.yml b/rules/windows/process_creation/proc_creation_win_pua_iox.yml index 72972052ebf..5fb2df51bd7 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_iox.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_iox.yml @@ -1,6 +1,6 @@ title: PUA- IOX Tunneling Tool Execution id: d7654f02-e04b-4934-9838-65c46f187ebc -status: experimental +status: test description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes references: - https://github.com/EddieIvan01/iox diff --git a/rules/windows/process_creation/proc_creation_win_pua_netcat.yml b/rules/windows/process_creation/proc_creation_win_pua_netcat.yml index 5fc57befaf3..dc857162653 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_netcat.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_netcat.yml 
@@ -1,6 +1,6 @@ title: PUA - Netcat Suspicious Execution id: e31033fc-33f0-4020-9a16-faf9b31cbf08 -status: experimental +status: test description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - https://nmap.org/ncat/ diff --git a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml index 55706f147da..fd61809361f 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml @@ -1,6 +1,6 @@ title: PUA - Nimgrab Execution id: 74a12f18-505c-4114-8d0b-8448dd5485c6 -status: experimental +status: test description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files. references: - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md diff --git a/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml b/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml index 6f9f5efcf31..b4a321a2cf3 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml @@ -1,6 +1,6 @@ title: PUA - NirCmd Execution id: 4e2ed651-1906-4a59-a78a-18220fca1b22 -status: experimental +status: test description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity references: - https://www.nirsoft.net/utils/nircmd.html diff --git a/rules/windows/process_creation/proc_creation_win_pua_nps.yml b/rules/windows/process_creation/proc_creation_win_pua_nps.yml index 1e2bad0cc11..1a5550ff492 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_nps.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_nps.yml 
@@ -1,6 +1,6 @@ title: PUA - NPS Tunneling Tool Execution id: 68d37776-61db-42f5-bf54-27e87072d17e -status: experimental +status: test description: Detects the use of NPS, a port forwarding and intranet penetration proxy server references: - https://github.com/ehang-io/nps diff --git a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml index 8caff78c942..390bb712b58 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml @@ -1,6 +1,6 @@ title: PUA - NSudo Execution id: 771d1eb5-9587-4568-95fb-9ec44153a012 -status: experimental +status: test description: Detects the use of NSudo tool for command execution references: - https://nsudo.m2team.org/en-us/ diff --git a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml index be5017f7500..cc355a187c2 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml @@ -3,7 +3,7 @@ id: 811e0002-b13b-4a15-9d00-a613fce66e42 related: - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a type: similar -status: experimental +status: test description: Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors regularly abuse it to manipulate system processes. references: - https://processhacker.sourceforge.io/ diff --git a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml index 3978ecc24dc..c299fb6008e 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml @@ -1,6 +1,6 @@ title: PUA - Potential PE Metadata Tamper Using Rcedit id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 -status: experimental +status: test description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. references: - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe diff --git a/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml index 2e470202ffe..b61912e1b91 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml @@ -5,7 +5,7 @@ related: type: obsoletes - id: cb7286ba-f207-44ab-b9e6-760d82b84253 type: obsoletes -status: experimental +status: test description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc references: - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ diff --git a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml index 6432783ae4e..84559cbd2c8 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml @@ -1,6 +1,6 @@ title: PUA - Seatbelt Execution id: 38646daa-e78f-4ace-9de0-55547b2d30da -status: experimental +status: test description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters references: - https://github.com/GhostPack/Seatbelt 
diff --git a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml index ebe83fdc672..3aaa59f44c5 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml @@ -3,7 +3,7 @@ id: 5722dff1-4bdd-4949-86ab-fbaf707e767a related: - id: 811e0002-b13b-4a15-9d00-a613fce66e42 type: similar -status: experimental +status: test description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations references: - https://github.com/winsiderss/systeminformer diff --git a/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml index 838d2b80d94..b08f5847cb4 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml @@ -1,6 +1,6 @@ title: PUA - WebBrowserPassView Execution id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513 -status: experimental +status: test description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md diff --git a/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml index 6149712cfee..e42b3d26223 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml @@ -1,6 +1,6 @@ title: PUA - Wsudo Suspicious Execution id: bdeeabc9-ff2a-4a51-be59-bb253aac7891 -status: experimental +status: test description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc) references: - https://github.com/M2Team/Privexec/ diff --git a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml index 799db7a3ccd..03929b66077 100644 --- a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml @@ -1,6 +1,6 @@ title: Python Inline Command Execution id: 899133d5-4d7c-4a7f-94ee-27355c879d90 -status: experimental +status: test description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code. references: - https://docs.python.org/3/using/cmdline.html#cmdoption-c diff --git a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml index 6b8b2b605a8..e7928dd1f20 100644 --- a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml +++ b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml @@ -1,6 +1,6 @@ title: Query Usage To Exfil Data id: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2 -status: experimental +status: test description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 
diff --git a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml index a92d678de5c..9c45be61b1c 100644 --- a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml +++ b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml @@ -1,6 +1,6 @@ title: Suspicious Greedy Compression Using Rar.EXE id: afe52666-401e-4a02-b4ff-5d128990b8cb -status: experimental +status: test description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes references: - https://decoded.avast.io/martinchlumecky/png-steganography diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml index fc1c4ec81f5..8bbfb03d2fb 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml @@ -1,6 +1,6 @@ title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE id: 48917adc-a28e-4f5d-b729-11e75da8941f -status: experimental +status: test description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData. references: - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml index 6e927e0a8e8..2b45c02e98e 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml 
@@ -3,7 +3,7 @@ id: fc0e89b5-adb0-43c1-b749-c12a10ec37de related: - id: d7662ff6-9e97-4596-a61d-9839e32dee8d type: similar -status: experimental +status: test description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products references: - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml index 7e506c4ba45..6da47889b6c 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml @@ -1,6 +1,6 @@ title: Service Registry Key Deleted Via Reg.EXE id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5 -status: experimental +status: test description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services references: - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 diff --git a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml index f71dfabe22b..d0e7c7917f4 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml 
@@ -3,7 +3,7 @@ id: 62e0298b-e994-4189-bc87-bc699aa62d97 related: - id: 73bba97f-a82d-42ce-b315-9182e76c57b1 type: derived -status: experimental +status: test description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml index d095234b0ee..38aa56f3739 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml @@ -3,7 +3,7 @@ id: 28ac00d6-22d9-4a3c-927f-bbd770104573 related: - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry type: similar -status: experimental +status: test description: | Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml index 282327d4553..c281521a14b 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml @@ -1,6 +1,6 @@ title: LSA PPL Protection Disabled Via Reg.EXE id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9 -status: experimental +status: test description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ 
diff --git a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml index 3eebf8cb9ba..f0832d4b268 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml @@ -1,6 +1,6 @@ title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE id: 0d5675be-bc88-4172-86d3-1e96a4476536 -status: experimental +status: test description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ diff --git a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml index ca933be8387..c0887bc7d13 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml @@ -1,6 +1,6 @@ title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE id: 452bce90-6fb0-43cc-97a5-affc283139b3 -status: experimental +status: test description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ diff --git a/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml b/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml index 20f82536a73..8235680587e 100644 --- a/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml @@ -1,6 +1,6 @@ title: Regasm/Regsvcs Suspicious Execution id: cc368ed0-2411-45dc-a222-510ace303cb2 -status: experimental +status: test description: Detects suspicious execution of Regasm/Regsvcs utilities references: - https://www.fortiguard.com/threat-signal-report/4718?s=09 diff --git a/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/rules/windows/process_creation/proc_creation_win_regini_ads.yml index 3f2d587ba11..a7e3579bde3 100644 --- a/rules/windows/process_creation/proc_creation_win_regini_ads.yml +++ b/rules/windows/process_creation/proc_creation_win_regini_ads.yml @@ -3,7 +3,7 @@ id: 77946e79-97f1-45a2-84b4-f37b5c0d8682 related: - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134 type: derived -status: experimental +status: test description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys. references: - https://lolbas-project.github.io/lolbas/Binaries/Regini/ diff --git a/rules/windows/process_creation/proc_creation_win_regini_execution.yml b/rules/windows/process_creation/proc_creation_win_regini_execution.yml index 251f792966d..1a58c575a62 100644 --- a/rules/windows/process_creation/proc_creation_win_regini_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_regini_execution.yml @@ -3,7 +3,7 @@ id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134 related: - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682 type: derived -status: experimental +status: test description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files. references: - https://lolbas-project.github.io/lolbas/Binaries/Regini/ 
diff --git a/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml index 100bbf7440c..0a8231ab477 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml @@ -3,7 +3,7 @@ id: 10344bb3-7f65-46c2-b915-2d00d47be5b0 related: - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 type: similar -status: experimental +status: test description: | Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. references: diff --git a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml index 2d3ca3f40a7..dd6ed188311 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml @@ -3,7 +3,7 @@ id: 21d856f9-9281-4ded-9377-51a1a6e2a432 related: - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 type: derived -status: experimental +status: test description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence references: - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html diff --git a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml index 59033fddc1a..9f3ffc22d0e 100644 
--- a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml @@ -3,7 +3,7 @@ id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 related: - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 type: similar -status: experimental +status: test description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it references: - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade diff --git a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml index 9c6e44ecca5..761f9f9d8cd 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml @@ -7,7 +7,7 @@ related: type: similar - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry type: similar -status: experimental +status: test description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ diff --git a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml index 2e0c2c18d36..e2ae3a66488 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml 
@@ -7,7 +7,7 @@ related: type: similar - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock type: similar -status: experimental +status: test description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine references: - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml index d07d11d61eb..397ae87bcd9 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Regsvr32 HTTP IP Pattern id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8 -status: experimental +status: test description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. references: - https://twitter.com/mrd0x/status/1461041276514623491 diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml index 4f27725b4e4..2a99c64e6cd 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml @@ -3,7 +3,7 @@ id: 867356ee-9352-41c9-a8f2-1be690d78216 related: - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d type: obsoletes -status: experimental +status: test description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers. references: - https://twitter.com/mrd0x/status/1461041276514623491 
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml index b2d1a88fc9d..27463a9d971 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml @@ -3,7 +3,7 @@ id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca related: - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d type: obsoletes -status: experimental +status: test description: Detects potentially suspicious child processes of "regsvr32.exe". references: - https://redcanary.com/blog/intelligence-insights-april-2022/ diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml index f3417695657..75dcf5b0a21 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml @@ -3,7 +3,7 @@ id: 9525dc73-0327-438c-8c04-13c0e037e9da related: - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d type: obsoletes -status: experimental +status: test description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location. references: - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml index fe7c1501991..7cf9cc245d8 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml 
@@ -1,6 +1,6 @@ title: Regsvr32 Execution From Highly Suspicious Location id: 327ff235-94eb-4f06-b9de-aaee571324be -status: experimental +status: test description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml index 851256ec488..30f7c594b67 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml @@ -3,7 +3,7 @@ id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e related: - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d type: obsoletes -status: experimental +status: test description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files references: - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml index d0d5927f069..ccd0f9a82d5 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml @@ -3,7 +3,7 @@ id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22 related: - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d type: obsoletes -status: experimental +status: test description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance. references: - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html 
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml index e02eae5c1aa..d68f2966146 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - AnyDesk Piped Password Via CLI id: b1377339-fda6-477a-b455-ac0923f9ec2c -status: experimental +status: test description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag. references: - https://redcanary.com/blog/misbehaving-rats/ diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml index af3921fd228..a6b1a9e8979 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml @@ -3,7 +3,7 @@ id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86 related: - id: b52e84a3-029e-4529-b09b-71d19dd27e94 type: similar -status: experimental +status: test description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml index fb0366f6079..841c1dbb3c2 100644 
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - NetSupport Execution id: 758ff488-18d5-4cbe-8ec4-02b6285a434f -status: experimental +status: test description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml index 5cf9125af8d..16b03b2601b 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - NetSupport Execution From Unusual Location id: 37e8d358-6408-4853-82f4-98333fca7014 -status: experimental +status: test description: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files') references: - https://redcanary.com/blog/misbehaving-rats/ diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml index aea1ed06ce6..bc177acf66b 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml 
@@ -1,6 +1,6 @@ title: Remote Access Tool - RURAT Execution From Unusual Location id: e01fa958-6893-41d4-ae03-182477c5e77d -status: experimental +status: test description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files') references: - https://redcanary.com/blog/misbehaving-rats/ diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml index 222bcce449b..64ac699b214 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - ScreenConnect Backstage Mode Anomaly id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5 -status: experimental +status: test description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode references: - https://www.mandiant.com/resources/telegram-malware-iranian-espionage diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml index 31b2dbf2574..660ab10caf1 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - ScreenConnect Remote Command Execution id: b1f73849-6329-4069-bc8f-78a604bb8b23 -status: experimental +status: test description: Detects the execution of a system command via the ScreenConnect RMM service. references: - https://github.com/SigmaHQ/sigma/pull/4467 
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml index 1e509d4011a..2d9869469d7 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml @@ -1,6 +1,6 @@ title: Renamed AutoIt Execution id: f4264e47-f522-4c38-a420-04525d5b880f -status: experimental +status: test description: | Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. diff --git a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml index cdfc2195c05..a0e5762c2b4 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml @@ -1,6 +1,6 @@ title: Renamed BrowserCore.EXE Execution id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559 -status: experimental +status: test description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens) references: - https://twitter.com/mariuszbit/status/1531631015139102720 diff --git a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml index 79679f3b111..2b3be1eb6cc 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml 
@@ -3,7 +3,7 @@ id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e related: - id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48 type: similar -status: experimental +status: test description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ diff --git a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml index 4690f440adb..2cea5034a03 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml @@ -1,6 +1,6 @@ title: Renamed CURL.EXE Execution id: 7530cd3d-7671-43e3-b209-976966f6ea48 -status: experimental +status: test description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields references: - https://twitter.com/Kostastsale/status/1700965142828290260 diff --git a/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml index bf29e2ae341..08b10c7459f 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml @@ -1,6 +1,6 @@ title: Renamed Gpg.EXE Execution id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592 -status: experimental +status: test description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data. references: - https://securelist.com/locked-out/68960/ diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml index 287e327c423..c4c13d98d6d 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml 
+++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml @@ -1,6 +1,6 @@ title: Renamed Mavinject.EXE Execution id: e6474a1b-5390-49cd-ab41-8d88655f7394 -status: experimental +status: test description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml index 20d1548aa93..6a5c90b2890 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml @@ -1,6 +1,6 @@ title: Renamed Msdt.EXE Execution id: bd1c6866-65fc-44b2-be51-5588fcff82b9 -status: experimental +status: test description: Detects the execution of a renamed "Msdt.exe" binary references: - https://lolbas-project.github.io/lolbas/Binaries/Msdt/ diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml index 37c38252a3d..48ae4e590f3 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml @@ -1,6 +1,6 @@ title: Renamed NetSupport RAT Execution id: 0afbd410-de03-4078-8491-f132303cb67d -status: experimental +status: test description: Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings references: - https://redcanary.com/blog/misbehaving-rats/ diff --git a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml index c2d79235fe7..6a4d5a33ecc 100644 
--- a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml @@ -1,6 +1,6 @@ title: Renamed Plink Execution id: 1c12727d-02bf-45ff-a9f3-d49806a3cf43 -status: experimental +status: test description: Detects the execution of a renamed version of the Plink binary references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml index a485dd8ba80..6667dda49ca 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml @@ -3,7 +3,7 @@ id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed related: - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e type: derived -status: experimental +status: test description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection references: - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20 diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml index 0f38671712e..f1e541c2eb4 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml @@ -1,6 +1,6 @@ title: Renamed Remote Utilities RAT (RURAT) Execution id: 9ef27c24-4903-4192-881a-3adde7ff92a5 -status: experimental +status: test description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field references: - https://redcanary.com/blog/misbehaving-rats/ 
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml index 121ea63fc36..ff78489fab3 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml @@ -1,6 +1,6 @@ title: Renamed Sysinternals Sdelete Execution id: c1d867fe-8d95-4487-aab4-e53f2d339f90 -status: experimental +status: test description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming) references: - https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml index b18156c9e42..c598023335a 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml @@ -1,6 +1,6 @@ title: Renamed Vmnat.exe Execution id: 7b4f794b-590a-4ad4-ba18-7964a2832205 -status: experimental +status: test description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading references: - https://twitter.com/malmoeb/status/1525901219247845376 diff --git a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml index e34a064cd85..bed8d924152 100644 --- a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml 
@@ -1,6 +1,6 @@ title: Ruby Inline Command Execution id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8 -status: experimental +status: test description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code. references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml index d7c01a1497f..83308c35ac9 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml @@ -1,6 +1,6 @@ title: Potential Rundll32 Execution With DLL Stored In ADS id: 9248c7e1-2bf3-4661-a22c-600a8040b446 -status: experimental +status: test description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS). references: - https://lolbas-project.github.io/lolbas/Binaries/Rundll32 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml index 023daafc86b..811448ab2b6 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml @@ -1,6 +1,6 @@ title: Suspicious Advpack Call Via Rundll32.EXE id: a1473adb-5338-4a20-b4c3-126763e2d3d3 -status: experimental +status: test description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function references: - https://twitter.com/Hexacorn/status/1224848930795552769 
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml index ef78547f4a7..c2e12a14c34 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml @@ -1,6 +1,6 @@ title: Rundll32 Execution Without DLL File id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf -status: experimental +status: test description: Detects the execution of rundll32 with a command line that doesn't contain a .dll file references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml b/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml index ae2c18bdc8a..5aec1b61aeb 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml @@ -1,6 +1,6 @@ title: Rundll32 InstallScreenSaver Execution id: 15bd98ea-55f4-4d37-b09a-e7caa0fa2221 -status: experimental +status: test description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml b/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml index 70304a4af7b..d549c8c3505 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml 
@@ -1,6 +1,6 @@ title: Suspicious Key Manager Access id: a4694263-59a8-4608-a3a0-6f8d3a51664c -status: experimental +status: test description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager) references: - https://twitter.com/NinjaParanoid/status/1516442028963659777 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml index 3d1c2d569de..39893387247 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml @@ -1,6 +1,6 @@ title: Rundll32 Execution Without CommandLine Parameters id: 1775e15e-b61b-4d14-a1a3-80981298085a -status: experimental +status: test description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity references: - https://www.cobaltstrike.com/help-opsec diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml b/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml index 9e8a5807771..31db732deb7 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml @@ -1,6 +1,6 @@ title: Suspicious NTLM Authentication on the Printer Spooler Service id: bb76d96b-821c-47cf-944b-7ce377864492 -status: experimental +status: test description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service references: - https://twitter.com/med0x2e/status/1520402518685200384 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml index 3f65c881960..3209b188dd0 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml 
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml @@ -1,6 +1,6 @@ title: Potential Obfuscated Ordinal Call Via Rundll32 id: 43fa5350-db63-4b8f-9a01-789a427074e1 -status: experimental +status: test description: Detects execution of "rundll32" with potential obfuscated ordinal calls references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index 05d1f3f4a6c..ed28458bb19 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml @@ -1,6 +1,6 @@ title: Rundll32 Spawned Via Explorer.EXE id: 1723e720-616d-4ddc-ab02-f7e3685a4713 -status: experimental +status: test description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary. references: - https://redcanary.com/blog/raspberry-robin/ diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml b/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml index f7f53f8e556..827b016b8a4 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml @@ -1,6 +1,6 @@ title: Suspicious Rundll32 Script in CommandLine id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7 -status: experimental +status: test description: Detects suspicious process related to rundll32 based on arguments references: - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml index 00f3ac8ccbf..9ea945925ab 100644 
--- a/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml @@ -1,6 +1,6 @@ title: Shell32 DLL Execution in Suspicious Directory id: 32b96012-7892-429e-b26c-ac2bf46066ff -status: experimental +status: test description: Detects shell32.dll executing a DLL in a suspicious directory references: - https://www.group-ib.com/resources/threat-research/red-curl-2.html diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml index 38f3a68df2a..cdec3852b05 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml @@ -1,6 +1,6 @@ title: Potential ShellDispatch.DLL Functionality Abuse id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9 -status: experimental +status: test description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute" references: - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml index 3b93739373e..84403e8320d 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml 
@@ -3,7 +3,7 @@ id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec related: - id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e type: similar -status: experimental +status: test description: Detects the execution of Rundll32.exe with DLL files masquerading as image files references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml index ecb2824ead5..90b7cac650e 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml @@ -3,7 +3,7 @@ id: d87bd452-6da1-456e-8155-7dc988157b7d related: - id: 36c5146c-d127-4f85-8e21-01bf62355d5a type: obsoletes -status: experimental +status: test description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack references: - https://redcanary.com/blog/raspberry-robin/ diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml b/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml index 3be4b9ebd1f..20439b6b8fa 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml @@ -1,6 +1,6 @@ title: Suspicious Workstation Locking via Rundll32 id: 3b5b0213-0460-4e3f-8937-3abf98ff7dcc -status: experimental +status: test description: Detects a suspicious call to the user32.dll function that locks the user workstation references: - https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/ 
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml index fc312f152eb..610c2e6f2e0 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml @@ -1,6 +1,6 @@ title: Suspicious WebDav Client Execution Via Rundll32.EXE id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555 -status: experimental +status: test description: | Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397 references: diff --git a/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml b/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml index 6c0ca900ab7..f744201a645 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml @@ -1,6 +1,6 @@ title: Service StartupType Change Via Sc.EXE id: 85c312b7-f44d-4a51-a024-d671c40b49fc -status: experimental +status: test description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand" references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml index 48386769987..6d13dddb245 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml 
@@ -3,7 +3,7 @@ id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47 related: - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering type: similar -status: experimental +status: test description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs. references: - https://twitter.com/0gtweet/status/1628720819537936386 diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml index 5a5dbc15b7c..a840e37eb96 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml @@ -5,7 +5,7 @@ related: type: similar - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique type: similar -status: experimental +status: test description: Detection of sc.exe utility adding a new service with special permission which hides that service. references: - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html diff --git a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml index b982fdeb4e9..c843dc5037a 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml @@ -3,7 +3,7 @@ id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1 related: - id: eb87818d-db5d-49cc-a987-d5da331fbd90 type: obsoletes -status: experimental +status: test description: Detects the stopping of a Windows service author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/03/05 
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml index 81b371fdfb5..f859f72f1a5 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml @@ -3,7 +3,7 @@ id: 81325ce1-be01-4250-944f-b4789644556f related: - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline type: derived -status: experimental +status: test description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware references: - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/ diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml index c1eae40a6c5..b5e40bb6f96 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml @@ -1,6 +1,6 @@ title: Uncommon One Time Only Scheduled Task At 00:00 id: 970823b7-273b-460a-8afc-3a6811998529 -status: experimental +status: test description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00 references: - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml index 4e129c49ba5..6a3e317d26c 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml 
@@ -3,7 +3,7 @@ id: f548a603-c9f2-4c89-b511-b089f7e94549 related: - id: 73a883d0-0348-4be4-a8d8-51031c2564f8 type: derived -status: experimental +status: test description: | Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key. diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml index 9c5e2ca66b7..14869fd6d54 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml @@ -3,7 +3,7 @@ id: b66474aa-bd92-4333-a16c-298155b120df related: - id: 6e8811ee-90ba-441e-8486-5653e68b2299 type: similar -status: experimental +status: test description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader references: - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/ diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml index 9a3e9a0a2ed..d2bea93c3f9 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml 
@@ -3,7 +3,7 @@ id: 86588b36-c6d3-465f-9cee-8f9093e07798 related: - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 type: derived -status: experimental +status: test description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell. references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml index c99b4e9a91b..5efda8a852d 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml @@ -1,6 +1,6 @@ title: Suspicious Scheduled Task Creation via Masqueraded XML File id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c -status: experimental +status: test description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence references: - https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml index 94429dda1c6..8ad6361077e 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml 
@@ -1,6 +1,6 @@ title: Suspicious Command Patterns In Scheduled Task Creation id: f2c64357-b1d2-41b7-849f-34d2682c0fad -status: experimental +status: test description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands references: - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/ diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml index 9e7d9d330a4..0364b432985 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml @@ -1,6 +1,6 @@ title: Schtasks Creation Or Modification With SYSTEM Privileges id: 89ca78fd-b37c-4310-b3d3-81a023f83936 -status: experimental +status: test description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges references: - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern diff --git a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml index fb8279682bd..1e15aaf74cf 100644 --- a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml @@ -1,6 +1,6 @@ title: Potential Suspicious Activity Using SeCEdit id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb -status: experimental +status: test description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy references: - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d diff --git a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml index 993df932ee6..991912bbd5a 100644 
--- a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml @@ -1,6 +1,6 @@ title: Uncommon Child Processes Of SndVol.exe id: ba42babc-0666-4393-a4f7-ceaf5a69191e -status: experimental +status: test description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer) references: - https://twitter.com/Max_Mal_/status/1661322732456353792 diff --git a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml index f6fc2cd6f99..694df291501 100644 --- a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml @@ -1,6 +1,6 @@ title: Veeam Backup Database Suspicious Query id: 696bfb54-227e-4602-ac5b-30d9d2053312 -status: experimental +status: test description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information. references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml index bbb7f74cbd2..e9c72d99082 100644 --- a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml +++ b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml 
@@ -1,6 +1,6 @@ title: SQLite Chromium Profile Data DB Access id: 24c77512-782b-448a-8950-eddb0785fc71 -status: experimental +status: test description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing. references: - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml index 012a329dfee..9192cf12fa2 100644 --- a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml +++ b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml @@ -1,6 +1,6 @@ title: SQLite Firefox Profile Data DB Access id: 4833155a-4053-4c9c-a997-777fcea0baa7 -status: experimental +status: test description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows diff --git a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml index fd3689fca28..3cfa146bd20 100644 --- a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml +++ b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml @@ -1,6 +1,6 @@ title: Port Forwarding Attempt Via SSH id: 327f48c1-a6db-4eb8-875a-f6981f1b0183 -status: experimental +status: test description: Detects suspicious SSH tunnel port forwarding to a local port references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ 
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml index d2ab3821e24..aede5ee403a 100644 --- a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml +++ b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml @@ -3,7 +3,7 @@ id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d related: - id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da # plink.exe type: similar -status: experimental +status: test description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ diff --git a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml index 9756c4c0042..c10b673d119 100644 --- a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml @@ -1,6 +1,6 @@ title: Potential Amazon SSM Agent Hijacking id: d20ee2f4-822c-4827-9e15-41500b1fff10 -status: experimental +status: test description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. references: - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml index 0f150cb170f..33a297dc4ce 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml 
@@ -3,7 +3,7 @@ id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 related: - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups type: similar -status: experimental +status: test description: Detects suspicious command line that adds an account to the local administrators/administrateurs group references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 diff --git a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml index c2f9774b902..275ef218086 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml @@ -1,6 +1,6 @@ title: Always Install Elevated Windows Installer id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770 -status: experimental +status: test description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg diff --git a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml index 72ef4268797..eb0cd776317 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml 
@@ -1,6 +1,6 @@ title: Potentially Suspicious Windows App Activity id: f91ed517-a6ba-471d-9910-b3b4a398c0f3 -status: experimental +status: test description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution references: - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 70dff26fadf..5745141b5e1 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml @@ -3,7 +3,7 @@ id: a7c3d773-caef-227e-a7e7-c2f13c622329 related: - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add type: obsoletes -status: experimental +status: test description: | Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. diff --git a/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml index afedd9c18dd..fca1f14b055 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml 
@@ -1,6 +1,6 @@ title: Potential Command Line Path Traversal Evasion Attempt id: 1327381e-6ab0-4f38-b583-4c1b8346a56b -status: experimental +status: test description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline references: - https://twitter.com/hexacorn/status/1448037865435320323 diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml index 645d0b0d6e9..3ce4b2cb29d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml @@ -3,7 +3,7 @@ id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b related: - id: fc028194-969d-4122-8abe-0470d5b8f12f type: derived -status: experimental +status: test description: | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml index 294c3b99dde..49fb0c5537e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml @@ -3,7 +3,7 @@ id: f5d19838-41b5-476c-98d8-ba8af4929ee2 related: - id: fff9d2b7-e11c-4a69-93d3-40ef66189767 type: derived -status: experimental +status: test description: | Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations. references: 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml index f56bb811e0c..d9a4141405c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml @@ -1,6 +1,6 @@ title: Potential Data Exfiltration Activity Via CommandLine Tools id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab -status: experimental +status: test description: Detects the use of various CLI utilities exfiltrating data via web requests references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml index a30857f9cf6..0a14cd5bc0c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml @@ -3,7 +3,7 @@ id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c related: - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine type: derived -status: experimental +status: test description: Detect execution of suspicious double extension files in ParentCommandLine references: - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml index 7c94d76b5d4..6d5b7f6bf56 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml 
@@ -3,7 +3,7 @@ id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 related: - id: 378a05d8-963c-46c9-bcce-13c7657eac99 type: similar -status: experimental +status: test description: | Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule) references: diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml index 1e96f4e4814..1f730331fc3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml @@ -3,7 +3,7 @@ id: 378a05d8-963c-46c9-bcce-13c7657eac99 related: - id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 type: similar -status: experimental +status: test description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary. references: - https://positive.security/blog/ms-officecmd-rce diff --git a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml index 935dc291b1f..8cd9d20c441 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml @@ -1,6 +1,6 @@ title: Elevated System Shell Spawned id: 178e615d-e666-498b-9630-9ed363038101 -status: experimental +status: test description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. references: - https://github.com/Wh04m1001/SysmonEoP 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml index 9d43fc6ef43..367be4cef60 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml @@ -1,6 +1,6 @@ title: Suspicious Execution From GUID Like Folder Names id: 90b63c33-2b97-4631-a011-ceb0f47b77c3 -status: experimental +status: test description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks references: - https://twitter.com/Kostastsale/status/1565257924204986369 diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml index 447bb5775df..b76a30ae3ed 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml @@ -1,6 +1,6 @@ title: Execution from Suspicious Folder id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4 -status: experimental +status: test description: Detects a suspicious execution from an uncommon folder references: - https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt diff --git a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml index f7e821ad2dd..443e795cc5b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml 
@@ -3,7 +3,7 @@ id: 0900463c-b33b-49a8-be1d-552a3b553dae related: - id: a8f866e1-bdd4-425e-a27a-37619238d9c7 type: similar -status: experimental +status: test description: | Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe" references: diff --git a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml index 3c063d25002..c6473041487 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml @@ -3,7 +3,7 @@ id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702 related: - id: 03d83090-8cba-44a0-b02f-0b756a050306 type: derived -status: experimental +status: test description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec references: - https://twitter.com/m417z/status/1566674631788007425 diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml index cefbc8c7770..9a2b454d6c2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml @@ -1,6 +1,6 @@ title: Execution of Suspicious File Type Extension id: c09dad97-1c78-4f71-b127-7edb2b8e491a -status: experimental +status: test description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process) references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml index 7fef7623c6f..cbd83ab9f82 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml @@ -3,7 +3,7 @@ id: caf201a9-c2ce-4a26-9c3a-2b9525413711 related: - id: e2812b49-bae0-4b21-b366-7c142eafcde2 type: similar -status: experimental +status: test description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script references: - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml index 535d806af4d..dbb56975c51 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml @@ -3,7 +3,7 @@ id: a96970af-f126-420d-90e1-d37bf25e50e1 related: - id: 349d891d-fef0-4fe4-bc53-eee623a15969 type: similar -status: experimental +status: test description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml index cb59f01fabd..2256975f81e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml @@ -3,7 +3,7 @@ id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b related: - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 type: similar -status: experimental +status: test description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ diff --git a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml index 9f581bf0622..4f2e2ab79b3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml @@ -3,7 +3,7 @@ id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b related: - id: f35c5d71-b489-4e22-a115-f003df287317 type: derived -status: experimental +status: test description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. references: - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html diff --git a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml index fafa963f9eb..559657fd0cb 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml 
@@ -3,7 +3,7 @@ id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 related: - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca type: derived -status: experimental +status: test description: Detects process execution from a fake recycle bin folder, often used to avoid security solution. references: - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml index 3ea4b6b5d30..c6c597d9913 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml @@ -1,6 +1,6 @@ title: Potential Defense Evasion Via Right-to-Left Override id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 -status: experimental +status: test description: | Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques. diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index 8628cf7b7e4..98d3f570a16 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml 
@@ -7,7 +7,7 @@ related: type: obsoletes - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b type: obsoletes -status: experimental +status: test description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts references: - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml index 5af203cdbfa..f273a2082b6 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml @@ -1,6 +1,6 @@ title: System File Execution Location Anomaly id: e4a6b256-3e47-40fc-89d2-7a477edd6915 -status: experimental +status: test description: Detects a Windows program executable started from a suspicious folder references: - https://twitter.com/GelosSnake/status/934900723426439170 diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml index ddcaeece4db..a6cedbca262 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml 
@@ -3,7 +3,7 @@ id: 9212f354-7775-4e28-9c9f-8f0a4544e664 related: - id: ef61af62-bc74-4f58-b49b-626448227652 type: derived -status: experimental +status: test description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. references: - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml index 569ab46d8ff..53d1712a4c1 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml @@ -3,7 +3,7 @@ id: ef61af62-bc74-4f58-b49b-626448227652 related: - id: 9212f354-7775-4e28-9c9f-8f0a4544e664 type: derived -status: experimental +status: test description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. references: - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml index b020e3df7cf..69003011edf 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml 
@@ -3,7 +3,7 @@ id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b related: - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 type: derived -status: experimental +status: test description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools references: - https://twitter.com/Moti_B/status/1008587936735035392 diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml index aff51dc1e55..3f5b5531501 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml @@ -1,6 +1,6 @@ title: Potential Memory Dumping Activity Via LiveKD id: a85f7765-698a-4088-afa0-ecfbf8d01fa4 -status: experimental +status: test description: Detects execution of LiveKD based on PE metadata or image name references: - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml index 2ed92160ffa..7cb9d7b1f4e 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml @@ -1,6 +1,6 @@ title: Kernel Memory Dump Via LiveKD id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2 -status: experimental +status: test description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory references: - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd 
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml index b62bd7e12f1..c8c9336129c 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml @@ -1,6 +1,6 @@ title: Procdump Execution id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20 -status: experimental +status: test description: Detects usage of the SysInternals Procdump utility references: - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml index 20200260f19..c3bb28b0d58 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml @@ -3,7 +3,7 @@ id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 related: - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags type: similar -status: experimental +status: test description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml index 7b67c416c53..abb352311d6 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml 
@@ -1,6 +1,6 @@ title: Potential PsExec Remote Execution id: ea011323-7045-460b-b2d7-0f7442ea6b38 -status: experimental +status: test description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml index ffd5a28ad6b..bd75ae19264 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml @@ -3,7 +3,7 @@ id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5 related: - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba type: obsoletes -status: experimental +status: test description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml index 0b30fe207c3..5ed1f05f341 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml 
@@ -3,7 +3,7 @@ id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94 related: - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba type: similar -status: experimental +status: test description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account) references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml index b2352c405cc..930c35e9249 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml @@ -1,6 +1,6 @@ title: Suspicious Use of PsLogList id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc -status: experimental +status: test description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs references: - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml index ddd882d16a6..6ab71e6288c 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml @@ -1,6 +1,6 @@ title: Sysinternals PsService Execution id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f -status: experimental +status: test description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psservice 
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml index 8c082115ec8..98fa3c83d1c 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml @@ -3,7 +3,7 @@ id: 48bbc537-b652-4b4e-bd1d-281172df448f related: - id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78 type: similar -status: experimental +status: test description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes references: - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml index db2af26aeef..3d72c6b43f4 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml @@ -3,7 +3,7 @@ id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78 related: - id: 48bbc537-b652-4b4e-bd1d-281172df448f # Basic Execution type: similar -status: experimental +status: test description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses references: - https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml index ee21021ccbb..5a88207ac55 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml 
@@ -1,6 +1,6 @@ title: Potential File Overwrite Via Sysinternals SDelete id: a4824fca-976f-4964-b334-0621379e84c4 -status: experimental +status: test description: Detects the use of SDelete to erase a file not the free space references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml index 3d7f7706cd9..53131b483d4 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml @@ -3,7 +3,7 @@ id: 207b0396-3689-42d9-8399-4222658efc99 related: - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule type: similar -status: experimental +status: test description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec diff --git a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml index ea7421f862e..a5f2f3b61fb 100644 --- a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml +++ b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml 
@@ -3,7 +3,7 @@ id: a383dec4-deec-4e6e-913b-ed9249670848 related: - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1 type: similar -status: experimental +status: test description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages. references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml index c10e835bafd..68137ee0370 100644 --- a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml +++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml @@ -1,6 +1,6 @@ title: Suspicious Command With Teams Objects Paths id: d2eb17db-1d39-41dc-b57f-301f6512fa75 -status: experimental +status: test description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. references: - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ diff --git a/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml index 21165f1691a..78fb7387ad8 100644 --- a/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml +++ b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml @@ -1,6 +1,6 @@ title: New Virtual Smart Card Created Via TpmVscMgr.EXE id: c633622e-cab9-4eaa-bb13-66a1d68b3e47 -status: experimental +status: test description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card. references: - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr 
diff --git a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml index aa5c0300c31..d98c795a7f8 100644 --- a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml +++ b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml @@ -1,6 +1,6 @@ title: Potential RDP Session Hijacking Activity id: 224f140f-3553-4cd1-af78-13d81bf9f7cc -status: experimental +status: test description: Detects potential RDP Session Hijacking activity on Windows systems references: - https://twitter.com/Moti_B/status/909449115477659651 diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml index 89dcaf75f3a..2a2c1446123 100644 --- a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml @@ -3,7 +3,7 @@ id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d related: - id: 236d8e89-ed95-4789-a982-36f4643738ba type: derived -status: experimental +status: test description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml index af3330d57cc..65225d628bf 100644 --- a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml 
@@ -3,7 +3,7 @@ id: 236d8e89-ed95-4789-a982-36f4643738ba related: - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d type: derived -status: experimental +status: test description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ diff --git a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml index 49b1ea77895..bc3751e4ec8 100644 --- a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml @@ -1,6 +1,6 @@ title: VMToolsd Suspicious Child Process id: 5687f942-867b-4578-ade7-1e341c46e99a -status: experimental +status: test description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ diff --git a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml index 19360242f74..25e09bf7b23 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml 
@@ -1,6 +1,6 @@ title: Potentially Suspicious Child Process Of VsCode id: 5a3164f2-b373-4152-93cf-090b13c12d27 -status: experimental +status: test description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles. references: - https://twitter.com/nas_bench/status/1618021838407495681 diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml index e3607a306f9..bc67db31d05 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml @@ -1,6 +1,6 @@ title: Visual Studio Code Tunnel Execution id: 90d6bd71-dffb-4989-8d86-a827fedd6624 -status: experimental +status: test description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml index 177d912b9a1..058656265d9 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml @@ -1,6 +1,6 @@ title: Visual Studio Code Tunnel Shell Execution id: f4a623c2-4ef5-4c33-b811-0642f702c9f1 -status: experimental +status: test description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ 
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml index da5704365c3..bf46de2ab8c 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml @@ -1,6 +1,6 @@ title: Renamed Visual Studio Code Tunnel Execution id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da -status: experimental +status: test description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml index 8026d5d8d86..ccbab199b8f 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml @@ -1,6 +1,6 @@ title: Visual Studio Code Tunnel Service Installation id: 30bf1789-379d-4fdc-900f-55cd0a90a801 -status: experimental +status: test description: Detects the installation of VsCode tunnel (code-tunnel) as a service. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ diff --git a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml index c3716f59a96..0eb26551840 100644 --- a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml +++ b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml 
@@ -1,6 +1,6 @@ title: Potential Binary Proxy Execution Via VSDiagnostics.EXE id: ac1c92b4-ac81-405a-9978-4604d78cc47e -status: experimental +status: test description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries. references: - https://twitter.com/0xBoku/status/1679200664013135872 diff --git a/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml b/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml index cb1caed52e6..991c86b7762 100644 --- a/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml @@ -3,7 +3,7 @@ id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe related: - id: f0507c0f-a3a2-40f5-acc6-7f543c334993 type: similar -status: experimental +status: test description: Detects possible execution via LNK file accessed on a WebDAV server. references: - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html diff --git a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml index e0e058805a7..53acd9cfb71 100644 --- a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml @@ -3,7 +3,7 @@ id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd related: - id: 0cf2e1c6-8d10-4273-8059-738778f981ad type: derived -status: experimental +status: test description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow references: - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html 
diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml index 31fc12b12d8..1e8d6a6f0c5 100644 --- a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml @@ -3,7 +3,7 @@ id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e related: - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 type: similar -status: experimental +status: test description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process references: - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml index c8490ba9ee6..1f6f63ff445 100644 --- a/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml +++ b/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml @@ -3,7 +3,7 @@ id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 related: - id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e type: similar -status: experimental +status: test description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location. references: - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html diff --git a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml index 27a58fde21d..b8b708556e8 100644 --- a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml 
@@ -1,6 +1,6 @@ title: Potential Recon Activity Using Wevtutil id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf -status: experimental +status: test description: Detects usage of the wevtutil utility to perform reconnaissance references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml index 05195a8178d..f1ec536beb7 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml @@ -1,6 +1,6 @@ title: Suspicious File Download From IP Via Wget.EXE id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35 -status: experimental +status: test description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe references: - https://www.gnu.org/software/wget/manual/wget.html diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml index cbdeac7e8c7..2f0ee924958 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml @@ -1,6 +1,6 @@ title: Suspicious File Download From File Sharing Domain Via Wget.EXE id: a0d7e4d2-bede-4141-8896-bc6e237e977c -status: experimental +status: test description: Detects potentially suspicious file downloads from file sharing domains using wget.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers 
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml index 395246105c3..d50cb06d0a7 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml @@ -3,7 +3,7 @@ id: 79ce34ca-af29-4d0e-b832-fc1b377020db related: - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1 type: obsoletes -status: experimental +status: test description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment diff --git a/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml index 2d92ba45cb7..a4866b9979c 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml @@ -1,6 +1,6 @@ title: Group Membership Reconnaissance Via Whoami.EXE id: bd8b828d-0dca-48e1-8a63-8a58ecf2644f -status: experimental +status: test description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami diff --git a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml index 2d56ef9d69d..109c3f6e52c 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml 
@@ -1,6 +1,6 @@ title: Whoami.EXE Execution Anomaly id: 8de1cbe8-d6f5-496d-8237-5f44a721c7a0 -status: experimental +status: test description: Detects the execution of whoami.exe with suspicious parent processes. references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ diff --git a/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml index bb770747c51..bbfcd96ae8c 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml @@ -1,6 +1,6 @@ title: Security Privileges Enumeration Via Whoami.EXE id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b -status: experimental +status: test description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami diff --git a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml index d6b55155caa..2ae6164c73b 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml @@ -1,6 +1,6 @@ title: Suspicious Whoami.EXE Execution id: c30fb093-1109-4dc8-88a8-b30d11c95a5d -status: experimental +status: test description: Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use. references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ 
diff --git a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml index 0868cf343b9..c87f477284b 100644 --- a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml +++ b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml @@ -1,6 +1,6 @@ title: Suspicious WindowsTerminal Child Processes id: 8de89e52-f6e1-4b5b-afd1-41ecfa300d48 -status: experimental +status: test description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section) references: - https://persistence-info.github.io/Data/windowsterminalprofile.html diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml index f590025cc26..4efffd1d2ed 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml @@ -5,7 +5,7 @@ related: type: similar - id: c15a46a0-07d4-4c87-b4b6-89207835a83b type: similar -status: experimental +status: test description: Detects usage of winget to add new additional download sources references: - https://learn.microsoft.com/en-us/windows/package-manager/winget/source diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml index 3eff20d90b9..33e3ddd4bbb 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: c15a46a0-07d4-4c87-b4b6-89207835a83b type: similar -status: experimental +status: test description: | Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos) diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml index fa0f7c1f3e5..bc2d1b3f369 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml @@ -5,7 +5,7 @@ related: type: similar - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 type: similar -status: experimental +status: test description: Detects usage of winget to add new potentially suspicious download sources references: - https://learn.microsoft.com/en-us/windows/package-manager/winget/source diff --git a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml index ce25c5c2015..9ffd2a92461 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml @@ -1,6 +1,6 @@ title: Install New Package Via Winget Local Manifest id: 313d6012-51a0-4d93-8dfc-de8553239e25 -status: experimental +status: test description: | Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. 
diff --git a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml index 13783e8cd28..fa562799e67 100644 --- a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml +++ b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml @@ -3,7 +3,7 @@ id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc related: - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 type: similar -status: experimental +status: test description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ diff --git a/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml index 076f4a9f988..da37d2210aa 100644 --- a/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml @@ -3,7 +3,7 @@ id: 146aace8-9bd6-42ba-be7a-0070d8027b76 related: - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 type: similar -status: experimental +status: test description: Detects potentially suspicious child processes of WinRAR.exe. references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml b/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml index dff560319b0..d6809887400 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml 
@@ -1,6 +1,6 @@ title: Potential Windows Defender Tampering Via Wmic.EXE id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a -status: experimental +status: test description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml index 30cb71b78d3..fec41430b4a 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml @@ -1,6 +1,6 @@ title: Computer System Reconnaissance Via Wmic.EXE id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f -status: experimental +status: test description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc. references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml index 69a8be88a97..c3dd3482766 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml @@ -1,6 +1,6 @@ title: Hardware Model Reconnaissance Via Wmic.EXE id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d -status: experimental +status: test description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information references: - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/ 
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml index bff18ed4fe8..375e35e1b4c 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml @@ -1,6 +1,6 @@ title: Local Groups Reconnaissance Via Wmic.EXE id: 164eda96-11b2-430b-85ff-6a265c15bf32 -status: experimental +status: test description: | Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml index 7aa13674518..d1f8c41aef8 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml @@ -1,6 +1,6 @@ title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45 -status: experimental +status: test description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts references: - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml index 4ca49d1f181..ff92230053b 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml 
@@ -1,6 +1,6 @@ title: Process Reconnaissance Via Wmic.EXE id: 221b251a-357a-49a9-920a-271802777cc0 -status: experimental +status: test description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml index 942d53690f3..07db3fc47f2 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml @@ -1,6 +1,6 @@ title: Potential Product Reconnaissance Via Wmic.EXE id: 15434e33-5027-4914-88d5-3d4145ec25a9 -status: experimental +status: test description: Detects the execution of WMIC in order to get a list of firewall and antivirus products references: - https://thedfirreport.com/2023/03/06/2022-year-in-review/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml index 80d0b3f7d86..8c61e02a815 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml @@ -1,6 +1,6 @@ title: Potential Product Class Reconnaissance Via Wmic.EXE id: e568650b-5dcd-4658-8f34-ded0b1e13992 -status: experimental +status: test description: Detects the execution of WMIC in order to get a list of firewall and antivirus products references: - https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md 
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml index 6e055ea1ad8..7b6db1f335a 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml @@ -3,7 +3,7 @@ id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae related: - id: 68bcd73b-37ef-49cb-95fc-edc809730be6 type: similar -status: experimental +status: test description: | An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml index b5fb1775114..6a8149d71ad 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml @@ -1,6 +1,6 @@ title: Potential System Information Discovery Via Wmic.EXE id: 9d5a1274-922a-49d0-87f3-8c653483b909 -status: experimental +status: test description: | Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml index 5126343f1eb..b3d54f81abf 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae type: similar -status: experimental +status: test description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts references: - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml index 8c05b5f5a27..06bbf697d2d 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml @@ -5,7 +5,7 @@ related: type: obsoletes - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf type: obsoletes -status: experimental +status: test description: Detects the execution of WMIC to query information on a remote system references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml b/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml index b17833d01b6..f1ca9fc45b9 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml @@ -1,6 +1,6 @@ title: Service Started/Stopped Via Wmic.EXE id: 0b7163dc-7eee-4960-af17-c0cd517f92da -status: experimental +status: test description: Detects usage of wmic to start or stop a service references: - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html diff --git a/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml index 62d59a1b17e..2fa2054bd48 100644 
--- a/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml @@ -11,7 +11,7 @@ related: type: obsoletes - id: 04f5363a-6bca-42ff-be70-0d28bf629ead type: obsoletes -status: experimental +status: test description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin). references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml index 26ee602fa51..8dd0fe238a8 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml @@ -3,7 +3,7 @@ id: 49d9671b-0a0a-4c09-8280-d215bfd30662 related: - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products type: derived -status: experimental +status: test description: Detects calls to the "terminate" function via wmic in order to kill an application references: - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml index 53bec511aef..414b1ab0037 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml 
@@ -3,7 +3,7 @@ id: b53317a0-8acf-4fd1-8de8-a5401e776b96 related: - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products type: derived -status: experimental +status: test description: Uninstall an application with wmic references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml index 2b4799250c8..a790fa85215 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml @@ -1,6 +1,6 @@ title: Cscript/Wscript Suspicious Child Process id: b6676963-0353-4f88-90f5-36c20d443c6a -status: experimental +status: test description: Detects suspicious child processes of Wscript/Cscript author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/15 diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml index 10be020863a..8944a9f5acc 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml @@ -1,6 +1,6 @@ title: Cscript/Wscript Uncommon Script Extension Execution id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee -status: experimental +status: test description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/15 
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml index 4a0f186e31e..65491ff776b 100644 --- a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml +++ b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml @@ -3,7 +3,7 @@ id: 2267fe65-0681-42ad-9a6d-46553d3f3480 related: - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule type: derived -status: experimental +status: test description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ diff --git a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml index abb571644d8..23f5d26a727 100644 --- a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml @@ -1,6 +1,6 @@ title: Windows Binary Executed From WSL id: ed825c86-c009-4014-b413-b76003e33d35 -status: experimental +status: test description: Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships references: - Internal Research diff --git a/rules/windows/process_tampering/proc_tampering_process_hollowing.yml b/rules/windows/process_tampering/proc_tampering_process_hollowing.yml index ddc610eecb6..d04b1e0a298 100644 --- a/rules/windows/process_tampering/proc_tampering_process_hollowing.yml +++ b/rules/windows/process_tampering/proc_tampering_process_hollowing.yml 
@@ -1,6 +1,6 @@ title: Potential Process Hollowing Activity id: c4b890e5-8d8c-4496-8c66-c805753817cd -status: experimental +status: test description: Detects when a memory process image does not match the disk image, indicative of process hollowing. references: - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20 diff --git a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml index 91b79089a9d..f643eaff868 100644 --- a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml +++ b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml @@ -1,6 +1,6 @@ title: Potential NetWire RAT Activity - Registry id: 1d218616-71b0-4c40-855b-9dbe75510f7f -status: experimental +status: test description: Detects registry keys related to NetWire RAT references: - https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing diff --git a/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml index e84fd2d5eaf..dad041dcaa7 100644 --- a/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via New AMSI Providers - Registry id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 -status: experimental +status: test description: Detects when an attacker registers a new AMSI provider in order to achieve persistence references: - https://persistence-info.github.io/Data/amsi.html diff --git a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml index 5d3f4522106..55f067b45ed 100644 --- a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml 
+++ b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml @@ -1,6 +1,6 @@ title: Potential COM Object Hijacking Via TreatAs Subkey - Registry id: 9b0f8a61-91b2-464f-aceb-0527e0a45020 -status: experimental +status: test description: Detects COM object hijacking via TreatAs subkey references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ diff --git a/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml index 09192a552c9..0b5db516bed 100644 --- a/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Disk Cleanup Handler - Registry id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a -status: experimental +status: test description: | Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml index 4706b5d675f..96fe42dfa40 100644 --- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml +++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml @@ -1,6 +1,6 @@ title: PUA - Sysinternal Tool Execution - Registry id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 -status: experimental +status: test description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key references: - https://twitter.com/Moti_B/status/1008587936735035392 
diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml index 1e2a436e64c..d8cdebdedf8 100644 --- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml +++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml @@ -5,7 +5,7 @@ related: type: derived - id: 8023f872-3f1d-4301-a384-801889917ab4 type: similar -status: experimental +status: test description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool) references: - Internal Research diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml index 180da7c631a..cf22352087b 100644 --- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml +++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml @@ -5,7 +5,7 @@ related: type: derived - id: 9841b233-8df8-4ad7-9133-b0b4402a9014 type: obsoletes -status: experimental +status: test description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key. references: - https://twitter.com/Moti_B/status/1008587936735035392 diff --git a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml index 37fffeeaef5..fa66851298d 100644 --- a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml 
+++ b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml @@ -1,6 +1,6 @@ title: Folder Removed From Exploit Guard ProtectedFolders List - Registry id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40 -status: experimental +status: test description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder references: - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml index 04f68324fc3..ec2b9d20cc0 100644 --- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml +++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml @@ -5,7 +5,7 @@ related: type: similar - id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61 type: similar -status: experimental +status: test description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query" references: - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml index 4cb5739aa21..4272a303677 100644 --- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml 
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml @@ -3,7 +3,7 @@ id: acd74772-5f88-45c7-956b-6a7b36c294d2 related: - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec type: similar -status: experimental +status: test description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware references: - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ diff --git a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml index 7abdbde39b5..d56a0e72245 100644 --- a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml +++ b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml @@ -1,6 +1,6 @@ title: Potential Qakbot Registry Activity id: 1c8e96cd-2bed-487d-9de0-b46c90cade56 -status: experimental +status: test description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution diff --git a/rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml b/rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml index f8a92e67956..097de02c5c4 100644 --- a/rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml +++ b/rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml @@ -1,6 +1,6 @@ title: Scheduled Task Created - Registry id: 93ff0ceb-e0ef-4586-8cd8-a6c277d738e3 -status: experimental +status: test description: Detects the creation of a scheduled task via Registry keys. references: - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/ 
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml index 11fdecf909a..a30a328ef84 100644 --- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml +++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml @@ -1,6 +1,6 @@ title: Atbroker Registry Change id: 9577edbb-851f-4243-8c91-1d5b50c1a39b -status: experimental +status: test description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at' references: - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml index af8f2b071e3..c92fcc2539e 100644 --- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml +++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml @@ -1,6 +1,6 @@ title: Registry Persistence via Service in Safe Mode id: 1547e27c-3974-43e2-a7d7-7f484fb928ec -status: experimental +status: test description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml index 379c0ce4d2c..de1103d8b73 100644 --- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml +++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml 
@@ -1,6 +1,6 @@ title: Add Port Monitor Persistence in Registry id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e -status: experimental +status: test description: | Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. diff --git a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml index 64316504627..3e5e31cba92 100644 --- a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml @@ -1,6 +1,6 @@ title: Add Debugger Entry To AeDebug For Persistence id: 092af964-4233-4373-b4ba-d86ea2890288 -status: experimental +status: test description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes references: - https://persistence-info.github.io/Data/aedebug.html diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml index 7348e6e3fad..3eda2311854 100644 --- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml +++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml @@ -1,6 +1,6 @@ title: Allow RDP Remote Assistance Feature id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b -status: experimental +status: test description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md 
diff --git a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml index 4fe68b3d3a6..c78f4fe4eb0 100644 --- a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml +++ b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml @@ -1,6 +1,6 @@ title: Potential AMSI COM Server Hijacking id: 160d2780-31f7-4922-8b3a-efce30e63e96 -status: experimental +status: test description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless references: - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml index 09b521472b5..f4c3a6e8a12 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml @@ -3,7 +3,7 @@ id: 9df5f547-c86a-433e-b533-f2794357e242 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml index 8266a28d503..7dccae04bd3 100644 
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml @@ -3,7 +3,7 @@ id: f59c3faf-50f3-464b-9f4c-1b67ab512d99 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml index 44c64026a8e..d30b50a8a75 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml @@ -3,7 +3,7 @@ id: f674e36a-4b91-431e-8aef-f8a96c2aca35 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index d71a8ae380a..decacbab88e 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml 
@@ -3,7 +3,7 @@ id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml index 02b8cd40d6f..b7a665399f4 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml @@ -3,7 +3,7 @@ id: cbf93e5d-ca6c-4722-8bea-e9119007c248 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml index a20da226862..be13624af19 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml 
@@ -3,7 +3,7 @@ id: baecf8fb-edbf-429f-9ade-31fc3f22b970 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index 87310ceba94..cdb28f29052 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml @@ -3,7 +3,7 @@ id: b29aed60-ebd1-442b-9cb5-16a1d0324adb related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml index 796cf174f77..4249f5e19b7 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml 
@@ -3,7 +3,7 @@ id: 480421f9-417f-4d3b-9552-fd2728443ec8 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml index a94e9bf5b5d..fb87c2fca27 100644 --- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml +++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml @@ -1,6 +1,6 @@ title: New BgInfo.EXE Custom DB Path Registry Configuration id: 53330955-dc52-487f-a3a2-da24dcff99b5 -status: experimental +status: test description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information. references: - Internal Research diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml index 692590c376a..49defb4a9f1 100644 --- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml +++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml @@ -3,7 +3,7 @@ id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3 related: - id: cd277474-5c52-4423-a52b-ac2d7969902f type: similar -status: experimental +status: test description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe" references: - Internal Research 
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml index 1ee4681fd0b..f3469c63fee 100644 --- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml +++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml @@ -3,7 +3,7 @@ id: cd277474-5c52-4423-a52b-ac2d7969902f related: - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3 type: similar -status: experimental +status: test description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe" references: - Internal Research diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml index 28b518ee340..1566e450ffc 100644 --- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml +++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml @@ -1,6 +1,6 @@ title: Bypass UAC Using Event Viewer id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af -status: experimental +status: test description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ diff --git a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml index a82e61629ab..ad9043c6e7b 100644 --- a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml +++ b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml 
@@ -3,7 +3,7 @@ id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393 related: - id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 type: derived -status: experimental +status: test description: Hides the file extension through modification of the registry references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone diff --git a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml index 50fff15fd47..f032c0a3736 100644 --- a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml +++ b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml @@ -1,6 +1,6 @@ title: Disable Sysmon Event Logging Via Registry id: 4916a35e-bfc4-47d0-8e25-a003d7067061 -status: experimental +status: test description: Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot. references: - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650 diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml index af15ebe1edf..048fa7ace07 100644 --- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml +++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml @@ -1,6 +1,6 @@ title: Change Winevt Event Access Permission Via Registry id: 7d9263bd-dc47-4a58-bc92-5474abab390c -status: experimental +status: test description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel references: - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/ 
diff --git a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml index 95ce42d104b..d04bfa4f3a3 100644 --- a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml +++ b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml @@ -1,6 +1,6 @@ title: ClickOnce Trust Prompt Tampering id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb -status: experimental +status: test description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml index e1f315009cc..a7c710e5be0 100644 --- a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml @@ -1,6 +1,6 @@ title: CrashControl CrashDump Disabled id: 2ff692c2-4594-41ec-8fcb-46587de769e0 -status: experimental +status: test description: Detects disabling the CrashDump per registry (as used by HermeticWiper) references: - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml index 6da8b9abd56..6ab02f4c16a 100644 --- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml 
@@ -3,7 +3,7 @@ id: a07f0359-4c90-4dc4-a681-8ffea40b4f47 related: - id: c0abc838-36b0-47c9-b3b3-a90c39455382 type: obsoletes -status: experimental +status: test description: Detect the creation of a service with a service binary located in a suspicious directory references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml index a4b9e0f9d71..c5941e0dfa3 100644 --- a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml @@ -1,6 +1,6 @@ title: Service Binary in Uncommon Folder id: 277dc340-0540-42e7-8efb-5ff460045e07 -status: experimental +status: test description: Detect the creation of a service with a service binary located in a uncommon directory references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md diff --git a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml index 5dfc8b5f455..17190aee47c 100644 --- a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml +++ b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml 
@@ -1,6 +1,6 @@ title: Custom File Open Handler Executes PowerShell id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc -status: experimental +status: test description: Detects the abuse of custom file open handler, executing powershell references: - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728 diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml index 4982a1573b4..6ca04e90e11 100644 --- a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml @@ -1,6 +1,6 @@ title: Potential Registry Persistence Attempt Via DbgManagedDebugger id: 9827ae57-3802-418f-994b-d5ecf5cd974b -status: experimental +status: test description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes references: - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml index 321b592fcb7..a4e9bc50658 100644 --- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml 
@@ -1,6 +1,6 @@ title: Hypervisor Enforced Code Integrity Disabled id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a -status: experimental +status: test description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel references: - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/ diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml index aa8567d3bf5..a40b5f8410f 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml @@ -1,6 +1,6 @@ title: Potential AutoLogger Sessions Tampering id: f37b4bce-49d0-4087-9f5b-58bffda77316 -status: experimental +status: test description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml index 96d1c9a1eb7..3b4716e67e2 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml 
@@ -1,6 +1,6 @@ title: Disable Internal Tools or Feature in Registry id: e2482f8d-3443-4237-b906-cc145d87a076 -status: experimental +status: test description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md diff --git a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml index 3502ab28e5c..8208a430d20 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml @@ -1,7 +1,7 @@ title: Disable Macro Runtime Scan Scope id: ab871450-37dc-4a3a-997f-6662aa8ae0f1 description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros -status: experimental +status: test date: 2022/10/25 modified: 2023/08/17 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml index 9a11da231c1..652eb65dfd1 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml @@ -1,6 +1,6 @@ title: Disable Privacy Settings Experience in Registry id: 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b -status: experimental +status: test description: Detects registry modifications that disable Privacy Settings Experience references: - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md 
diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml index f0231eca820..2f2abbbd1cf 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml @@ -1,6 +1,6 @@ title: Disable Windows Security Center Notifications id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6 -status: experimental +status: test description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml index 54434474ff5..d002b7a5ae5 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml @@ -1,6 +1,6 @@ title: Registry Disable System Restore id: 5de03871-5d46-4539-a82d-3aa992a69a83 -status: experimental +status: test description: Detects the modification of the registry to disable a system restore on the computer references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry diff --git a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml index 23ed376e407..ac7987ba8a6 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml 
@@ -1,6 +1,6 @@ title: Disable UAC Using Registry id: 48437c39-9e5f-47fb-af95-3d663c3f2919 -status: experimental +status: test description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml index 22bd8681847..cf9b9969c22 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml @@ -1,6 +1,6 @@ title: Windows Defender Service Disabled id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a -status: experimental +status: test description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml index 1ac85cc6d27..7a36346450e 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml @@ -1,6 +1,6 @@ title: Disable Windows Firewall by Registry id: e78c408a-e2ea-43cd-b5ea-51975cf358c0 -status: experimental +status: test description: Detect set EnableFirewall to 0 to disable the Windows firewall references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md 
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 6c760ba5f22..55748eb93b0 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -1,6 +1,6 @@ title: Disable Windows Event Logging Via Registry id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 -status: experimental +status: test description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 diff --git a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml index 781e6a9a4c9..cbf4d6474ef 100644 --- a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml +++ b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml @@ -1,6 +1,6 @@ title: Disable Exploit Guard Network Protection on Windows Defender id: bf9e1387-b040-4393-9851-1598f8ecfae9 -status: experimental +status: test description: Detects disabling Windows Defender Exploit Guard Network Protection references: - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html diff --git a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml index 0f8f898567c..d6ed06a3389 100644 --- a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml +++ b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml 
@@ -1,6 +1,6 @@ title: Disabled Windows Defender Eventlog id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157 -status: experimental +status: test description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections references: - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2 diff --git a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml index 5e221c7ebc5..edae0b44863 100644 --- a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml +++ b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml @@ -1,6 +1,6 @@ title: Disable PUA Protection on Windows Defender id: 8ffc5407-52e3-478f-9596-0a7371eafe13 -status: experimental +status: test description: Detects disabling Windows Defender PUA protection references: - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html diff --git a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml index 318153dd3db..ab8b138eb5f 100644 --- a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml +++ b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml @@ -1,6 +1,6 @@ title: Disable Tamper Protection on Windows Defender id: 93d298a1-d28f-47f1-a468-d971e7796679 -status: experimental +status: test description: Detects disabling Windows Defender Tamper Protection references: - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html 
diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml index 3a1f3119253..7f209fa3f23 100644 --- a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml +++ b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml @@ -1,6 +1,6 @@ title: Add DisallowRun Execution to Registry id: 275641a5-a492-45e2-a817-7c81e9d9d3e9 -status: experimental +status: test description: Detect set DisallowRun to 1 to prevent user running specific computer program references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md diff --git a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml index a20d1d63925..ccc7551f5b6 100644 --- a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml @@ -1,6 +1,6 @@ title: Persistence Via Disk Cleanup Handler - Autorun id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc -status: experimental +status: test description: | Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. diff --git a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml index ca032002d17..85c35451d0c 100644 --- a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml +++ b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml 
@@ -5,7 +5,7 @@ related: type: derived - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573 type: derived -status: experimental +status: test description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 diff --git a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml index f5bbeafbdd1..4357c02879a 100644 --- a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml +++ b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml @@ -1,6 +1,6 @@ title: Scripted Diagnostics Turn Off Check Enabled - Registry id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86 -status: experimental +status: test description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability references: - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw diff --git a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml index 9f564a05efe..d5fa767e55f 100644 --- a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml @@ -1,6 +1,6 @@ title: Potential EventLog File Location Tampering id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459 -status: experimental +status: test description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting references: - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key 
diff --git a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml index 0d10a533b95..ba3932f2c74 100644 --- a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml +++ b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml @@ -1,6 +1,6 @@ title: Suspicious Application Allowed Through Exploit Guard id: 42205c73-75c8-4a63-9db1-e3782e06fda0 -status: experimental +status: test description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings references: - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ diff --git a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml index 3f8b35c967b..a5e9ca1038a 100644 --- a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml +++ b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml @@ -1,6 +1,6 @@ title: Change User Account Associated with the FAX Service id: e3fdf743-f05b-4051-990a-b66919be1743 -status: experimental +status: test description: Detect change of the user account associated with the FAX service to avoid the escalation problem. references: - https://twitter.com/dottor_morte/status/1544652325570191361 diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml index adf10c8fc13..d3d44b9c6c3 100644 --- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml +++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml 
@@ -1,6 +1,6 @@ title: Change the Fax Dll id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513 -status: experimental +status: test description: Detect possible persistence using Fax DLL load when service restart references: - https://twitter.com/dottor_morte/status/1544652325570191361 diff --git a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml index eb1d4c3e8f3..401a14e51bf 100644 --- a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml @@ -1,6 +1,6 @@ title: Add Debugger Entry To Hangs Key For Persistence id: 833ef470-fa01-4631-a79b-6f291c9ac498 -status: experimental +status: test description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes references: - https://persistence-info.github.io/Data/wer_debugger.html diff --git a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml index 57ce7ac0b5b..633e83856ca 100644 --- a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml @@ -1,6 +1,6 @@ title: Persistence Via Hhctrl.ocx id: f10ed525-97fe-4fed-be7c-2feecca941b1 -status: experimental +status: test description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary references: - https://persistence-info.github.io/Data/hhctrl.html diff --git a/rules/windows/registry/registry_set/registry_set_hide_file.yml b/rules/windows/registry/registry_set/registry_set_hide_file.yml index f0ef3461329..6d2ceb0c306 100644 --- a/rules/windows/registry/registry_set/registry_set_hide_file.yml 
+++ b/rules/windows/registry/registry_set/registry_set_hide_file.yml @@ -1,6 +1,6 @@ title: Modification of Explorer Hidden Keys id: 5a5152f1-463f-436b-b2f5-8eceb3964b42 -status: experimental +status: test description: Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry diff --git a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml index b86d129786b..76c1c3232b6 100644 --- a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml @@ -5,7 +5,7 @@ related: type: similar - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec type: similar -status: experimental +status: test description: | Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique) diff --git a/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml index 19d7840bd8a..fcb619000b7 100644 --- a/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml +++ b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml 
@@ -3,7 +3,7 @@ id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 related: - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0 type: similar -status: experimental +status: test description: | Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. references: diff --git a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml index c79aa73e298..e0297e85699 100644 --- a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml +++ b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml @@ -1,6 +1,6 @@ title: New Root or CA or AuthRoot Certificate to Store id: d223b46b-5621-4037-88fe-fda32eead684 -status: experimental +status: test description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store diff --git a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml index 0f6af474145..219d8230b36 100644 --- a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml +++ b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml 
@@ -1,6 +1,6 @@ title: Internet Explorer DisableFirstRunCustomize Enabled id: ab567429-1dfb-4674-b6d2-979fd2f9d125 -status: experimental +status: test description: | Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows. references: diff --git a/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml index 2ab2dd1b5bd..9a8cb300b5a 100644 --- a/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml +++ b/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml @@ -1,6 +1,6 @@ title: Potential Ransomware Activity Using LegalNotice Message id: 8b9606c9-28be-4a38-b146-0e313cc232c1 -status: experimental +status: test description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md diff --git a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml index acefd0a6b0f..a00b28cab11 100644 --- a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml +++ b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml 
@@ -1,6 +1,6 @@ title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d -status: experimental +status: test description: | Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json diff --git a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml index 098e845b946..9ad57ea1823 100644 --- a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml +++ b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml @@ -3,7 +3,7 @@ id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 related: - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation type: similar -status: experimental +status: test description: | Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml index a6f8760091e..5ec29f14783 100644 --- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml +++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml 
@@ -1,6 +1,6 @@ title: Lsass Full Dump Request Via DumpType Registry Settings id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719 -status: experimental +status: test description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS. references: - https://github.com/deepinstinct/Lsass-Shtinkering diff --git a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml index 0a0a23d9193..c3dbad96fdf 100644 --- a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml +++ b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml @@ -3,7 +3,7 @@ id: 42f0e038-767e-4b85-9d96-2c6335bad0b5 related: - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 type: derived -status: experimental +status: test description: Detects javaw.exe in AppData folder as used by Adwind / JRAT references: - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 diff --git a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml index e3942261aa6..2f8b0c8af9f 100644 --- a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml +++ b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml @@ -3,7 +3,7 @@ id: 92b0b372-a939-44ed-a11b-5136cf680e27 related: - id: c3198a27-23a0-4c2c-af19-e5328d49680e type: derived -status: experimental +status: test description: Attempts to detect system changes made by Blue Mockingbird references: - https://redcanary.com/blog/blue-mockingbird-cryptominer/ diff --git a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml index 42e6ac51d49..bf347afaf4f 100644 
--- a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml +++ b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml @@ -1,6 +1,6 @@ title: NET NGenAssemblyUsageLog Registry Key Tamper id: 28036918-04d3-423d-91c0-55ecf99fb892 -status: experimental +status: test description: | Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml index 2e1fb51b396..0da51be40c5 100644 --- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml +++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml @@ -3,7 +3,7 @@ id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 related: - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 type: similar -status: experimental +status: test description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it references: - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml index e17cb3267df..5194a35d429 100644 --- a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml +++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml 
@@ -1,6 +1,6 @@ title: New ODBC Driver Registered id: 3390fbef-c98d-4bdd-a863-d65ed7c610dd -status: experimental +status: test description: Detects the registration of a new ODBC driver. references: - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml index 4de12f53003..b40cb96248e 100644 --- a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml +++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious ODBC Driver Registered id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4 -status: experimental +status: test description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location references: - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml index e0ebb00103c..919485c555e 100644 --- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml +++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting id: 396ae3eb-4174-4b9b-880e-dc0364d78a19 -status: experimental +status: test description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53 
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml index e41e49e1fd9..cba1062f071 100644 --- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml +++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml @@ -5,7 +5,7 @@ related: type: similar - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation type: similar -status: experimental +status: test description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros references: - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048 diff --git a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml index e6f2dd451fe..ebcc2a7cb68 100644 --- a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml +++ b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml @@ -3,7 +3,7 @@ id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd related: - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2 type: derived -status: experimental +status: test description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location references: - https://twitter.com/inversecos/status/1494174785621819397 diff --git a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml index 917eaffdd61..c0f7b532125 100644 
--- a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml +++ b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml @@ -3,7 +3,7 @@ id: f742bde7-9528-42e5-bd82-84f51a8387d2 related: - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac type: derived -status: experimental +status: test description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions. references: - Internal Research diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml index b6ffaa73218..311b5a788c2 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via App Paths Default Property id: 707e097c-e20f-4f67-8807-1f72ff4500d6 -status: experimental +status: test description: | Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. diff --git a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml index cb5a0260a99..4c7af534f55 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Using DebugPath id: df4dc653-1029-47ba-8231-3c44238cc0ae -status: experimental +status: test description: Detects potential persistence using Appx DebugPath references: - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml index 6489943cd2b..9403fb0c822 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via AutodialDLL id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3 -status: experimental +status: test description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library references: - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_chm.yml b/rules/windows/registry/registry_set/registry_set_persistence_chm.yml index 7bb5afdb685..63480e3104f 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_chm.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_chm.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via CHM Helper DLL id: 976dd1f2-a484-45ec-aa1d-0e87e882262b -status: experimental +status: test description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence references: - https://persistence-info.github.io/Data/htmlhelpauthor.html diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml index b1b6c4c57c3..91f333fefdf 100644 
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via COM Hijacking From Suspicious Locations id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77 -status: experimental +status: test description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unsuale location references: - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) diff --git a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml index b1561e6ac9e..078b977cbf8 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml @@ -1,6 +1,6 @@ title: Potential PSFactoryBuffer COM Hijacking id: 243380fa-11eb-4141-af92-e14925e77c1b -status: experimental +status: test description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL. references: - https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine diff --git a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml index 5090b01265d..5cd432a87bd 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via Custom Protocol Handler id: fdbf0b9d-0182-4c43-893b-a1eaab92d085 -status: experimental +status: test description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism. references: - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml index 20a89a75d6d..70108639d40 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml @@ -1,6 +1,6 @@ title: Modification of IE Registry Settings id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 -status: experimental +status: test description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml index 68943d718db..eeb47876fe9 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml 
@@ -1,6 +1,6 @@ title: Register New IFiltre For Persistence id: b23818c7-e575-4d13-8012-332075ec0a2b -status: experimental +status: test description: Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files references: - https://persistence-info.github.io/Data/ifilters.html diff --git a/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml b/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml index 1c7656f5225..26c034ce8ae 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via LSA Extensions id: 41f6531d-af6e-4c6e-918f-b946f2b85a36 -status: experimental +status: test description: | Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading. diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml b/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml index 801240e4dbd..7155db954e0 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via Mpnotify id: 92772523-d9c1-4c93-9547-b0ca500baba3 -status: experimental +status: test description: Detects when an attacker register a new SIP provider for persistence and defense evasion references: - https://persistence-info.github.io/Data/mpnotify.html diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml index 7ff324935ff..5d3dc1602f7 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via MyComputer Registry Keys id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06 -status: experimental +status: test description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example) references: - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml b/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml index bd6dd1aad79..55b80796bd6 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via DLLPathOverride id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8 -status: experimental +status: test description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process references: - https://persistence-info.github.io/Data/naturallanguage6.html 
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml index 94dc3ffc2cc..f6a5ec1fce0 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Visual Studio Tools for Office id: 9d15044a-7cfe-4d23-8085-6ebc11df7685 -status: experimental +status: test description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications. references: - https://twitter.com/_vivami/status/1347925307643355138 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml index 60812a0d404..c98cf92c712 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Outlook Home Page id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76 -status: experimental +status: test description: Detects potential persistence activity via outlook home pages. references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml index af9b7f01a79..66ebe5debc2 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via Outlook Today Pages id: 487bb375-12ef-41f6-baae-c6a1572b4dd1 -status: experimental +status: test description: Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl". references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml index 791736e4365..0be6813dbf2 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml @@ -3,7 +3,7 @@ id: 0cf2e1c6-8d10-4273-8059-738778f981ad related: - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd type: derived -status: experimental +status: test description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence. references: - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html diff --git a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml index 5ed42f59429..013622adfde 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Scrobj.dll COM Hijacking id: fe20dda1-6f37-4379-bbe0-a98d400cae90 -status: experimental +status: test description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md 
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index f33bacadc52..9f0efd19884 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via COM Search Order Hijacking id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12 -status: experimental +status: test description: Detects potential COM object hijacking leveraging the COM Search Order references: - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml index 2fa819da2bf..a533eeae8b6 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Shim Database Modification id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45 -status: experimental +status: test description: | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml index 3c20f92fcc0..3258fc3d023 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml 
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml @@ -1,6 +1,6 @@ title: Suspicious Shim Database Patching Activity id: bf344fea-d947-4ef4-9192-34d008315d3a -status: experimental +status: test description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence. references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml index bf0b8d6223a..e5ee4a4eeeb 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Shim Database In Uncommon Location id: 6b6976a3-b0e6-4723-ac24-ae38a737af41 -status: experimental +status: test description: Detects the installation of a new shim database where the file is located in a non-default location references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html diff --git a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml index f7f261339ac..dc1f06d839f 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via TypedPaths id: 086ae989-9ca6-4fe7-895a-759c5544f247 -status: experimental +status: test description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt references: - https://twitter.com/dez_/status/1560101453150257154 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_xll.yml b/rules/windows/registry/registry_set/registry_set_persistence_xll.yml index 0b65397e85f..d83a980835e 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_xll.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_xll.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Excel Add-in - Registry id: 961e33d1-4f86-4fcf-80ab-930a708b2f82 -status: experimental +status: test description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started. references: - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md diff --git a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml index e387869c616..12a299fc4f1 100644 --- a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml 
@@ -1,6 +1,6 @@ title: Potential Attachment Manager Settings Associations Tamper id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47 -status: experimental +status: test description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information) references: - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 diff --git a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml index dec092f2ff6..9df32c117f1 100644 --- a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml @@ -1,6 +1,6 @@ title: Potential Attachment Manager Settings Attachments Tamper id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a -status: experimental +status: test description: Detects tampering with attachment manager settings policies attachments (See reference for more information) references: - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 diff --git a/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml index 3a1e71bd1c1..43d0eebee43 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml 
@@ -3,7 +3,7 @@ id: 8218c875-90b9-42e2-b60d-0b0069816d10 related: - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 type: derived -status: experimental +status: test description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed. references: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml index c9d0d63cf62..87a58d8a235 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml @@ -7,7 +7,7 @@ related: type: similar - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock type: similar -status: experimental +status: test description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml index e6d5968f2bb..6ed5827916f 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml @@ -1,6 +1,6 @@ title: Suspicious Powershell In Registry Run Keys id: 8d85cf08-bf97-4260-ba49-986a2a65129c -status: experimental +status: test description: Detects potential PowerShell commands or code within registry run keys references: - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry 
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml index 1fefb76a094..ebab3cb5a81 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml @@ -1,6 +1,6 @@ title: PowerShell Logging Disabled Via Registry Key Tampering id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7 -status: experimental +status: test description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled diff --git a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml index 66585215a48..c59e88c8844 100644 --- a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml +++ b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml @@ -7,7 +7,7 @@ related: type: similar - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry type: similar -status: experimental +status: test description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ diff --git a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml index 45d1f547fe9..7ab2871c752 100644 --- a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml 
+++ b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml @@ -5,7 +5,7 @@ related: type: derived - id: f50f3c09-557d-492d-81db-9064a8d4e211 type: similar -status: experimental +status: test description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution references: - Internal Research diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml index 00df857fee5..fa0f016169e 100644 --- a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml @@ -1,6 +1,6 @@ title: ETW Logging Disabled For rpcrt4.dll id: 90f342e1-1aaa-4e43-b092-39fda57ed11e -status: experimental +status: test description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll references: - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml index 5adb113758c..25dc01e4e00 100644 --- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml +++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml @@ -1,6 +1,6 @@ title: ScreenSaver Registry Key Set id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce -status: experimental +status: test description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl references: - https://twitter.com/VakninHai/status/1517027824984547329 diff --git a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml index 4161b1f3cee..865b9396a14 100644 
--- a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml +++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml @@ -1,6 +1,6 @@ title: ServiceDll Hijack id: 612e47e9-8a59-43a6-b404-f48683f45bd6 -status: experimental +status: test description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml index 01d5d45f10a..1b78e5b1d1d 100644 --- a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml @@ -1,6 +1,6 @@ title: ETW Logging Disabled For SCM id: 4f281b83-0200-4b34-bf35-d24687ea57c2 -status: experimental +status: test description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM) references: - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html diff --git a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml index e59f7be598b..1b5539655d7 100644 --- a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml @@ -1,6 +1,6 @@ title: Persistence Via New SIP Provider id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1 -status: experimental +status: test description: Detects when an attacker register a new SIP provider for persistence and defense evasion references: - https://persistence-info.github.io/Data/codesigning.html 
diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml index 10cf2243a3f..da9081de68a 100644 --- a/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml @@ -1,6 +1,6 @@ title: Tamper With Sophos AV Registry Keys id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101 -status: experimental +status: test description: Detects tamper attempts to sophos av functionality via registry key modification references: - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ diff --git a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml index 4e4457dbf90..fe1029069e9 100644 --- a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml +++ b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml @@ -1,6 +1,6 @@ title: Activate Suppression of Windows Security Center Notifications id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63 -status: experimental +status: test description: Detect set Notification_Suppress to 1 to disable the Windows security center notification references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml index aba450b5062..bc9f4cd92ad 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml 
@@ -1,6 +1,6 @@ title: Potential PendingFileRenameOperations Tamper id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a -status: experimental +status: test description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot. references: - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6 diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml index 4dc1a22ba1e..c0963dc6dda 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml @@ -1,6 +1,6 @@ title: New RUN Key Pointing to Suspicious Folder id: 02ee49e2-e294-4d0f-9278-f5b3212fc588 -status: experimental +status: test description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder references: - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html diff --git a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml index bba7d81c43e..e5bf14bd728 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml @@ -1,6 +1,6 @@ title: Modify User Shell Folders Startup Value id: 9c226817-8dc9-46c2-a58d-66655aafd7dc -status: experimental +status: test description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup references: - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md 
diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index e2587359281..9a0e400605c 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml @@ -1,6 +1,6 @@ title: Scheduled TaskCache Change by Uncommon Program id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d -status: experimental +status: test description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ diff --git a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml index c27f8459f77..1a6ab8b724a 100644 --- a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml +++ b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml @@ -1,6 +1,6 @@ title: Set TimeProviders DllName id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85 -status: experimental +status: test description: | Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. diff --git a/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml index 6a02c0cc6db..a558027d01d 100644 --- a/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml +++ b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml 
@@ -1,6 +1,6 @@ title: Old TLS1.0/TLS1.1 Protocol Version Enabled id: 439957a7-ad86-4a8f-9705-a28131c6821b -status: experimental +status: test description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key. references: - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947 diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml index c8bef6af7f9..6cbb89226a4 100644 --- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml @@ -1,6 +1,6 @@ title: COM Hijacking via TreatAs id: dc5c24af-6995-49b2-86eb-a9ff62199e82 -status: experimental +status: test description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md diff --git a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml index 51170b1e55f..a02443607a7 100644 --- a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml +++ b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml @@ -3,7 +3,7 @@ id: b110ebaf-697f-4da1-afd5-b536fa27a2c1 related: - id: a383dec4-deec-4e6e-913b-ed9249670848 type: similar -status: experimental +status: test description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages. references: - https://twitter.com/malmoeb/status/1560536653709598721 
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml index 9d96673befa..e57b719f791 100755 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml @@ -1,6 +1,6 @@ title: UAC Bypass via Event Viewer id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 -status: experimental +status: test description: Detects UAC bypass method using Windows event viewer references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml index 42b8644aa8c..f7bdc8b8567 100755 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml @@ -1,6 +1,6 @@ title: UAC Bypass via Sdclt id: 5b872a46-3b90-45c1-8419-f675db8053aa -status: experimental +status: test description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53) references: - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml index 6eff31daaae..7d69e14ef76 100644 --- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml +++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml 
@@ -1,6 +1,6 @@ title: VBScript Payload Stored in Registry id: 46490193-1b22-4c29-bdd6-5bf63907216f -status: experimental +status: test description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml index 87a4f610455..2e3a19dd0dd 100644 --- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml @@ -5,7 +5,7 @@ related: type: obsoletes - id: fd115e64-97c7-491f-951c-fc8da7e042fa type: obsoletes -status: experimental +status: test description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ diff --git a/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml b/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml index 019119e66c2..22d667fe9ef 100644 --- a/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml +++ b/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml @@ -1,6 +1,6 @@ title: Winget Admin Settings Modification id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236 -status: experimental +status: test description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks references: - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget 
diff --git a/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml b/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml index abcaff4779a..56aedbcd7d2 100644 --- a/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml +++ b/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml @@ -1,6 +1,6 @@ title: Enable Local Manifest Installation With Winget id: fa277e82-9b78-42dd-b05c-05555c7b6015 -status: experimental +status: test description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests. references: - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml index 236a8bab761..2434a5aa43c 100644 --- a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml +++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml @@ -1,6 +1,6 @@ title: Winlogon AllowMultipleTSSessions Enable id: f7997770-92c3-4ec9-b112-774c4ef96f96 -status: experimental +status: test description: | Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. diff --git a/rules/windows/sysmon/sysmon_file_block_executable.yml b/rules/windows/sysmon/sysmon_file_block_executable.yml index 2dd947a46e4..0768df81a14 100644 --- a/rules/windows/sysmon/sysmon_file_block_executable.yml +++ b/rules/windows/sysmon/sysmon_file_block_executable.yml 
@@ -1,6 +1,6 @@ title: Sysmon Blocked Executable id: 23b71bc5-953e-4971-be4c-c896cda73fc2 -status: experimental +status: test description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy references: - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e diff --git a/rules/windows/sysmon/sysmon_file_block_shredding.yml b/rules/windows/sysmon/sysmon_file_block_shredding.yml index 36353c30790..65d8823c85f 100644 --- a/rules/windows/sysmon/sysmon_file_block_shredding.yml +++ b/rules/windows/sysmon/sysmon_file_block_shredding.yml @@ -1,6 +1,6 @@ title: Sysmon Blocked File Shredding id: c3e5c1b1-45e9-4632-b242-27939c170239 -status: experimental +status: test description: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy. references: - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon diff --git a/rules/windows/sysmon/sysmon_file_executable_detected.yml b/rules/windows/sysmon/sysmon_file_executable_detected.yml index 37eeae7e857..3d42f54130d 100644 --- a/rules/windows/sysmon/sysmon_file_executable_detected.yml +++ b/rules/windows/sysmon/sysmon_file_executable_detected.yml @@ -1,6 +1,6 @@ title: Sysmon File Executable Creation Detected id: 693a44e9-7f26-4cb6-b787-214867672d3a -status: experimental +status: test description: Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created. references: - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index 335ef9b8fb2..23dfd17be25 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml 
@@ -1,6 +1,6 @@ title: Suspicious Scripting in a WMI Consumer id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0 -status: experimental +status: test description: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers references: - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
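Review bot: the description in the registry_set_susp_pendingfilerenameoperations.yml hunk still carries the typo "suspicious images lcoations"; since this change promotes the rule to `status: test`, fix the wording in the same commit, e.g. `description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename after reboot.`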
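Review bot: the description in the registry_set_turn_on_dev_features.yml hunk is not a grammatical sentence ("Detects when the enablement of developer features such as ... Which allows the user to install untrusted packages."); before promoting to `test`, rewrite it as `description: Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allows the user to install untrusted packages.`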
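Review bot: subject/verb agreement in the registry_set_sip_persistence.yml hunk, "Detects when an attacker register a new SIP provider"; change to `registers` while the file is being touched for the status bump.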
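Review bot: the description in the registry_set_powershell_logging_disabled.yml hunk is split into a sentence fragment ("Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, ..."); join the two parts so the intent is clear, e.g. `description: Detects registry changes for the currently logged-in user that disable PowerShell module logging, script block logging, transcription or script execution logging.`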
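Review bot: the description in the registry_set_timeproviders_dllname.yml hunk reads "setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\..."; drop the stray "in" so it reads `Detects processes setting a new DLL in DllName under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.`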
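Review bot: the descriptions in the registry_set_sophos_av_tamper.yml and registry_set_suppress_defender_notifications.yml hunks are awkward ("Detects tamper attempts to sophos av functionality", "Detect set Notification_Suppress to 1 to disable ..."); as these rules move to `test`, tidy them to `Detects tampering attempts with Sophos AV functionality via registry key modification` and `Detects the "Notification_Suppress" value being set to 1 to disable Windows Security Center notifications`, and write the product name as Sophos AV.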