diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml index e1518fc5596..5a93cde8583 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml @@ -1,6 +1,6 @@ title: Suspicious Word Cab File Write CVE-2021-40444 id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5 -status: experimental +status: test description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444 references: - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 diff --git a/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml index 14b69260cf7..5f241efdc07 100644 --- a/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml @@ -1,6 +1,6 @@ title: CVE-2021-31979 CVE-2021-33771 Exploits id: 32b5db62-cb5f-4266-9639-0fa48376ac00 -status: experimental +status: test description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml index c64f8175cb9..63368bd53f0 100644 
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml +++ b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml @@ -1,6 +1,6 @@ title: Potential Devil Bait Related Indicator id: 93d5f1b4-36df-45ed-8680-f66f242b8415 -status: experimental +status: test description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml index bbfa00cca78..36048b04297 100644 --- a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml +++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml @@ -3,7 +3,7 @@ id: e8954be4-b2b8-4961-be18-da1a5bda709c related: - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 type: derived -status: experimental +status: test description: Detects specific process behavior observed with Devil Bait samples references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml index fcffda7b351..a741e1530cf 100644 --- a/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml +++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml 
@@ -1,6 +1,6 @@ title: Devil Bait Potential C2 Communication Traffic id: 514c50c9-373a-46e5-9012-f0327c526c8f -status: experimental +status: test description: Detects potential C2 communication related to Devil Bait malware references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml index a43f7f96ad6..a011d515529 100644 --- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml +++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml @@ -1,6 +1,6 @@ title: Goofy Guineapig Backdoor IOC id: f0bafe60-1240-4798-9e60-4364b97e6bad -status: experimental +status: test description: Detects malicious indicators seen used by the Goofy Guineapig malware references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml index d97e464f7bd..1b60f29cf72 100644 --- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml +++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml 
@@ -1,6 +1,6 @@ title: Potential Goofy Guineapig Backdoor Activity id: 477a5ed3-a374-4282-9f3b-ed94e159a108 -status: experimental +status: test description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml index c5611d4b504..b01465ca713 100644 --- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml +++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml @@ -1,6 +1,6 @@ title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc -status: experimental +status: test description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml index 0a30cb20471..56a12c8c75b 100644 --- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml +++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml 
@@ -1,6 +1,6 @@ title: Goofy Guineapig Backdoor Potential C2 Communication id: 4f573bb6-701a-4b8d-91db-87ae106e9a61 -status: experimental +status: test description: Detects potential C2 communication related to Goofy Guineapig backdoor references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml index f33537d0812..a4f6d9eef59 100644 --- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml +++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml @@ -1,6 +1,6 @@ title: Goofy Guineapig Backdoor Service Creation id: 8c15dd74-9570-4f48-80b2-29996fd91ee6 -status: experimental +status: test description: Detects service creation persistence used by the Goofy Guineapig backdoor references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml index b449d2d952c..69b13e62a02 100644 --- a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml +++ b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml 
@@ -1,6 +1,6 @@ title: Small Sieve Malware File Indicator Creation id: 39466c42-c189-476a-989f-8cdb135c163a -status: experimental +status: test description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml index d2bb906ac78..45e49e8d3ed 100644 --- a/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml +++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml @@ -1,6 +1,6 @@ title: Small Sieve Malware Potential C2 Communication id: b0422664-37a4-4e78-949a-4a139309eaf0 -status: experimental +status: test description: Detects potential C2 communication related to Small Sieve malware references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml index ccc1a92352d..43c0d8a9f61 100644 --- a/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml +++ b/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml 
@@ -1,6 +1,6 @@ title: Small Sieve Malware Registry Persistence id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1 -status: experimental +status: test description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml index 879387907c9..30168bc4ff5 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-21554 QueueJumper Exploitation id: 53207cc2-0745-4c19-bc72-80be1cc16b3f -status: experimental +status: test description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper) references: - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/ diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml index 0b02f74d85f..efd7cf86a46 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml 
@@ -1,6 +1,6 @@ title: Suspicious Sysmon as Execution Parent id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3 -status: experimental +status: test description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120) references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120 diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml index 37f152df342..b4d98bc9e8b 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml @@ -1,6 +1,6 @@ title: Exploitation Indicator Of CVE-2022-42475 id: 293ccb8c-bed8-4868-8296-bef30e303b7e -status: experimental +status: test description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd. references: - https://www.fortiguard.com/psirt/FG-IR-22-398 diff --git a/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml b/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml index 487eed77406..e4c1f2d2600 100644 --- a/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml +++ b/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml 
@@ -1,6 +1,6 @@ title: BlueSky Ransomware Artefacts id: eee8311f-a752-44f0-bf2f-6b007db16300 -status: experimental +status: test description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt. references: - https://unit42.paloaltonetworks.com/bluesky-ransomware/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml index 751e476b51d..e5b801bc986 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml @@ -1,6 +1,6 @@ title: Exploitation Indicators Of CVE-2023-20198 id: 2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b -status: experimental +status: test description: Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI. references: - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml index 244cb6ae49f..0e16b9994e3 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml 
@@ -3,7 +3,7 @@ id: f8987c03-4290-4c96-870f-55e75ee377f4 related: - id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db type: similar -status: experimental +status: test description: | Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml index 0177ca6d902..144556d2ade 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml @@ -3,7 +3,7 @@ id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db related: - id: f8987c03-4290-4c96-870f-55e75ee377f4 type: similar -status: experimental +status: test description: | Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml index 7abb0ab2c76..53ded5e8d99 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml 
@@ -3,7 +3,7 @@ id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6 related: - id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c type: similar -status: experimental +status: test description: | Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml index 431dcd2e524..6d19975a682 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml @@ -3,7 +3,7 @@ id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c related: - id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6 type: similar -status: experimental +status: test description: | Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml index 634bb0c9fc1..cc8c4871a88 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-2283 Exploitation id: 8b244735-5833-4517-a45b-28d8c63924c0 -status: experimental +status: test description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation. references: - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml index 042932982e6..0fa291b5da9 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml @@ -1,6 +1,6 @@ title: Outlook Task/Note Reminder Received id: fc06e655-d98c-412f-ac76-05c2698b1cb2 -status: experimental +status: test description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation. references: - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml index f22ec5abff6..f925b9797df 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml 
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-25157 Exploitation Attempt id: c0341543-5ed0-4475-aabc-7eea8c52aa66 -status: experimental +status: test description: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer references: - https://github.com/win3zz/CVE-2023-25157 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml index 9b36d3f1c1b..511b3e0cdbf 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-25717 Exploitation Attempt id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe -status: experimental +status: test description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin references: - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml index 730fecf86da..bf8862a9483 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84 -status: experimental +status: test description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation. references: - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml index f542f55bdf8..2aea39b1520 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-27997 Exploitation Indicators id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550 -status: experimental +status: test description: | Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml index 0ce87ec1107..d4a4760be1d 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml 
@@ -1,6 +1,6 @@ title: Potential MOVEit Transfer CVE-2023-34362 Exploitation id: c3b2a774-3152-4989-83c1-7afc48fd1599 -status: experimental +status: test description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362. references: - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml index 6032d2de3f1..b445db95cee 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml @@ -1,6 +1,6 @@ title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request id: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b -status: experimental +status: test description: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362 references: - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml index a4c2d5a6ac2..f965e14bb59 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location id: 92389a99-5215-43b0-a09f-e334453b2ed3 -status: experimental +status: test description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874. references: - https://github.com/Wh04m1001/CVE-2023-36874 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml index 74a0f7cc8d4..7af974357b3 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation id: ad0960eb-0015-4d16-be13-b3d9f18f1342 -status: experimental +status: test description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874. references: - https://github.com/Wh04m1001/CVE-2023-36874 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml index 1daaf827a1f..f1715309151 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution id: 50dbc08b-60ce-40f1-a6b6-346497e34c88 -status: experimental +status: test description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874 references: - https://github.com/Wh04m1001/CVE-2023-36874 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml index 0bbdda52467..34a52fafcb9 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-36884 Exploitation Dropped File id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38 -status: experimental +status: test description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml index 4987cd723c8..50d2ed37735 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-36884 Exploitation Pattern id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc -status: experimental +status: test description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml index 660ae5e9b25..302f27643e6 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml @@ -1,6 +1,6 @@ title: Potential CVE-2303-36884 URL Request Pattern Traffic id: d9365e39-febd-4a4b-8441-3ca91bb9d333 -status: experimental +status: test description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml index 97ff7e6efb8..17582b026ad 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-36884 Exploitation - File Downloads id: 6af1617f-c179-47e3-bd66-b28034a1052d -status: experimental +status: test description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml index 3d705dff8ba..a0423c78b6e 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-36884 Exploitation - URL Marker id: e59f71ff-c042-4f7a-8a82-8f53beea817e -status: experimental +status: test description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml index 98359f4d7c8..ba5cc73c9c1 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml 
@@ -1,6 +1,6 @@ title: Potential CVE-2023-36884 Exploitation - Share Access id: 3df95076-9e78-4e63-accb-16699c3b74f8 -status: experimental +status: test description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml index ec61e1c75d9..11f214495db 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml @@ -3,7 +3,7 @@ id: e4556676-fc5c-4e95-8c39-5ef27791541f related: - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 type: similar -status: experimental +status: test description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331 references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml index 8a952a8f0d6..2932cb3f568 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml 
@@ -3,7 +3,7 @@ id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 related: - id: e4556676-fc5c-4e95-8c39-5ef27791541f type: similar -status: experimental +status: test description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries. references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml index 7cf5ccc31fb..dc4e8d698c5 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml @@ -1,6 +1,6 @@ title: CVE-2023-40477 Potential Exploitation - .REV File Creation id: c3bd6c55-d495-4c34-918e-e03e8828c074 -status: experimental +status: test description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash. references: - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml index a006293c034..753faf9dd2a 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml 
@@ -1,6 +1,6 @@ title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash id: e5a29b54-6fe7-4258-8a23-82960e31231a -status: experimental +status: test description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477 references: - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/ diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml index cf6ec6475c5..29bf5d9f598 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml @@ -3,7 +3,7 @@ id: f48f5368-355c-4a1b-8bf5-11c13d589eaa related: - id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7 type: similar -status: experimental +status: test description: | Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs. references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml index bf74e77f8d4..19ea8c5aa1a 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml 
@@ -3,7 +3,7 @@ id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7 related: - id: f48f5368-355c-4a1b-8bf5-11c13d589eaa type: similar -status: experimental +status: test description: | Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs. references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml index 91662b74cfc..33b5783dba3 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml @@ -3,7 +3,7 @@ id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5 related: - id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8 type: derived -status: experimental +status: test description: | Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml index d6836d181ff..1b1ca889a85 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml @@ -3,7 +3,7 @@ id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8 related: - id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5 type: derived -status: experimental +status: test description: | Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code references: 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml index 2f0091f14c7..5a720e652bf 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml @@ -3,7 +3,7 @@ id: f195b2ff-e542-41bf-8d91-864fb81e5c20 related: - id: e9928831-ba14-42ea-a4bc-33d352b9929a type: similar -status: experimental +status: test description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP. references: - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml index e839e5e08dd..4f57a633c07 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml @@ -3,7 +3,7 @@ id: e9928831-ba14-42ea-a4bc-33d352b9929a related: - id: f195b2ff-e542-41bf-8d91-864fb81e5c20 type: similar -status: experimental +status: test description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP. references: - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml index d0be325218d..4c1b1f136b5 100644 
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml @@ -7,7 +7,7 @@ related: type: similar - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit type: similar -status: experimental +status: test description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string. references: - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml index 2c5ec469558..4689c434f9b 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml @@ -7,7 +7,7 @@ related: type: similar - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit type: similar -status: experimental +status: test description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs. references: - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml index 9c2798d65ed..b5abc4a117b 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml @@ -7,7 +7,7 @@ related: type: similar - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit type: similar -status: experimental +status: test description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs. references: - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml index 45babdc0274..60354dde877 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml 
@@ -7,7 +7,7 @@ related: type: similar - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit type: similar -status: experimental +status: test description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string. references: - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 diff --git a/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml b/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml index 0c3408e6609..43a2e2704ee 100644 --- a/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml +++ b/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml @@ -1,6 +1,6 @@ title: MSMQ Corrupted Packet Encountered id: ae94b10d-fee9-4767-82bb-439b309d5a27 -status: experimental +status: test description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation references: - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/ diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml index 0684adff58a..41b37aa3756 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml 
@@ -1,6 +1,6 @@ title: Potential COLDSTEEL RAT File Indicators id: c708a93f-46b4-4674-a5b8-54aa6219c5fa -status: experimental +status: test description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml index 095322bc188..f148f5f4254 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml @@ -1,6 +1,6 @@ title: Potential COLDSTEEL Persistence Service DLL Creation id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27 -status: experimental +status: test description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml index c61a57cb931..de1b29d530e 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml 
@@ -1,6 +1,6 @@ title: Potential COLDSTEEL Persistence Service DLL Load id: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5 -status: experimental +status: test description: | Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism references: diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml index 8512127ccb2..ced5e608d53 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml @@ -1,6 +1,6 @@ title: COLDSTEEL RAT Anonymous User Process Execution id: e01b6eb5-1eb4-4465-a165-85d40d874add -status: experimental +status: test description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml index 10f4bba171d..904cd08149e 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml 
@@ -1,6 +1,6 @@ title: COLDSTEEL RAT Cleanup Command Execution id: 88516f06-ebe0-47ad-858e-ae9fd060ddea -status: experimental +status: test description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml index be9c89b69f2..3f68e1c21b0 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml @@ -1,6 +1,6 @@ title: COLDSTEEL RAT Service Persistence Execution id: 9f9cd389-cea0-4142-bf1a-a3fd424abedd -status: experimental +status: test description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml index 06ea51ed82f..3a5ccd60164 100644 --- a/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml +++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml 
@@ -1,6 +1,6 @@ title: Potential COLDSTEEL RAT Windows User Creation id: 95214813-4c7a-4a50-921b-ee5c538e1d16 -status: experimental +status: test description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf diff --git a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml index 47840068341..049d6d2d8c9 100644 --- a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml +++ b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml @@ -1,6 +1,6 @@ title: DarkGate - Autoit3.EXE File Creation By Uncommon Process id: 1a433e1d-03d2-47a6-8063-ece992cf4e73 -status: experimental +status: test description: | Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs diff --git a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml index efe050924bf..1dd908667af 100644 --- a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml +++ b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml 
@@ -1,6 +1,6 @@ title: DarkGate - Autoit3.EXE Execution Parameters id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d -status: experimental +status: test description: | Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate diff --git a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml index 25677494056..5d6a1165422 100644 --- a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml +++ b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml @@ -1,6 +1,6 @@ title: DarkGate - User Created Via Net.EXE id: bf906d7b-7070-4642-8383-e404cf26eba5 -status: experimental +status: test description: Detects creation of local users via the net.exe command with the name of "DarkGate" references: - Internal Research diff --git a/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml index afe5f7d8036..8e62c81b525 100644 --- a/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml +++ b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml 
@@ -1,6 +1,6 @@ title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 id: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5 -status: experimental +status: test description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID references: - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ diff --git a/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml index 947b1c75024..6a67a4199bb 100644 --- a/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml +++ b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml @@ -1,6 +1,6 @@ title: Potential Pikabot C2 Activity id: cae6cee6-0244-44d2-84ed-e65f548eb7dc -status: experimental +status: test description: | Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries. diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml index fec001ba329..4b4db30a084 100644 --- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml +++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml 
@@ -1,6 +1,6 @@ title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE id: e5144106-8198-4f6e-bfc2-0a551cc8dd94 -status: experimental +status: test description: | Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files. diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml index 44d235606c5..b0477bfef0b 100644 --- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml +++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml @@ -1,6 +1,6 @@ title: Potential Pikabot Discovery Activity id: 698d4431-514f-4c82-af4d-cf573872a9f5 -status: experimental +status: test description: | Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute). diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml index 902fdf7ca5b..1795d43951d 100644 --- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml +++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml 
@@ -1,6 +1,6 @@ title: Potential Pikabot Hollowing Activity id: d8937fe7-42d5-4b4d-8178-e089c908f63f -status: experimental +status: test description: | Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml index 9fe2c92419f..b5b48a1f031 100644 --- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml +++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml @@ -1,6 +1,6 @@ title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE id: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf -status: experimental +status: test description: | Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity. references: diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml index ae9419fbd1c..a2108191302 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml 
@@ -1,6 +1,6 @@ title: Qakbot Regsvr32 Calc Pattern id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9 -status: experimental +status: test description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot references: - https://github.com/pr0xylife/Qakbot/ diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml index 91b42fddbef..e5c57fe7b3e 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml @@ -1,6 +1,6 @@ title: Potential Qakbot Rundll32 Execution id: cf879ffb-793a-4753-9a14-bc8f37cc90df -status: experimental +status: test description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml index 964552aa403..24689638426 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml @@ -1,6 +1,6 @@ title: Qakbot Rundll32 Exports Execution id: 339ed3d6-5490-46d0-96a7-8abe33078f58 -status: experimental +status: test description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ 
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml index d545e79e49f..710a5c5b10c 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml @@ -1,6 +1,6 @@ title: Qakbot Rundll32 Fake DLL Extension Execution id: bfd34392-c591-4009-b938-9fd985a28b85 -status: experimental +status: test description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml index 53850ee2529..f5a066ee698 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml @@ -1,6 +1,6 @@ title: Qakbot Uninstaller Execution id: bc309b7a-3c29-4937-a4a3-e232473f9168 -status: experimental +status: test description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet references: - https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources diff --git a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml index 24f24928799..a180ce93495 100644 
--- a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml +++ b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml @@ -1,6 +1,6 @@ title: Rorschach Ransomware Execution Activity id: 0e9e6c63-1350-48c4-9fa1-7ccb235edc68 -status: experimental +status: test description: Detects Rorschach ransomware execution activity references: - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/ diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml index 081111fd9d4..d29e486f37f 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml @@ -1,6 +1,6 @@ title: SNAKE Malware Kernel Driver File Indicator id: d6d9d23f-69c1-41b5-8305-fa8250bd027f -status: experimental +status: test description: Detects SNAKE malware kernel driver file indicator references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml index 3f9600b7ec6..879097f9e42 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml 
@@ -1,6 +1,6 @@ title: SNAKE Malware Installer Name Indicators id: 99eccc2b-7182-442f-8806-b76cc36d866b -status: experimental +status: test description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml index 09c2d1c7204..1c4baed9fa0 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml @@ -1,6 +1,6 @@ title: SNAKE Malware WerFault Persistence File Creation id: 64827580-e4c3-4c64-97eb-c72325d45399 -status: experimental +status: test description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml index 542a864b2bf..1983488b525 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml 
@@ -1,6 +1,6 @@ title: Potential SNAKE Malware Installation CLI Arguments Indicator id: 02cbc035-b390-49fe-a9ff-3bb402c826db -status: experimental +status: test description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml index a4b89dffb0f..0d8c2309408 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml @@ -1,6 +1,6 @@ title: Potential SNAKE Malware Installation Binary Indicator id: d91ff53f-fd0c-419d-a6b8-ae038d5c3733 -status: experimental +status: test description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml index f9a6b6a5806..6041bf8a868 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml 
@@ -1,6 +1,6 @@ title: Potential SNAKE Malware Persistence Service Execution id: f7536642-4a08-4dd9-b6d5-c3286d8975ed -status: experimental +status: test description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA. references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml b/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml index 3b8b9ea18a7..ceb6ccb75d8 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml @@ -1,6 +1,6 @@ title: SNAKE Malware Covert Store Registry Key id: d0fa35db-0e92-400e-aa16-d32ae2521618 -status: experimental +status: test description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml b/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml index ed264fa43c7..6641eb5bcf3 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml 
@@ -1,6 +1,6 @@ title: Potential Encrypted Registry Blob Related To SNAKE Malware id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b -status: experimental +status: test description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml b/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml index 5aa9f3bed0e..c6788a232ba 100644 --- a/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml +++ b/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml @@ -1,6 +1,6 @@ title: SNAKE Malware Service Persistence id: b2e60816-96b2-45bd-ba91-b63578c03ef6 -status: experimental +status: test description: Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml index ea73ef90157..4e915b81f18 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml 
@@ -15,7 +15,7 @@ related: type: similar - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad type: similar -status: experimental +status: test description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml index 6d466fe3e1f..7fa3f5dd9f9 100644 --- a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml +++ b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml @@ -1,6 +1,6 @@ title: DLL Names Used By SVR For GraphicalProton Backdoor id: e64c8ef3-9f98-40c8-b71e-96110991cb4c -status: experimental +status: test description: Hunts known SVR-specific DLL names. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml index 7bc11682ecb..10ae153924e 100644 --- a/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml +++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml @@ -3,7 +3,7 @@ id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 related: - id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142 type: similar -status: experimental +status: test description: Hunts for known SVR-specific scheduled task names author: CISA references: 
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml index 0afd02e2418..a4f6c7d1137 100644 --- a/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml +++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml @@ -3,7 +3,7 @@ id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142 related: - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog type: similar -status: experimental +status: test description: Hunts for known SVR-specific scheduled task names author: CISA references: diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml index dd8eea66367..1ab52caacd4 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml @@ -1,6 +1,6 @@ title: Diamond Sleet APT DNS Communication Indicators id: fba38e0f-4607-4344-bb8f-a4b50cdeef7f -status: experimental +status: test description: Detects DNS queries related to Diamond Sleet APT activity references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml index 6c3bc997cc8..0c6a56ba98a 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml 
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml @@ -1,6 +1,6 @@ title: Diamond Sleet APT File Creation Indicators id: e1212b32-55ff-4dfb-a595-62b572248056 -status: experimental +status: test description: Detects file creation activity that is related to Diamond Sleet APT activity references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml index feed15f302b..60c4cc2e28a 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml @@ -1,6 +1,6 @@ title: Diamond Sleet APT DLL Sideloading Indicators id: d1b65d98-37d7-4ff6-b139-2d87c1af3042 -status: experimental +status: test description: Detects DLL sideloading activity seen used by Diamond Sleet APT references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml index c1bbf8fb41f..e5dc3e15fa2 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml 
@@ -1,6 +1,6 @@ title: Diamond Sleet APT Process Activity Indicators id: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2 -status: experimental +status: test description: Detects process creation activity indicators related to Diamond Sleet APT references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml index 583e61a8a76..f40857af771 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml @@ -1,6 +1,6 @@ title: Diamond Sleet APT Scheduled Task Creation - Registry id: 9f9f92ba-5300-43a4-b435-87d1ee571688 -status: experimental +status: test description: | Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability references: diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml index 7f9df765bd0..2a3ac1d5197 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml @@ -1,6 +1,6 @@ title: Diamond Sleet APT Scheduled Task Creation id: 3b8e5084-4de9-449a-a40d-0e11014f2e2d -status: experimental +status: test description: | Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability references: 
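Review bot: win_security_apt_diamond_sleet_scheduled_task.yml (3b8e5084) describes itself as "Detects registry event related to the creation of a scheduled task", which is the description of the registry_event rule 9f9f92ba in the hunk directly above; the `win_security_` filename marks this one as a Security event log rule, so the description should say that (e.g. "Detects the creation of a scheduled task used by Diamond Sleet APT ... as recorded in the Windows Security event log"). In both rules "Team City" should be "TeamCity", matching the product name in the referenced Microsoft post. Worth fixing in the same commit that promotes both rules to `test`, and since they are the registry and Security-log views of the same indicator, a `related:` entry with `type: similar` between them (as the 3CX and Cozy Bear rules in this patch already do) would help.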
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml index 3850fbec32c..d1df8163926 100644 --- a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml +++ b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml @@ -3,7 +3,7 @@ id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 related: - id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2 type: similar -status: experimental +status: test description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB references: - https://securelist.com/operation-triangulation/109842/ diff --git a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml index 09f41413f47..9279b1cfdef 100644 --- a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml +++ b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml @@ -3,7 +3,7 @@ id: aa03c712-75c6-438b-8d42-de88f2427e09 related: - id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 # DNS C2 type: similar -status: experimental +status: test description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB references: - https://securelist.com/operation-triangulation/109842/ diff --git a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml index a97a378779b..bd534689ce1 100644 
--- a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml +++ b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml @@ -1,6 +1,6 @@ title: Potential APT FIN7 Related PowerShell Script Created id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128 -status: experimental +status: test description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml index 9195364bcc8..7e74903f581 100644 --- a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml +++ b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml @@ -1,6 +1,6 @@ title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e -status: experimental +status: test description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml index 3d2ac26c8d2..f9ab5e98ce3 100644 --- a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml 
@@ -1,6 +1,6 @@ title: Lace Tempest File Indicators id: e94486ea-2650-4548-bf25-88cbd0bb32d7 -status: experimental +status: test description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7 references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml index 7a8a8ddfdc6..b476d95c80e 100644 --- a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml @@ -1,6 +1,6 @@ title: Lace Tempest PowerShell Evidence Eraser id: b377ddab-502d-4519-9e8c-5590033d2d70 -status: experimental +status: test description: | Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team references: diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml index a8cb343ff01..fa98bea1d37 100644 --- a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml @@ -1,6 +1,6 @@ title: Lace Tempest PowerShell Launcher id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651 -status: experimental +status: test description: | Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team references: 
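Review bot: the description of file_event_win_apt_lace_tempest_indicators.yml (e94486ea) still attributes the behaviour to FIN7 ("seen being used often in PowerShell scripts by FIN7"), which is the wording of the FIN7 rule a88d9f45 promoted in the hunk just above; a `test` rule whose description names the wrong actor will mislead whoever triages the hit. Reword it to describe the Lace Tempest indicators the rule actually matches (e.g. "Detects file creation indicators related to Lace Tempest activity as reported by the SysAid team") before or alongside the status change.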
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml index c6e118e5ef8..df8c4e86e16 100644 --- a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml @@ -1,6 +1,6 @@ title: Lace Tempest Cobalt Strike Download id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d -status: experimental +status: test description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml index 911078ce8fb..8537680d651 100644 --- a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml @@ -1,6 +1,6 @@ title: Lace Tempest Malware Loader Execution id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d -status: experimental +status: test description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification diff --git a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml index c9323758cf8..9abe62c85d2 100644 
--- a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml +++ b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml @@ -1,6 +1,6 @@ title: Lazarus APT DLL Sideloading Activity id: 24007168-a26b-4049-90d0-ce138e13a5cf -status: experimental +status: test description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company references: - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ diff --git a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml index 0e86da4b02b..57898277171 100644 --- a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml +++ b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml @@ -1,6 +1,6 @@ title: Potential APT Mustang Panda Activity Against Australian Gov id: 7806bb49-f653-48d3-a915-5115c1a85234 -status: experimental +status: test description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52 references: - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ diff --git a/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml b/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml index b7fa0d1b57e..4195c6156b7 100644 --- a/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml +++ b/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml 
@@ -1,6 +1,6 @@ title: Okta 2023 Breach Indicator Of Compromise id: 00a8e92a-776b-425f-80f2-82d8f8fab2e5 -status: experimental +status: test description: | Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate username used in your environnement. diff --git a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml index 078b4e92ba2..c40f39d2b34 100644 --- a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml +++ b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml @@ -1,6 +1,6 @@ title: Onyx Sleet APT File Creation Indicators id: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b -status: experimental +status: test description: Detects file creation activity that is related to Onyx Sleet APT activity references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml index b1b7387747f..f81dc20a839 100644 --- a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml +++ b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml @@ -1,6 +1,6 @@ title: Peach Sandstorm APT Process Activity Indicators id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614 -status: experimental +status: test description: Detects process creation activity related to Peach Sandstorm APT references: - https://twitter.com/MsftSecIntel/status/1737895710169628824 
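Review bot: okta_apt_suspicious_user_creation.yml has two typos in the description being carried into `test`: "environnement" should be "environment" and "legitimate username used" should be "legitimate usernames used". Fix them in this hunk since the file is already being touched.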
diff --git a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml index 8c1f71408a3..a371241d93f 100644 --- a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml +++ b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml @@ -1,6 +1,6 @@ title: Potential Peach Sandstorm APT C2 Communication Activity id: b8225208-81d0-4715-a822-12bcdd583e0f -status: experimental +status: test description: Detects potential C2 communication activity related to Peach Sandstorm APT references: - https://twitter.com/MsftSecIntel/status/1737895710169628824 diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml index f8e96747daf..d9679eec399 100644 --- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml +++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml @@ -1,6 +1,6 @@ title: UNC4841 - Email Exfiltration File Pattern id: 0785f462-60b0-4031-9ff4-b4f3a0ba589a -status: experimental +status: test description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml index 04d1cd61a95..03a3fc7e7b7 100644 
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml +++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml @@ -1,6 +1,6 @@ title: UNC4841 - Barracuda ESG Exploitation Indicators id: 5627c337-a9b2-407a-a82d-5fd97035ff39 -status: experimental +status: test description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation. references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml index 7079ee0b22c..8d310102575 100644 --- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml +++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml @@ -1,6 +1,6 @@ title: UNC4841 - SSL Certificate Exfiltration Via Openssl id: 60911c07-f989-4362-84af-c609828ef829 -status: experimental +status: test description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command. references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally 
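Review bot: in proc_creation_lnx_apt_unc4841_openssl_connection.yml the description reads "This techniques was used by UNC4841"; it should be "This technique was used by UNC4841". Trivial, but cheap to fix while the status line is being edited.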
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml index 1bf081ed8e0..797ffe90f9a 100644 --- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml +++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml @@ -1,6 +1,6 @@ title: UNC4841 - Download Compressed Files From Temp.sh Using Wget id: 60d050c4-e253-4d9a-b673-5ac100cfddfb -status: experimental +status: test description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation. references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml index 3f5d5e8d82e..d66d14c1ef7 100644 --- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml +++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml 
@@ -1,6 +1,6 @@ title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget id: 23835beb-ec38-4e74-a5d4-b99af6684e91 -status: experimental +status: test description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation. references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml index a9dbb5d263d..26a0081f9f5 100644 --- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml +++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml @@ -1,6 +1,6 @@ title: UNC4841 - Potential SEASPY Execution id: f6a711f3-d032-4f9e-890b-bbe776236c84 -status: experimental +status: test description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor references: - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally diff --git a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml index 744f8f53154..b72e0fdea94 100644 --- a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml +++ b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml 
@@ -1,6 +1,6 @@ title: Potential Zerologon (CVE-2020-1472) Exploitation id: dd7876d8-0f09-11eb-adc1-0242ac120002 -status: experimental +status: test description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472) references: - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 diff --git a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml index 9f11571c9d3..d4fabe7f054 100644 --- a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml +++ b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml @@ -1,6 +1,6 @@ title: Mail Forwarding/Redirecting Activity In O365 id: c726e007-2cd0-4a55-abfb-79730fbedee5 -status: experimental +status: test description: Detects email forwarding or redirecting acitivty in O365 Audit logs. references: - https://redcanary.com/blog/email-forwarding-rules/ diff --git a/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml b/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml index 66a7163e071..8287fbe0353 100644 --- a/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml +++ b/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml @@ -1,6 +1,6 @@ title: Okta Password Health Report Query id: 0d58814b-1660-4d31-8c93-d1086ed24cba -status: experimental +status: test description: | Detects all activities against the endpoint "/reports/password-health/*" which should only be accessed via OKTA Admin Console UI. Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" login and alert on requests without any corresponding admin console login 
diff --git a/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml index be353c24051..24fdd42094d 100644 --- a/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml +++ b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml @@ -1,6 +1,6 @@ title: Firewall Rule Modified In The Windows Firewall Exception List id: 5570c4d9-8fdd-4622-965b-403a5a101aa0 -status: experimental +status: test description: Detects when a rule has been modified in the Windows firewall exception list references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml index 6397395d01a..879bc81193f 100644 --- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml +++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml @@ -1,6 +1,6 @@ title: Access To Sysvol Policies Share By Uncommon Process id: 8344c19f-a023-45ff-ad63-a01c5396aea0 -status: experimental +status: test description: Detects file access requests to the Windows Sysvol Policies Share by uncommon processes references: - https://github.com/vletoux/pingcastle diff --git a/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml b/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml index d20897dc3b5..b2a1b53419f 100644 --- a/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml +++ b/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml 
@@ -3,7 +3,7 @@ id: 7eac0a16-5832-4e81-865f-0268a6d19e4b related: - id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae type: similar -status: experimental +status: test description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. references: - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/ diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml index fe101ae2895..79e5c0ffa2f 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml @@ -1,6 +1,6 @@ title: DMP/HDMP File Creation id: 3a525307-d100-48ae-b3b9-0964699d7f97 -status: experimental +status: test description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. references: - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml index 5b6c2358a20..14cb6421963 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml 
@@ -1,6 +1,6 @@ title: Scheduled Task Created - FileCreation id: a762e74f-4dce-477c-b023-4ed81df600f9 -status: experimental +status: test description: Detects the creation of a scheduled task via file creation. references: - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/ diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml index 7c1c903545e..7e23e961962 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml @@ -1,6 +1,6 @@ title: Creation of an Executable by an Executable id: 297afac9-5d02-4138-8c58-b977bac60556 -status: experimental +status: test description: Detects the creation of an executable by another executable references: - Malware Sandbox diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml index b535650171c..967e8b61604 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml @@ -1,6 +1,6 @@ title: VsCode Code Tunnel Execution File Indicator id: 9661ec9d-4439-4a7a-abed-d9be4ca43b6d -status: experimental +status: test description: | Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel references: diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml index 0d5fe0d9f6b..a5435dd6649 100644 
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml @@ -1,6 +1,6 @@ title: WebDAV Temporary Local File Creation id: 4c55738d-72d8-490e-a2db-7969654e375f -status: experimental +status: test description: Detects the creation of WebDAV temporary files with potentially suspicious extensions references: - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml index 1f663fc292c..4cd0ab46d5c 100644 --- a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml +++ b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml @@ -1,6 +1,6 @@ title: Non-DLL Extension File Renamed With DLL Extension id: bbfd974c-248e-4435-8de6-1e938c79c5c1 -status: experimental +status: test description: | Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions. references: diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml b/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml index f407340e9ab..7bd79d43029 100644 --- a/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml +++ b/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml @@ -1,6 +1,6 @@ title: Amsi.DLL Load By Uncommon Process id: facd1549-e416-48e0-b8c4-41d7215eedc8 -status: experimental +status: test description: Detects loading of Amsi.dll by uncommon processes references: - https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9 
diff --git a/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml b/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml index 1272d93aeb8..aeb45f6b292 100644 --- a/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml +++ b/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml @@ -1,6 +1,6 @@ title: Microsoft Excel Add-In Loaded id: c5f4b5cb-4c25-4249-ba91-aa03626e3185 -status: experimental +status: test description: Detects Microsoft Excel loading an Add-In (.xll) file references: - https://www.mandiant.com/resources/blog/lnk-between-browsers diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml index 6c46d2ac710..ba3fc34acb2 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml @@ -1,6 +1,6 @@ title: Dfsvc.EXE Network Connection To Non-Local IPs id: 3c21219b-49b5-4268-bce6-c914ed50f09c -status: experimental +status: test description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml index f1c77fe1e04..f5be5fad64b 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml 
@@ -1,6 +1,6 @@ title: Dfsvc.EXE Initiated Network Connection Over Uncommon Port id: 4c5fba4a-9ef6-4f16-823d-606246054741 -status: experimental +status: test description: Detects an initiated network connection over uncommon ports from "dfsvc.exe". A utility used to handled ClickOnce applications. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml index 45e54eafc04..3dbaad615b0 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml @@ -1,6 +1,6 @@ title: Network Connection Initiated By PowerShell Process id: 1f21ec3f-810d-4b0e-8045-322202e22b4b -status: experimental +status: test description: | Detects a network connection that was initiated from a PowerShell process. Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. diff --git a/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml index 50b32bc54cb..26f140e6631 100644 --- a/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml +++ b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml 
@@ -1,6 +1,6 @@ title: Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet id: ea207a23-b441-4a17-9f76-ad5be47d51d3 -status: experimental +status: test description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host. references: - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml index 2ef3a4d9bfe..3ee22df0d29 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml @@ -1,6 +1,6 @@ title: Windows Mail App Mailbox Access Via PowerShell Script id: 4e485d01-e18a-43f6-a46b-ef20496fa9d3 -status: experimental +status: test description: Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails. references: - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml index f38fd704ccd..ffb78320303 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml 
@@ -3,7 +3,7 @@ id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae related: - id: 2238d337-42fb-4971-9a68-63570f2aede4 type: similar -status: experimental +status: test description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml index 3369c27b556..e1c0d42dc99 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml @@ -3,7 +3,7 @@ id: 064060aa-09fb-4636-817f-020a32aa7e9e related: - id: 970007b7-ce32-49d0-a4a4-fbef016950bd type: similar -status: experimental +status: test description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml index 279a17a36f0..0c77e186ae1 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml 
@@ -7,7 +7,7 @@ related: type: similar - id: 9f22ccd5-a435-453b-af96-bf99cbb594d4 type: similar -status: experimental +status: test description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml index ad78be0485e..1cda9898eff 100644 --- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml @@ -7,7 +7,7 @@ related: type: similar - id: 19d65a1c-8540-4140-8062-8eb00db0bba5 type: similar -status: experimental +status: test description: Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml index 267ba326d1b..329bc5babde 100644 --- a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml +++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml 
@@ -1,6 +1,6 @@ title: LSASS Access From Program In Potentially Suspicious Folder id: fa34b441-961a-42fa-a100-ecc28c886725 -status: experimental +status: test description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml index 3bd43b9913a..bfcd0d25495 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml @@ -3,7 +3,7 @@ id: acf2807c-805b-4042-aab9-f86b6ba9cb2b related: - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 type: derived -status: experimental +status: test description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. references: - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/ diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml index 4eb3db3c8bd..c9a79e1f3fd 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml 
@@ -1,6 +1,6 @@ title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process id: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c -status: experimental +status: test description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml index 9a57c9125d6..186d9e0e20e 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml @@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml index 6f0b30e3ff8..ad3536933bd 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml 
@@ -1,6 +1,6 @@ title: Potential Password Reconnaissance Via Findstr.EXE id: 1a0f6f16-2099-4753-9a02-43b6ac7a1fa5 -status: experimental +status: test description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages references: - https://steflan-security.com/windows-privilege-escalation-credential-harvesting/ diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml index aa976ace8e6..10168a1f1a3 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml @@ -1,6 +1,6 @@ title: New Self Extracting Package Created Via IExpress.EXE id: c2b478fc-09bf-40b2-8768-ab3ec8d61c9a -status: experimental +status: test description: | Detects the "iexpress.exe" utility creating self-extracting packages. Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files. diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml index 3a74bf6392b..f2d6237491b 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml @@ -3,7 +3,7 @@ id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e related: - id: 12fbff88-16b5-4b42-9754-cd001a789fb3 type: derived -status: experimental +status: test description: | Detects a CodePage modification using the "mode.com" utility. This behavior has been used by threat actors behind Dharma ransomware. 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml index 1ebb8ae2737..3dc27858d88 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml @@ -3,7 +3,7 @@ id: 2238d337-42fb-4971-9a68-63570f2aede4 related: - id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae type: similar -status: experimental +status: test description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments. references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml index 141304cc4dd..b017cdd26fc 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml @@ -1,6 +1,6 @@ title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace id: ad856965-f44d-42a8-945e-bbf7bd03d05a -status: experimental +status: test description: | Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml index 2779d662318..7a9e286e469 100644 
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml @@ -1,6 +1,6 @@ title: Import New Module Via PowerShell CommandLine id: 4ad74d01-f48c-42d0-b88c-b31efa4d2262 -status: experimental +status: test description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3 diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml index 12abe2b93db..4e580f4a071 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml @@ -3,7 +3,7 @@ id: ce2c44b5-a6ac-412a-afba-9e89326fa972 related: - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e type: similar -status: experimental +status: test description: | Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location. When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'. diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml index 556d1bf323b..262e1cd3cd7 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml 
@@ -3,7 +3,7 @@ id: d81a9fc6-55db-4461-b962-0e78fea5b0ad related: - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed rundll32 type: similar -status: experimental +status: test description: | Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path. references: diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml index 1f7e0e41f74..eb3931f8c9d 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml @@ -3,7 +3,7 @@ id: 61065c72-5d7d-44ef-bf41-6a36684b545f related: - id: 178e615d-e666-498b-9630-9ed363038101 type: similar -status: experimental +status: test description: | Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes. references: diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml index b6b6ca91c8a..c8066757871 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml @@ -3,7 +3,7 @@ id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f related: - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf type: derived -status: experimental +status: test description: | Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc. references: 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml index 6a1d451ff79..b4f7c1be372 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml @@ -1,6 +1,6 @@ title: Process Terminated Via Taskkill id: 86085955-ea48-42a2-9dd3-85d4c36b167d -status: experimental +status: test description: | Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server. diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml index ebf0769598d..897802ba0ff 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml @@ -3,7 +3,7 @@ id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e related: - id: 9d5a1274-922a-49d0-87f3-8c653483b909 type: derived -status: experimental +status: test description: | Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, diff --git a/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml index 116f3ab882f..9a73274ebc2 100644 
--- a/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml +++ b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml @@ -1,6 +1,6 @@ title: Scheduled Task Created - Registry id: 93ff0ceb-e0ef-4586-8cd8-a6c277d738e3 -status: experimental +status: test description: Detects the creation of a scheduled task via Registry keys. references: - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/ diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml index 98097b8beb8..aae279cb70e 100644 --- a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml +++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml @@ -3,7 +3,7 @@ id: a0bed973-45fa-4625-adb5-6ecdf9be70ac related: - id: f742bde7-9528-42e5-bd82-84f51a8387d2 type: similar -status: experimental +status: test description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions. references: - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01 diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml index 843ab1db2fa..a27e58865b5 100644 --- a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml +++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml 
@@ -1,6 +1,6 @@ title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace id: 1c2a3268-3881-414a-80af-a5b313b14c0e -status: experimental +status: test description: | Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. diff --git a/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml index e3694277be0..2843e7a6bdc 100644 --- a/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml +++ b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml @@ -1,6 +1,6 @@ title: AWS S3 Bucket Versioning Disable id: a136ac98-b2bc-4189-a14d-f0d0388e57a7 -status: experimental +status: test description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects. references: - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 diff --git a/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml b/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml index 257b7f62661..09eac93acd0 100644 --- a/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml +++ b/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml @@ -1,6 +1,6 @@ title: AWS ECS Task Definition That Queries The Credential Endpoint id: b94bf91e-c2bf-4047-9c43-c6810f43baad -status: experimental +status: test description: | Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges. 
diff --git a/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml b/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml index ae7f84a06a9..9b14c04d348 100644 --- a/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml +++ b/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml @@ -3,7 +3,7 @@ id: f305fd62-beca-47da-ad95-7690a0620084 related: - id: 4723218f-2048-41f6-bcb0-417f2d784f61 type: similar -status: experimental +status: test description: Looks for potential enumeration of AWS buckets via ListBuckets. references: - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml index 6755f3547a7..d21df2190e4 100644 --- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml +++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml @@ -1,6 +1,6 @@ title: AWS IAM S3Browser LoginProfile Creation id: db014773-b1d3-46bd-ba26-133337c0ffee -status: experimental +status: test description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile. references: - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml index 3f38039a203..abb9586eabe 100644 --- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml +++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml 
@@ -1,6 +1,6 @@ title: AWS IAM S3Browser Templated S3 Bucket Policy Creation id: db014773-7375-4f4e-b83b-133337c0ffee -status: experimental +status: test description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "". references: - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml index e4e9323a4d3..1fd5582964c 100644 --- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml +++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml @@ -1,6 +1,6 @@ title: AWS IAM S3Browser User or AccessKey Creation id: db014773-d9d9-4792-91e5-133337c0ffee -status: experimental +status: test description: Detects S3 Browser utility creating IAM User or AccessKey. references: - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor diff --git a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml index b299af75d82..b9963f627b8 100644 --- a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml +++ b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml @@ -1,6 +1,6 @@ title: AWS Identity Center Identity Provider Change id: d3adb3ef-b7e7-4003-9092-1924c797db35 -status: experimental +status: test description: | Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation. diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml index 7e28e03371a..2b0bd1316ee 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml 
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml @@ -1,6 +1,6 @@ title: Anomalous Token id: 6555754e-5e7f-4a67-ad1c-4041c413a007 -status: experimental +status: test description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml index 2ca44a9efd7..f083499b8b1 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml @@ -1,6 +1,6 @@ title: Anomalous User Activity id: 258b6593-215d-4a26-a141-c8e31c1299a6 -status: experimental +status: test description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml index 28dc4530378..b2a370d87c3 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml 
@@ -1,6 +1,6 @@ title: Activity From Anonymous IP Address id: be4d9c86-d702-4030-b52e-c7859110e5e8 -status: experimental +status: test description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml index cecd0cb48aa..5d6097fd6ac 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml @@ -1,6 +1,6 @@ title: Anonymous IP Address id: 53acd925-2003-440d-a1f3-71a5253fe237 -status: experimental +status: test description: Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN. references: - https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0 diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml index 3c5738586d1..493635128a2 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml 
@@ -1,6 +1,6 @@ title: Atypical Travel id: 1a41023f-1e70-4026-921a-4d9341a9038e -status: experimental +status: test description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml index 23899ccdb56..4f9cce10803 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml @@ -1,6 +1,6 @@ title: Impossible Travel id: b2572bf9-e20a-4594-b528-40bde666525a -status: experimental +status: test description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml index 565003619aa..ef61496dbcb 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml 
@@ -1,6 +1,6 @@ title: Suspicious Inbox Forwarding Identity Protection id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d -status: experimental +status: test description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml index 5bc55b6679f..08b7cd01f1e 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml @@ -1,6 +1,6 @@ title: Suspicious Inbox Manipulation Rules id: ceb55fd0-726e-4656-bf4e-b585b7f7d572 -status: experimental +status: test description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml index 17c116f1d9c..2ad40720216 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml 
@@ -1,6 +1,6 @@ title: Azure AD Account Credential Leaked id: 19128e5e-4743-48dc-bd97-52e5775af817 -status: experimental +status: test description: Indicates that the user's valid credentials have been leaked. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml index 11b94259231..7dfa03d55fc 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml @@ -1,6 +1,6 @@ title: Malicious IP Address Sign-In Failure Rate id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd -status: experimental +status: test description: Indicates sign-in from a malicious IP address based on high failure rates. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml index 961202f937c..03752a91cf8 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml 
@@ -1,6 +1,6 @@ title: Malicious IP Address Sign-In Suspicious id: 36440e1c-5c22-467a-889b-593e66498472 -status: experimental +status: test description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml index 7ed25642163..8b2e301b4b0 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml @@ -1,6 +1,6 @@ title: Sign-In From Malware Infected IP id: 821b4dc3-1295-41e7-b157-39ab212dd6bd -status: experimental +status: test description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml index 791d237e8d5..3563ce2b96a 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml 
@@ -1,6 +1,6 @@ title: New Country id: adf9f4d2-559e-4f5c-95be-c28dff0b1476 -status: experimental +status: test description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml index a477ec6c32f..50f1ab346d9 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml @@ -1,6 +1,6 @@ title: Password Spray Activity id: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9 -status: experimental +status: test description: Indicates that a password spray attack has been successfully performed. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml index c2c1dbdb79b..0bc727be8f8 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml @@ -1,6 +1,6 @@ title: Primary Refresh Token Access Attempt id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1 -status: experimental +status: test description: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt 
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml index 1d39a814acb..66ee1881919 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml @@ -1,6 +1,6 @@ title: Suspicious Browser Activity id: 944f6adb-7a99-4c69-80c1-b712579e93e6 -status: experimental +status: test description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml index c094c31382a..c860e3662b9 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml @@ -1,6 +1,6 @@ title: Azure AD Threat Intelligence id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba -status: experimental +status: test description: Indicates user activity that is unusual for the user or consistent with known attack patterns. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml index 38ca23aabd1..3d1a71ead33 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml 
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml @@ -1,6 +1,6 @@ title: SAML Token Issuer Anomaly id: e3393cba-31f0-4207-831e-aef90ab17a8c -status: experimental +status: test description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml index d9dbd1c9c4d..654579875b6 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml @@ -1,6 +1,6 @@ title: Unfamiliar Sign-In Properties id: 128faeef-79dd-44ca-b43c-a9e236a60f49 -status: experimental +status: test description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins. references: - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml index f544b80e639..2bcec687422 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml 
@@ -1,6 +1,6 @@ title: Stale Accounts In A Privileged Role id: e402c26a-267a-45bd-9615-bd9ceda6da85 -status: experimental +status: test description: Identifies when an account hasn't signed in during the past n number of days. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml index 240624f6e85..b0c278eddce 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml @@ -1,6 +1,6 @@ title: Invalid PIM License id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8 -status: experimental +status: test description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml index c36f8d16f0e..fa07f36f4f9 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml 
@@ -1,6 +1,6 @@ title: Roles Assigned Outside PIM id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb -status: experimental +status: test description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml index 279cae7f010..57c61581f4b 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml @@ -1,6 +1,6 @@ title: Roles Activated Too Frequently id: 645fd80d-6c07-435b-9e06-7bc1b5656cba -status: experimental +status: test description: Identifies when the same privilege role has multiple activations by the same user. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml index 3a02084021a..3dda29cdb57 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml 
@@ -1,6 +1,6 @@ title: Roles Activation Doesn't Require MFA id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0 -status: experimental +status: test description: Identifies when a privilege role can be activated without performing mfa. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml index cc1cd00d11d..a01d60c8c3d 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml @@ -1,6 +1,6 @@ title: Roles Are Not Being Used id: 8c6ec464-4ae4-43ac-936a-291da66ed13d -status: experimental +status: test description: Identifies when a user has been assigned a privilege role and are not using that role. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml index dd24c9ab20f..d0c571cf7f0 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml 
@@ -1,6 +1,6 @@ title: Too Many Global Admins id: 7bbc309f-e2b1-4eb1-8369-131a367d67d3 -status: experimental +status: test description: Identifies an event where there are there are too many accounts assigned the Global Administrator role. references: - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators diff --git a/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml b/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml index 02359805cb0..ce50b17a27d 100644 --- a/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml +++ b/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml @@ -1,6 +1,6 @@ title: GCP Access Policy Deleted id: 32438676-1dba-4ac7-bf69-b86cba995e05 -status: experimental +status: test description: | Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource. diff --git a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml index 6b68e791ea2..40bdf031624 100644 --- a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml +++ b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml @@ -1,6 +1,6 @@ title: GCP Break-glass Container Workload Deployed id: 76737c19-66ee-4c07-b65a-a03301d1573d -status: experimental +status: test description: | Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls. references: diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml index 9632a4d0b53..77620be9f8b 100644 --- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml 
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml @@ -1,6 +1,6 @@ title: Google Workspace Application Access Level Modified id: 22f2fb54-5312-435d-852f-7c74f81684ca -status: experimental +status: test description: | Detects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. diff --git a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml index f1516794b19..f2c9c39d29e 100644 --- a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml +++ b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml @@ -1,6 +1,6 @@ title: Disabling Multi Factor Authentication id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876 -status: experimental +status: test description: Detects disabling of Multi Factor Authentication. references: - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/ diff --git a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml index 44c6a49161c..15a46cb76df 100644 --- a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml +++ b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml @@ -3,7 +3,7 @@ id: 58f88172-a73d-442b-94c9-95eaed3cbb36 related: - id: 42127bdd-9133-474f-a6f1-97b6c08a4339 type: similar -status: experimental +status: test description: Detects the addition of a new Federated Domain. references: - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/ diff --git a/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml b/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml index dd6a9957a21..ce45d2a7b5b 100644 --- a/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml +++ b/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml 
@@ -1,6 +1,6 @@ title: Okta Admin Functions Access Through Proxy id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309 -status: experimental +status: test description: Detects access to Okta admin functions through proxy. references: - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach diff --git a/rules/cloud/okta/okta_fastpass_phishing_detection.yml b/rules/cloud/okta/okta_fastpass_phishing_detection.yml index 0149ef7a3e0..1928185e8eb 100644 --- a/rules/cloud/okta/okta_fastpass_phishing_detection.yml +++ b/rules/cloud/okta/okta_fastpass_phishing_detection.yml @@ -1,6 +1,6 @@ title: Okta FastPass Phishing Detection id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e -status: experimental +status: test description: Detects when Okta FastPass prevents a known phishing site. references: - https://sec.okta.com/fastpassphishingdetection diff --git a/rules/cloud/okta/okta_identity_provider_created.yml b/rules/cloud/okta/okta_identity_provider_created.yml index c21a195a5f9..03bb1d9257e 100644 --- a/rules/cloud/okta/okta_identity_provider_created.yml +++ b/rules/cloud/okta/okta_identity_provider_created.yml @@ -1,6 +1,6 @@ title: Okta Identity Provider Created id: 969c7590-8c19-4797-8c1b-23155de6e7ac -status: experimental +status: test description: Detects when a new identity provider is created for Okta. references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/cloud/okta/okta_new_behaviours_admin_console.yml b/rules/cloud/okta/okta_new_behaviours_admin_console.yml index d980057dcad..43629f98e7a 100644 --- a/rules/cloud/okta/okta_new_behaviours_admin_console.yml +++ b/rules/cloud/okta/okta_new_behaviours_admin_console.yml @@ -1,6 +1,6 @@ title: Okta New Admin Console Behaviours id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9 -status: experimental +status: test description: Detects when Okta identifies new activity in the Admin Console. references: - https://developer.okta.com/docs/reference/api/system-log/ 
diff --git a/rules/cloud/okta/okta_password_in_alternateid_field.yml b/rules/cloud/okta/okta_password_in_alternateid_field.yml index 6328e5e3ea4..92ab6986e2b 100644 --- a/rules/cloud/okta/okta_password_in_alternateid_field.yml +++ b/rules/cloud/okta/okta_password_in_alternateid_field.yml @@ -1,6 +1,6 @@ title: Potential Okta Password in AlternateID Field id: 91b76b84-8589-47aa-9605-c837583b82a9 -status: experimental +status: test description: | Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files. diff --git a/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml b/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml index 6db72dea19c..75e09e6a91b 100644 --- a/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml +++ b/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml @@ -1,6 +1,6 @@ title: Okta Suspicious Activity Reported by End-user id: 07e97cc6-aed1-43ae-9081-b3470d2367f1 -status: experimental +status: test description: Detects when an Okta end-user reports activity by their account as being potentially suspicious. references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/cloud/okta/okta_user_created.yml b/rules/cloud/okta/okta_user_created.yml index 7f29524c2f2..de480baf109 100644 --- a/rules/cloud/okta/okta_user_created.yml +++ b/rules/cloud/okta/okta_user_created.yml @@ -1,6 +1,6 @@ title: New Okta User Created id: b6c718dd-8f53-4b9f-98d8-93fdca966969 -status: experimental +status: test description: Detects new user account creation author: Nasreddine Bencherchali (Nextron Systems) date: 2023/10/25 diff --git a/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml b/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml index 8cf095fc7b5..37cb9e1045f 100644 --- a/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml 
+++ b/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml @@ -1,6 +1,6 @@ title: Okta User Session Start Via An Anonymising Proxy Service id: bde30855-5c53-4c18-ae90-1ff79ebc9578 -status: experimental +status: test description: Detects when an Okta user session starts where the user is behind an anonymising proxy service. references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml index 533c0c4eddc..02764040e45 100644 --- a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml +++ b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Shell Script Creation in Profile Folder id: 13f08f54-e705-4498-91fd-cce9d9cee9f1 -status: experimental +status: test description: Detects the creation of shell scripts under the "profile.d" path. references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml index facf55864d2..14d61ef7f1a 100644 --- a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml +++ b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml @@ -1,6 +1,6 @@ title: Wget Creating Files in Tmp Directory id: 35a05c60-9012-49b6-a11f-6bab741c9f74 -status: experimental +status: test description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp" references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml index 02cd87e731c..c3ea5de42ad 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml @@ -1,6 +1,6 @@ title: Linux Base64 Encoded Pipe to Shell id: ba592c6d-6888-43c3-b8c6-689b8fe47337 -status: experimental +status: test description: Detects suspicious process command line that uses base64 encoded input for execution with a shell references: - https://github.com/arget13/DDexec diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml index 15f24392aa3..f92b908ab73 100644 --- a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml +++ b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml @@ -1,6 +1,6 @@ title: Crontab Enumeration id: 403ed92c-b7ec-4edd-9947-5b535ee12d46 -status: experimental +status: test description: Detects usage of crontab to list the tasks of the user references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml index 4d7d8fbbb32..b22cd3d5c94 100644 --- a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml @@ -1,6 +1,6 @@ title: Potential Linux Process Code Injection Via DD Utility id: 4cad6c64-d6df-42d6-8dae-eb78defdc415 -status: experimental +status: test description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command. references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml index 5d1caec2508..c41dc38f2e9 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml @@ -1,6 +1,6 @@ title: ESXi Network Configuration Discovery Via ESXCLI id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174 -status: experimental +status: test description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration. references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml index fbcfc431142..dfc63fc1cf2 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml @@ -1,6 +1,6 @@ title: ESXi Admin Permission Assigned To Account Via ESXCLI id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf -status: experimental +status: test description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account. references: - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml index d2436ef0f11..af6e9829d22 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml 
@@ -1,6 +1,6 @@ title: ESXi Storage Information Discovery Via ESXCLI id: f41dada5-3f56-4232-8503-3fb7f9cf2d60 -status: experimental +status: test description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit. references: - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml index bdbb0d9b491..845319727e7 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml @@ -1,6 +1,6 @@ title: ESXi Syslog Configuration Change Via ESXCLI id: 38eb1dbb-011f-40b1-a126-cf03a0210563 -status: experimental +status: test description: Detects changes to the ESXi syslog configuration via "esxcli" references: - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml index d08272019a8..eee3487fc8b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml @@ -1,6 +1,6 @@ title: ESXi System Information Discovery Via ESXCLI id: e80273e1-9faf-40bc-bd85-dbaff104c4e9 -status: experimental +status: test description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc. references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ 
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml index addf67f9b42..0b5069ed56b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml @@ -1,6 +1,6 @@ title: ESXi Account Creation Via ESXCLI id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db -status: experimental +status: test description: Detects user account creation on ESXi system via esxcli references: - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml index 0bdd6fe880a..b93f97ad0d4 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml @@ -1,6 +1,6 @@ title: ESXi VM List Discovery Via ESXCLI id: 5f1573a7-363b-4114-9208-ad7a61de46eb -status: experimental +status: test description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs. references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml index 5e69c617b26..42df2b18703 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml 
@@ -1,6 +1,6 @@ title: ESXi VM Kill Via ESXCLI id: 2992ac4d-31e9-4325-99f2-b18a73221bb2 -status: experimental +status: test description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM. references: - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml index c7ebfe228a1..2eede884801 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml @@ -1,6 +1,6 @@ title: ESXi VSAN Information Discovery Via ESXCLI id: d54c2f06-aca9-4e2b-81c9-5317858f4b79 -status: experimental +status: test description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide. references: - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html diff --git a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml index 73eaf0076a0..ea1e5b0c9ec 100644 --- a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml @@ -1,6 +1,6 @@ title: OS Architecture Discovery Via Grep id: d27ab432-2199-483f-a297-03633c05bae6 -status: experimental +status: test description: | Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo" references: 
diff --git a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml index 5b618f296a0..eabb5c08beb 100644 --- a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml @@ -1,6 +1,6 @@ title: Potential GobRAT File Discovery Via Grep id: e34cfa0c-0a50-4210-9cb3-5632d08eb041 -status: experimental +status: test description: Detects the use of grep to discover specific files created by the GobRAT malware references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml index d60f1cb6e0c..737e41af771 100644 --- a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml +++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml @@ -1,6 +1,6 @@ title: Named Pipe Created Via Mkfifo id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4 -status: experimental +status: test description: Detects the creation of a new named pipe using the "mkfifo" utility references: - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml index 4f773c3d95f..250cba342db 100644 --- a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml +++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml 
@@ -3,7 +3,7 @@ id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a related: - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4 type: derived -status: experimental +status: test description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location references: - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml index 5359bdca92b..03af205e6fb 100644 --- a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml @@ -3,7 +3,7 @@ id: 457df417-8b9d-4912-85f3-9dbda39c3645 related: - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2 type: derived -status: experimental +status: test description: Detects execution of binaries located in potentially suspicious locations via "nohup" references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml index add5b3a117a..d42e55c0a72 100644 --- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml +++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml @@ -3,7 +3,7 @@ id: c4042d54-110d-45dd-a0e1-05c47822c937 related: - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0 type: similar -status: experimental +status: test description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity references: - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ diff --git a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml index 32e41d206f7..b138ebc9e0f 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml @@ -3,7 +3,7 @@ id: 32e62bc7-3de0-4bb1-90af-532978fe42c0 related: - id: c4042d54-110d-45dd-a0e1-05c47822c937 type: similar -status: experimental +status: test description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml index 86183047beb..b50cf0f0822 100644 --- a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml +++ b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml @@ -1,6 +1,6 @@ title: Potential Linux Amazon SSM Agent Hijacking id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7 -status: experimental +status: test description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. references: - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml index 0a5d36c4f85..fa82f89141f 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml @@ -1,6 +1,6 @@ title: Container Residence Discovery Via Proc Virtual FS id: 746c86fb-ccda-4816-8997-01386263acc4 -status: experimental +status: test description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem references: - https://blog.skyplabs.net/posts/container-detection/ 
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml index 4e882da0b51..13629815405 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml @@ -3,7 +3,7 @@ id: 00b90cc1-17ec-402c-96ad-3a8117d7a582 related: - id: 00bca14a-df4e-4649-9054-3f2aa676bc04 type: derived -status: experimental +status: test description: Detects a suspicious curl process start the adds a file to a web request references: - https://twitter.com/d1r4c/status/1279042657508081664 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml index 22b41e675f7..2e4c41830bc 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml @@ -1,6 +1,6 @@ title: Docker Container Discovery Via Dockerenv Listing id: 11701de9-d5a5-44aa-8238-84252f131895 -status: experimental +status: test description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery references: - https://blog.skyplabs.net/posts/container-detection/ diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml index c0ac903fab8..98d0b807449 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml 
@@ -1,6 +1,6 @@ title: Potentially Suspicious Execution From Tmp Folder id: 312b42b1-bded-4441-8b58-163a3af58775 -status: experimental +status: test description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml index 32f9da31bd3..5779e0cdbff 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml @@ -1,6 +1,6 @@ title: Linux HackTool Execution id: a015e032-146d-4717-8944-7a1884122111 -status: experimental +status: test description: Detects known hacktool execution based on image name. references: - https://github.com/Gui774ume/ebpfkit diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml b/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml index 0b288ba2464..9e052d5454c 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml @@ -1,6 +1,6 @@ title: Potential Container Discovery Via Inodes Listing id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8 -status: experimental +status: test description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container. references: - https://blog.skyplabs.net/posts/container-detection/ diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml index 7d5a91f8663..cf0ec3e1955 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml 
@@ -1,6 +1,6 @@ title: Potential Suspicious Change To Sensitive/Critical Files id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4 -status: experimental +status: test description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system. references: - https://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml index 64236d73d0f..600a994ff1b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml @@ -1,6 +1,6 @@ title: Shell Execution Of Process Located In Tmp Directory id: 2fade0b6-7423-4835-9d4f-335b39b83867 -status: experimental +status: test description: Detects execution of shells from a parent process located in a temporary (/tmp) directory references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml index 71eedc0df00..514239ba619 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml 
@@ -1,6 +1,6 @@ title: Execution Of Script Located In Potentially Suspicious Directory id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7 -status: experimental +status: test description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc. references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml index 87af0ce34f8..1b4668243bd 100644 --- a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml +++ b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml @@ -1,6 +1,6 @@ title: Download File To Potentially Suspicious Directory Via Wget id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4 -status: experimental +status: test description: Detects the use of wget to download content to a suspicious directory references: - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html diff --git a/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml index 6c3ece2e126..85a089c1188 100644 --- a/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml @@ -1,6 +1,6 @@ title: Potential Xterm Reverse Shell id: 4e25af4b-246d-44ea-8563-e42aacab006b -status: experimental +status: test description: Detects usage of "xterm" as a potential reverse shell tunnel references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet diff --git a/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml b/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml index 15570945f0e..fa7511f8692 100644 --- a/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml 
+++ b/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml @@ -1,6 +1,6 @@ title: System Integrity Protection (SIP) Disabled id: 3603f18a-ec15-43a1-9af2-d196c8a7fec6 -status: experimental +status: test description: | Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios. references: diff --git a/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml b/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml index 82dd7b5e87a..0dc0abf1efb 100644 --- a/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml +++ b/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml @@ -1,6 +1,6 @@ title: System Integrity Protection (SIP) Enumeration id: 53821412-17b0-4147-ade0-14faae67d54b -status: experimental +status: test description: | Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios. references: diff --git a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml index cdb55c7d21d..1835065729a 100644 --- a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml +++ b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml @@ -1,6 +1,6 @@ title: User Added To Admin Group Via DseditGroup id: 5d0fdb62-f225-42fb-8402-3dfe64da468a -status: experimental +status: test description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos 
diff --git a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml index f898962cc1d..6329028d797 100644 --- a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml +++ b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml @@ -1,6 +1,6 @@ title: Root Account Enable Via Dsenableroot id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11 -status: experimental +status: test description: Detects attempts to enable the root account via "dsenableroot" references: - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md diff --git a/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml b/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml index 3a042212c04..6f086f1cd48 100644 --- a/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml +++ b/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml @@ -1,6 +1,6 @@ title: System Information Discovery Using Ioreg id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0 -status: experimental +status: test description: | Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. diff --git a/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml b/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml index 98bbae5fd79..9d326c3a9e0 100644 --- a/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml +++ b/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml 
@@ -1,6 +1,6 @@ title: JAMF MDM Potential Suspicious Child Process id: 2316929c-01aa-438c-970f-099145ab1ee6 -status: experimental +status: test description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent. references: - https://github.com/MythicAgents/typhon/ diff --git a/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml b/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml index 8f5b3d13eec..414ef823603 100644 --- a/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml +++ b/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml @@ -1,6 +1,6 @@ title: JAMF MDM Execution id: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49 -status: experimental +status: test description: | Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices. references: diff --git a/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml b/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml index c8c1040f6de..30e7de4628b 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml @@ -1,6 +1,6 @@ title: Potential In-Memory Download And Compile Of Payloads id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef -status: experimental +status: test description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware references: - https://redcanary.com/blog/mac-application-bundles/ 
diff --git a/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml b/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml index 8ff85e62f46..d27e16562b8 100644 --- a/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml +++ b/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml @@ -1,6 +1,6 @@ title: System Information Discovery Using sw_vers id: 5de06a6f-673a-4fc0-8d48-bcfe3837b033 -status: experimental +status: test description: Detects the use of "sw_vers" for system information discovery references: - https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior diff --git a/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml b/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml index ca2c895bd3d..9d77d214ccd 100644 --- a/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml +++ b/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml @@ -1,6 +1,6 @@ title: System Information Discovery Using System_Profiler id: 4809c683-059b-4935-879d-36835986f8cf -status: experimental +status: test description: | Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes. diff --git a/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml b/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml index 2ea720557f9..4aafcf8278d 100644 --- a/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml 
+++ b/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml @@ -1,6 +1,6 @@ title: Potential Base64 Decoded From Images id: 09a910bf-f71f-4737-9c40-88880ba5913d -status: experimental +status: test description: | Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner. references: diff --git a/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml b/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml index ade684022fd..ad71e6aa917 100644 --- a/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml +++ b/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml @@ -3,7 +3,7 @@ id: b59c98c6-95e8-4d65-93ee-f594dfb96b17 related: - id: 85254a62-22be-4239-b79c-2ec17e566c37 type: similar -status: experimental +status: test description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP references: - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash diff --git a/rules/web/proxy_generic/proxy_ua_base64_encoded.yml b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml index 7d90a5ccdde..124a11a1873 100644 --- a/rules/web/proxy_generic/proxy_ua_base64_encoded.yml +++ b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml @@ -3,7 +3,7 @@ id: d443095b-a221-4957-a2c4-cd1756c9b747 related: - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3 type: derived -status: experimental +status: test description: Detects suspicious encoded User-Agent strings, as seen used by some malware. references: - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml index 33ef7967730..8f541a58a25 100644 
--- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml @@ -1,6 +1,6 @@ title: Bitsadmin to Uncommon TLD id: 9eb68894-7476-4cd6-8752-23b51f5883a7 -status: experimental +status: test description: Detects Bitsadmin connections to domains with uncommon TLDs references: - https://twitter.com/jhencinski/status/1102695118455349248 diff --git a/rules/web/proxy_generic/proxy_ua_susp_base64.yml b/rules/web/proxy_generic/proxy_ua_susp_base64.yml index 45adb63eddc..7b26ed5b152 100644 --- a/rules/web/proxy_generic/proxy_ua_susp_base64.yml +++ b/rules/web/proxy_generic/proxy_ua_susp_base64.yml @@ -3,7 +3,7 @@ id: 894a8613-cf12-48b3-8e57-9085f54aa0c3 related: - id: d443095b-a221-4957-a2c4-cd1756c9b747 type: derived -status: experimental +status: test description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding. references: - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html diff --git a/rules/web/proxy_generic/proxy_webdav_search_ms.yml b/rules/web/proxy_generic/proxy_webdav_search_ms.yml index 0588badeceb..a0efc9005f6 100644 --- a/rules/web/proxy_generic/proxy_webdav_search_ms.yml +++ b/rules/web/proxy_generic/proxy_webdav_search_ms.yml @@ -1,6 +1,6 @@ title: Search-ms and WebDAV Suspicious Indicators in URL id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2 -status: experimental +status: test description: Detects URL pattern used by search(-ms)/WebDAV initial access campaigns. references: - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html diff --git a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml index 17e3291c6d0..62fdf3fb62e 100644 --- a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml +++ b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml 
@@ -3,7 +3,7 @@ id: 85254a62-22be-4239-b79c-2ec17e566c37 related: - id: b59c98c6-95e8-4d65-93ee-f594dfb96b17 type: similar -status: experimental +status: test description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP references: - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash diff --git a/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml b/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml index d501b53b020..66006fdf0e3 100644 --- a/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml +++ b/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml @@ -3,7 +3,7 @@ id: 545a5da6-f103-4919-a519-e9aec1026ee4 related: - id: 6c82cf5c-090d-4d57-9188-533577631108 type: similar -status: experimental +status: test description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine references: - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml index 1ec65dee75d..1e72af96575 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml @@ -3,7 +3,7 @@ id: 218d2855-2bba-4f61-9c85-81d0ea63ac71 related: - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d type: similar -status: experimental +status: test description: Detects failed logon attempts from clients to MSSQL server. author: Nasreddine Bencherchali (Nextron Systems), j4son date: 2023/10/11 
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml index 966e3e6957c..132c53f92de 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml @@ -3,7 +3,7 @@ id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d related: - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71 type: similar -status: experimental +status: test description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack. author: j4son date: 2023/10/11 diff --git a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml index 7ff83280ebe..fb34bbcabd4 100644 --- a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml +++ b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml @@ -3,7 +3,7 @@ id: 076ebe48-cc05-4d8f-9d41-89245cd93a14 related: - id: b1f73849-6329-4069-bc8f-78a604bb8b23 type: similar -status: experimental +status: test description: Detects command execution via ScreenConnect RMM references: - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling diff --git a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml index e7d582b5ee3..2f354b9e8e0 100644 --- a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml 
+++ b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml @@ -3,7 +3,7 @@ id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13 related: - id: b1f73849-6329-4069-bc8f-78a604bb8b23 type: similar -status: experimental +status: test description: Detects file being transferred via ScreenConnect RMM references: - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling diff --git a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml index e18c75b2936..2a1822b34c1 100644 --- a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml +++ b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml @@ -1,6 +1,6 @@ title: Microsoft Malware Protection Engine Crash - WER id: 6c82cf5c-090d-4d57-9188-533577631108 -status: experimental +status: test description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine references: - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 diff --git a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml index 3b45dc52304..e7145460a01 100644 --- a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml +++ b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml 
@@ -1,6 +1,6 @@ title: Sysinternals Tools AppX Versions Execution id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc -status: experimental +status: test description: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths references: - Internal Research diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml index 34f841c4008..542cbb5a2e3 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml @@ -1,6 +1,6 @@ title: Suspicious Remote AppX Package Locations id: 8b48ad89-10d8-4382-a546-50588c410f0d -status: experimental +status: test description: Detects an appx package added the pipeline of the "to be processed" packages which is downloaded from a suspicious domain references: - Internal Research diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml index 7291d4f8594..69fb40d1439 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml @@ -1,6 +1,6 @@ title: BITS Transfer Job Download From File Sharing Domains id: d635249d-86b5-4dad-a8c7-d7272b788586 -status: experimental +status: test description: Detects BITS transfer job downloading files from a file sharing domain. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md 
diff --git a/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml b/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml index 2d8eb6b886d..2bb76c3f1f8 100644 --- a/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml +++ b/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml @@ -1,6 +1,6 @@ title: Certificate Private Key Acquired id: e2b5163d-7deb-4566-9af3-40afea6858c3 -status: experimental +status: test description: Detects when an application acquires a certificate private key references: - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html diff --git a/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml b/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml index c221b48978b..72a7cee6090 100644 --- a/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml +++ b/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml @@ -1,6 +1,6 @@ title: Certificate Exported From Local Certificate Store id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017 -status: experimental +status: test description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store. references: - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml index 04bcfc6ac3a..3388e03d551 100644 
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation id: f8931561-97f5-4c46-907f-0a4a592e47a7 -status: experimental +status: test description: | Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation. diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml index a90de90e922..752880df3ff 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked id: 5daf11c3-022b-4969-adb9-365e6c078c7c -status: experimental +status: test description: Detects block events for files that are disallowed by code integrity for protected processes references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml index fef43209e27..48028ce3218 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml 
@@ -1,6 +1,6 @@ title: CodeIntegrity - Blocked Image/Driver Load For Policy Violation id: e4be5675-4a53-426a-8c81-a8bb2387e947 -status: experimental +status: test description: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy. references: - https://twitter.com/wdormann/status/1590434950335320065 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml index 732e52f77ad..78c6a8308d0 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Blocked Driver Load With Revoked Certificate id: 9b72b82d-f1c5-4632-b589-187159bc6ec1 -status: experimental +status: test description: Detects blocked load attempts of revoked drivers references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml index e2e4b123532..77b42a69cd0 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Revoked Kernel Driver Loaded id: 320fccbf-5e32-4101-82b8-2679c5f007c6 -status: experimental +status: test description: Detects the load of a revoked kernel driver references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations 
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml index 6223b7444da..d415b043aab 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Blocked Image Load With Revoked Certificate id: 6f156c48-3894-4952-baf0-16193e9067d2 -status: experimental +status: test description: Detects blocked image load events with revoked certificates by code integrity. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml index f11b2c28af9..3ea655c289e 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Revoked Image Loaded id: 881b7725-47cc-4055-8000-425823344c59 -status: experimental +status: test description: Detects image load events with revoked certificates by code integrity. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml index 31cc5d201d8..e72df24588d 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml 
@@ -1,6 +1,6 @@ title: CodeIntegrity - Unsigned Kernel Module Loaded id: 951f8d29-f2f6-48a7-859f-0673ff105e6f -status: experimental +status: test description: Detects the presence of a loaded unsigned kernel module on the system. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml index b2e318d8973..748cc057eba 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Unsigned Image Loaded id: c92c24e7-f595-493f-9c98-53d5142f5c18 -status: experimental +status: test description: Detects loaded unsigned image on the system references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml index fc5f5fe816f..80b2445fdb1 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml @@ -1,6 +1,6 @@ title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f -status: experimental +status: test description: Detects loaded kernel modules that did not meet the WHQL signing requirements. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations 
diff --git a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml index fc80250ee3b..e5622c0cdf6 100644 --- a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml +++ b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml @@ -3,7 +3,7 @@ id: 090ffaad-c01a-4879-850c-6d57da98452d related: - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b type: similar -status: experimental +status: test description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ diff --git a/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml b/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml index 2d9095f2fd3..6461916383c 100644 --- a/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml +++ b/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml @@ -1,6 +1,6 @@ title: Failed DNS Zone Transfer id: 6d444368-6da1-43fe-b2fc-44202430480e -status: experimental +status: test description: Detects when a DNS zone transfer failed. references: - https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml index 86775c18f0a..81405a6efa2 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml 
@@ -1,6 +1,6 @@ title: Uncommon New Firewall Rule Added In Windows Firewall Exception List id: cde0a575-7d3d-4a49-9817-b8004a7bf105 -status: experimental +status: test description: Detects when a rule has been added to the Windows Firewall exception list references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml index 2c2fef840df..90e094b77ae 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml @@ -3,7 +3,7 @@ id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e related: - id: cde0a575-7d3d-4a49-9817-b8004a7bf105 type: derived -status: experimental +status: test description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location. references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml index 3b3076445d4..ddde0a8551f 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml @@ -1,6 +1,6 @@ title: All Rules Have Been Deleted From The Windows Firewall Configuration id: 79609c82-a488-426e-abcf-9f341a39365d -status: experimental +status: test description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) 
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml index fa5a3a3f605..36d2a7c489b 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml @@ -1,6 +1,6 @@ title: A Rule Has Been Deleted From The Windows Firewall Exception List id: c187c075-bb3e-4c62-b4fa-beae0ffc211f -status: experimental +status: test description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml index e196c2624a5..16dd0de90b0 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml @@ -1,6 +1,6 @@ title: Windows Defender Firewall Has Been Reset To Its Default Configuration id: 04b60639-39c0-412a-9fbe-e82499c881a3 -status: experimental +status: test description: Detects activity when Windows Defender Firewall has been reset to its default configuration references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml index afd7c90d221..63749b92177 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml 
@@ -1,6 +1,6 @@ title: Windows Firewall Settings Have Been Changed id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064 -status: experimental +status: test description: Detects activity when the settings of the Windows firewall have been changed references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml index 417e5af5f99..cdc61fb3965 100644 --- a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml +++ b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml @@ -1,6 +1,6 @@ title: Standard User In High Privileged Group id: 7ac407cc-0f48-4328-aede-de1d2e6fef41 -status: experimental +status: test description: Detect standard users login that are part of high privileged groups such as the Administrator group references: - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml index 4d378916947..77d53ea104b 100644 --- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml +++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml @@ -1,6 +1,6 @@ title: Mailbox Export to Exchange Webserver id: 516376b4-05cd-4122-bae0-ad7641c38d48 -status: experimental +status: test description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it references: - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html 
diff --git a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml index b0f532c5294..ad2d8a9d9fd 100644 --- a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml +++ b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml @@ -1,6 +1,6 @@ title: Potential Access Token Abuse id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f -status: experimental +status: test description: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag". references: - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation diff --git a/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml b/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml index 4b285c08125..b168cad94c0 100644 --- a/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml +++ b/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml @@ -1,6 +1,6 @@ title: Windows Filtering Platform Blocked Connection From EDR Agent Binary id: bacf58c6-e199-4040-a94f-95dea0f1e45a -status: experimental +status: test description: | Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events. diff --git a/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml b/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml index 8acae880d5c..2b5ef8f8834 100644 --- a/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml +++ b/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml 
@@ -1,6 +1,6 @@ title: HackTool - EDRSilencer Execution - Filter Added id: 98054878-5eab-434c-85d4-72d4e5a3361b -status: experimental +status: test description: | Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names. references: diff --git a/rules/windows/builtin/security/win_security_hktl_nofilter.yml b/rules/windows/builtin/security/win_security_hktl_nofilter.yml index 1e8bd099bad..65b1c435c79 100644 --- a/rules/windows/builtin/security/win_security_hktl_nofilter.yml +++ b/rules/windows/builtin/security/win_security_hktl_nofilter.yml @@ -1,6 +1,6 @@ title: HackTool - NoFilter Execution id: 7b14c76a-c602-4ae6-9717-eff868153fc0 -status: experimental +status: test description: | Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators references: diff --git a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml index 41237366f91..e34601b3197 100644 --- a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml +++ b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml @@ -1,6 +1,6 @@ title: Password Policy Enumerated id: 12ba6a38-adb3-4d6b-91ba-a7fb248e3199 -status: experimental +status: test description: Detects when the password policy is enumerated. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661 diff --git a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml index c1bbd97709a..4e74565af40 100644 --- a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml 
+++ b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml @@ -1,6 +1,6 @@ title: Service Registry Key Read Access Request id: 11d00fff-5dc3-428c-8184-801f292faec0 -status: experimental +status: test description: | Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml index af624d7e78d..33f7c0200bc 100644 --- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml +++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml @@ -3,7 +3,7 @@ id: c8b00925-926c-47e3-beea-298fd563728e related: - id: 1a31b18a-f00c-4061-9900-f735b96c99fc type: similar -status: experimental +status: test description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform references: - https://redcanary.com/blog/misbehaving-rats/ diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml index f7d6edc4a9b..5058cb6d5af 100644 --- a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious AccessMask Requested From LSASS id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76 -status: experimental +status: test description: Detects process handle on LSASS process with certain access mask references: - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html 
diff --git a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml index dc4cb002b90..9d36b3efb70 100644 --- a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml +++ b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml @@ -1,6 +1,6 @@ title: NTLMv1 Logon Between Client and Server id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d -status: experimental +status: test description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware. references: - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml diff --git a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml index dba3cbaf122..2d0c1e5f30a 100644 --- a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml +++ b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml @@ -1,6 +1,6 @@ title: Local Privilege Escalation Indicator TabTip id: bc2e25ed-b92b-4daa-b074-b502bdd1982b -status: experimental +status: test description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode references: - https://github.com/antonioCoco/JuicyPotatoNG diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml index d3e99b675c1..24e46f5e306 100644 --- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml 
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml @@ -7,7 +7,7 @@ related: type: derived - id: 100ef69e-3327-481c-8e5c-6d80d9507556 type: derived -status: experimental +status: test description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution references: - https://twitter.com/deviouspolack/status/832535435960209408 diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml index b0ebfd71703..c8178e3d18c 100644 --- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml @@ -3,7 +3,7 @@ id: 100ef69e-3327-481c-8e5c-6d80d9507556 related: - id: a62b37e0-45d3-48d9-a517-90c1a1b0186b type: derived -status: experimental +status: test description: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution references: - https://twitter.com/deviouspolack/status/832535435960209408 diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml index f1621267096..a09745c8a3e 100644 --- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml +++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml 
@@ -1,6 +1,6 @@ title: Certificate Use With No Strong Mapping id: 993c2665-e6ef-40e3-a62a-e1a97686af79 -status: experimental +status: test description: | Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID) This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. diff --git a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml index 2e6c871a87f..770c1aaf58b 100644 --- a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml +++ b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml @@ -1,6 +1,6 @@ title: Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 id: 52a85084-6989-40c3-8f32-091e12e17692 -status: experimental +status: test description: During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server references: - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml index e4333da732f..baf83193713 100644 
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml @@ -1,6 +1,6 @@ title: CSExec Service Installation id: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12 -status: experimental +status: test description: Detects CSExec service installation and execution events references: - https://github.com/malcomvetter/CSExec diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml index 44590237d6a..0cafdc5b2fc 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml @@ -1,6 +1,6 @@ title: RemCom Service Installation id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf -status: experimental +status: test description: Detects RemCom service installation and execution events references: - https://github.com/kavika13/RemCom/ diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml index 8e3a5cf4049..547e49c51d6 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml @@ -3,7 +3,7 @@ id: 1a31b18a-f00c-4061-9900-f735b96c99fc related: - id: c8b00925-926c-47e3-beea-298fd563728e type: similar -status: experimental +status: test description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform references: - https://redcanary.com/blog/misbehaving-rats/ 
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml index 1c1bee909ae..bcd9b1bbcce 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml @@ -1,6 +1,6 @@ title: PsExec Service Installation id: 42c575ea-e41e-41f1-b248-8093c3e82a28 -status: experimental +status: test description: Detects PsExec service installation and execution events references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml index 8edccd725de..6eb9322bdbc 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml @@ -3,7 +3,7 @@ id: acfa2210-0d71-4eeb-b477-afab494d596c related: - id: d6b5520d-3934-48b4-928c-2aa3f92d6963 type: similar -status: experimental +status: test description: Detects Windows services that got terminated for whatever reason references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml index f1b8f27f9ba..d3886e2626e 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml 
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml @@ -3,7 +3,7 @@ id: d6b5520d-3934-48b4-928c-2aa3f92d6963 related: - id: acfa2210-0d71-4eeb-b477-afab494d596c type: similar -status: experimental +status: test description: Detects important or interesting Windows services that got terminated for whatever reason references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml index f52e2a9d012..24ffbd18c3c 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml @@ -1,6 +1,6 @@ title: Important Windows Service Terminated Unexpectedly id: 56abae0c-6212-4b97-adc0-0b559bb950c3 -status: experimental +status: test description: Detects important or interesting Windows services that got terminated unexpectedly. references: - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/ diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml index 6bacc3f5062..566018fe94c 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml 
@@ -1,6 +1,6 @@ title: Remote Thread Created In KeePass.EXE id: 77564cc2-7382-438b-a7f6-395c2ae53b9a -status: experimental +status: test description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity references: - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml index fce977a4f4f..7090772996f 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml @@ -1,6 +1,6 @@ title: Remote Thread Creation In Mstsc.Exe From Suspicious Location id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7 -status: experimental +status: test description: | Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials. diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml index 1ebba8e8c49..c0c126a447e 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml @@ -3,7 +3,7 @@ id: 99b97608-3e21-4bfe-8217-2a127c396a0e related: - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 type: similar -status: experimental +status: test description: Detects the creation of a remote thread from a Powershell process in an uncommon target process references: - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html 
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml index 6ac793d0a94..8cfb96dce97 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml @@ -3,7 +3,7 @@ id: 02d1d718-dd13-41af-989d-ea85c7fab93f related: - id: 66d31e5f-52d6-40a4-9615-002d3789a119 type: derived -status: experimental +status: test description: Detects uncommon processes creating remote threads. references: - Personal research, statistical analysis diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml index 598fab745e5..8dee57222a2 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml @@ -3,7 +3,7 @@ id: 66d31e5f-52d6-40a4-9615-002d3789a119 related: - id: 02d1d718-dd13-41af-989d-ea85c7fab93f type: derived -status: experimental +status: test description: Detects uncommon processes creating remote threads. references: - Personal research, statistical analysis diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml index 9dc7fdb68a7..0dc30bf9b35 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml 
@@ -3,7 +3,7 @@ id: a1a144b7-5c9b-4853-a559-2172be8d4a03 related: - id: f016c716-754a-467f-a39e-63c06f773987 type: obsoletes -status: experimental +status: test description: Detects uncommon target processes for remote thread creation references: - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection diff --git a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml index 001a51f465f..24da21b23d9 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml @@ -1,6 +1,6 @@ title: Creation Of a Suspicious ADS File Outside a Browser Download id: 573df571-a223-43bc-846e-3f98da481eca -status: experimental +status: test description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers references: - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/ diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml index a48002d98d6..d8b9eca0a6d 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml @@ -3,7 +3,7 @@ id: 52182dfb-afb7-41db-b4bc-5336cb29b464 related: - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99 type: similar -status: experimental +status: test description: Detects the download of suspicious file type from a well-known file and paste sharing domain references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml index 3157d7de2ca..664f76427f6 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml @@ -3,7 +3,7 @@ id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99 related: - id: 52182dfb-afb7-41db-b4bc-5336cb29b464 type: similar -status: experimental +status: test description: Detects the download of suspicious file type from a well-known file and paste sharing domain references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 diff --git a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml index 08ac32bcb76..c719950b0f1 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml @@ -1,6 +1,6 @@ title: HackTool Named File Stream Created id: 19b041f6-e583-40dc-b842-d6fa8011493f -status: experimental +status: test description: Detects the creation of a named file stream with the imphash of a well-known hack tool references: - https://github.com/gentilkiwi/mimikatz diff --git a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml index d6a2b9acbae..1792faecc26 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml 
@@ -1,6 +1,6 @@ title: Potential Suspicious Winget Package Installation id: a3f5c081-e75b-43a0-9f5b-51f26fe5dba2 -status: experimental +status: test description: Detects potential suspicious winget package installation from a suspicious source. references: - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget diff --git a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml index 6377385673a..d7869180a02 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious File Download From ZIP TLD id: 0bb4bbeb-fe52-4044-b40c-430a04577ebe -status: experimental +status: test description: Detects the download of a file with a potentially suspicious extension from a .zip top level domain. references: - https://twitter.com/cyb3rops/status/1659175181695287297 diff --git a/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml b/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml index 2733c38e910..1ecae0ec241 100644 --- a/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml +++ b/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml @@ -1,6 +1,6 @@ title: Cloudflared Tunnels Related DNS Requests id: a1d9eec5-33b2-4177-8d24-27fe754d0812 -status: experimental +status: test description: Detects DNS query requests to Cloudflared tunnels domains. references: - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/ diff --git a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml index 54b62bfd967..b5df3e4f2a3 100644 --- a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml 
+++ b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml @@ -7,7 +7,7 @@ related: type: similar - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode type: similar -status: experimental +status: test description: | Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. references: diff --git a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml index 260c77a4aa4..160adb3f6f8 100644 --- a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml +++ b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml @@ -1,6 +1,6 @@ title: DNS Server Discovery Via LDAP Query id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e -status: experimental +status: test description: Detects DNS server discovery via LDAP query requests from uncommon applications references: - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml index ac8617682d7..42656d7f212 100644 --- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml +++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml 
@@ -7,7 +7,7 @@ related: type: obsoletes - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4 type: obsoletes -status: experimental +status: test description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. diff --git a/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml b/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml index 430e8c1da24..046b352420f 100644 --- a/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml +++ b/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml @@ -3,7 +3,7 @@ id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 related: - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2 type: similar -status: experimental +status: test description: Detects DNS queries to an ".onion" address related to Tor routing networks references: - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ diff --git a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml index 1ef60ac954e..3890fad5025 100644 --- a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml +++ b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml @@ -3,7 +3,7 @@ id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b related: - id: 090ffaad-c01a-4879-850c-6d57da98452d type: similar -status: experimental +status: test description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ 
diff --git a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml index d03bca54df3..a0c0dd9086e 100644 --- a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml +++ b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml @@ -7,7 +7,7 @@ related: type: similar - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels type: similar -status: experimental +status: test description: | Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. references: diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers.yml b/rules/windows/driver_load/driver_load_win_mal_drivers.yml index 22362077dd5..2a630f2f21a 100644 --- a/rules/windows/driver_load/driver_load_win_mal_drivers.yml +++ b/rules/windows/driver_load/driver_load_win_mal_drivers.yml @@ -1,6 +1,6 @@ title: Malicious Driver Load id: 05296024-fe8a-4baf-8f3d-9a5f5624ceb2 -status: experimental +status: test description: Detects loading of known malicious drivers via their hash. references: - https://loldrivers.io/ diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml index 4fbc90ee395..25bf5037f01 100644 --- a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml +++ b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml @@ -1,6 +1,6 @@ title: Malicious Driver Load By Name id: 39b64854-5497-4b57-a448-40977b8c9679 -status: experimental +status: test description: Detects loading of known malicious drivers via the file name of the drivers. references: - https://loldrivers.io/ diff --git a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml index ecd3d7dd443..6524fba28a4 100644 
--- a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml +++ b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml @@ -3,7 +3,7 @@ id: 67add051-9ee7-4ad3-93ba-42935615ae8d related: - id: 10cb6535-b31d-4512-9962-513dcbc42cc1 type: similar -status: experimental +status: test description: Detects driver load of the Process Hacker tool references: - https://processhacker.sourceforge.io/ diff --git a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml index f9f2f8b6cce..8a220bffb07 100644 --- a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml +++ b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml @@ -3,7 +3,7 @@ id: 10cb6535-b31d-4512-9962-513dcbc42cc1 related: - id: 67add051-9ee7-4ad3-93ba-42935615ae8d type: similar -status: experimental +status: test description: Detects driver load of the System Informer tool references: - https://systeminformer.sourceforge.io/ diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml index 3ee7abf3661..abb007fee59 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml @@ -1,6 +1,6 @@ title: Vulnerable Driver Load id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8 -status: experimental +status: test description: Detects loading of known vulnerable drivers via their hash. references: - https://loldrivers.io/ diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml index fbf65d88d67..96f8524f325 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml 
@@ -1,6 +1,6 @@ title: Vulnerable Driver Load By Name id: 72cd00d6-490c-4650-86ff-1d11f491daa1 -status: experimental +status: test description: Detects the load of known vulnerable drivers via the file name of the drivers. references: - https://loldrivers.io/ diff --git a/rules/windows/file/file_access/file_access_win_browser_credential_access.yml b/rules/windows/file/file_access/file_access_win_browser_credential_access.yml index a9359999498..b726536e9f5 100644 --- a/rules/windows/file/file_access/file_access_win_browser_credential_access.yml +++ b/rules/windows/file/file_access/file_access_win_browser_credential_access.yml @@ -1,6 +1,6 @@ title: Access To Browser Credential Files By Uncommon Application id: 91cb43db-302a-47e3-b3c8-7ede481e27bf -status: experimental +status: test description: | Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. diff --git a/rules/windows/file/file_access/file_access_win_credential_manager_access.yml b/rules/windows/file/file_access/file_access_win_credential_manager_access.yml index cad181453c0..acfb53fb362 100644 --- a/rules/windows/file/file_access/file_access_win_credential_manager_access.yml +++ b/rules/windows/file/file_access/file_access_win_credential_manager_access.yml @@ -1,6 +1,6 @@ title: Credential Manager Access By Uncommon Application id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6 -status: experimental +status: test description: | Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function diff --git a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml index 8678bfdfb0e..22e88ebdbc5 100644 --- a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml 
+++ b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml @@ -1,6 +1,6 @@ title: Access To Windows DPAPI Master Keys By Uncommon Application id: 46612ae6-86be-4802-bc07-39b59feb1309 -status: experimental +status: test description: | Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function diff --git a/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml b/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml index dea4215eb8d..3229f4683bd 100644 --- a/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml +++ b/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml @@ -1,6 +1,6 @@ title: Access To .Reg/.Hive Files By Uncommon Application id: 337a31c6-46c4-46be-886a-260d7aa78cac -status: experimental +status: test description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups. references: - https://github.com/tccontre/Reg-Restore-Persistence-Mole diff --git a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml index 2836f61376e..856f0847ba5 100644 --- a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml +++ b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml @@ -1,6 +1,6 @@ title: Access To Windows Credential History File By Uncommon Application id: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2 -status: experimental +status: test description: | Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function 
diff --git a/rules/windows/file/file_access/file_access_win_susp_gpo_access_file.yml b/rules/windows/file/file_access/file_access_win_susp_gpo_access_file.yml index 37a2d6dcc60..50cd8097d86 100644 --- a/rules/windows/file/file_access/file_access_win_susp_gpo_access_file.yml +++ b/rules/windows/file/file_access/file_access_win_susp_gpo_access_file.yml @@ -3,7 +3,7 @@ id: d51694fe-484a-46ac-92d6-969e76d60d10 related: - id: 8344c19f-a023-45ff-ad63-a01c5396aea0 type: derived -status: experimental +status: test description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share. references: - https://github.com/vletoux/pingcastle diff --git a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml index 4591128a81d..4123fac8c13 100644 --- a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml +++ b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml @@ -3,7 +3,7 @@ id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae related: - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b type: similar -status: experimental +status: test description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. references: - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/ diff --git a/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml b/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml index 4862e6b4fd7..2807616395c 100644 --- a/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml +++ b/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml 
@@ -7,7 +7,7 @@ related: type: similar - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec type: similar -status: experimental +status: test description: | Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider. references: diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 02eedbdff08..48da801f500 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml @@ -1,6 +1,6 @@ title: EVTX Created In Uncommon Location id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb -status: experimental +status: test description: Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls references: - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key diff --git a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml index 64756bc1864..c689dba2dfd 100644 --- a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml 
@@ -3,7 +3,7 @@ id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c related: - id: 3a525307-d100-48ae-b3b9-0964699d7f97 type: similar -status: experimental +status: test description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. references: - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps diff --git a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml index 526eaa2eb51..b113fd1fa94 100644 --- a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml +++ b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml @@ -5,7 +5,7 @@ related: type: obsoletes - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a type: obsoletes -status: experimental +status: test description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials. references: - https://www.google.com/search?q=procdump+lsass diff --git a/rules/windows/file/file_event/file_event_win_new_scr_file.yml b/rules/windows/file/file_event/file_event_win_new_scr_file.yml index 7b277774e89..ba8026ec718 100644 --- a/rules/windows/file/file_event/file_event_win_new_scr_file.yml +++ b/rules/windows/file/file_event/file_event_win_new_scr_file.yml 
@@ -1,6 +1,6 @@ title: SCR File Write Event id: c048f047-7e2a-4888-b302-55f509d4a91d -status: experimental +status: test description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example. references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml index f4d39dfd6bf..2828582d32d 100644 --- a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml +++ b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml @@ -1,6 +1,6 @@ title: NTDS.DIT Created id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c -status: experimental +status: test description: Detects creation of a file named "ntds.dit" (Active Directory Database) references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml index 30ea4582d5f..1282361ec39 100644 --- a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml @@ -3,7 +3,7 @@ id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 related: - id: 91174a41-dc8f-401b-be89-7bfc140612a0 type: similar -status: experimental +status: test description: Detects the creation of a new office macro files on the systems via an application (browser, mail client). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml index 90502e03333..dce7b494af3 100644 
--- a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml +++ b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml @@ -1,6 +1,6 @@ title: OneNote Attachment File Dropped In Suspicious Location id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0 -status: experimental +status: test description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments references: - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/ diff --git a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml index 071b2761742..de271fcef41 100644 --- a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml +++ b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml @@ -1,6 +1,6 @@ title: File With Uncommon Extension Created By An Office Application id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4 -status: experimental +status: test description: Detects the creation of files with an executable or script extension by an Office application. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ diff --git a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml index 2ea9b34532e..2e98422c50f 100644 --- a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml +++ b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml 
@@ -1,6 +1,6 @@ title: Uncommon File Created In Office Startup Folder id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d -status: experimental +status: test description: Detects the creation of a file with an uncommon extension in an Office application startup folder references: - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/ diff --git a/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml index 3999f8481fb..dca8c2bb922 100644 --- a/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml +++ b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml @@ -1,6 +1,6 @@ title: Suspicious File Created In PerfLogs id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b -status: experimental +status: test description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml b/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml index b0be4a1985b..265abe5dac9 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml @@ -1,6 +1,6 @@ title: Potential Binary Or Script Dropper Via PowerShell id: 7047d730-036f-4f40-b9d8-1c63e36d5e62 -status: experimental +status: test description: Detects PowerShell creating a binary executable or a script file. references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution diff --git a/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml b/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml index e622ef627c1..6bb60c37901 100644 
--- a/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml @@ -1,6 +1,6 @@ title: PowerShell Script Dropped Via PowerShell.EXE id: 576426ad-0131-4001-ae01-be175da0c108 -status: experimental +status: test description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence. references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml index dfaa770a897..98cd38a339d 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml @@ -1,6 +1,6 @@ title: PowerShell Module File Created id: e36941d0-c0f0-443f-bc6f-cb2952eb69ea -status: experimental +status: test description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml index 094d09c106f..e3ad338f545 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml 
@@ -1,6 +1,6 @@ title: Potential Suspicious PowerShell Module File Created id: e8a52bbd-bced-459f-bd93-64db45ce7657 -status: experimental +status: test description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder. references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml index 1495dbf22c1..d351e677c55 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml @@ -1,6 +1,6 @@ title: PowerShell Module File Created By Non-PowerShell Process id: e3845023-ca9a-4024-b2b2-5422156d5527 -status: experimental +status: test description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml index 6505f169c5f..e4bfa90a4dc 100644 --- a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml +++ b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml 
@@ -1,6 +1,6 @@ title: PSScriptPolicyTest Creation By Uncommon Process id: 1027d292-dd87-4a1a-8701-2abe04d7783c -status: experimental +status: test description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker. references: - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/ diff --git a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml index f5254b05e8f..d44d34f4750 100644 --- a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml @@ -1,6 +1,6 @@ title: RDP File Creation From Suspicious Application id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d -status: experimental +status: test description: Detects Rclone config file being created references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ diff --git a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml index 6f4067d1aba..614b897e954 100644 --- a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml +++ b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml @@ -3,7 +3,7 @@ id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5 related: - id: b1f73849-6329-4069-bc8f-78a604bb8b23 type: similar -status: experimental +status: test description: | Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution. 
diff --git a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml index b6147a2bb5b..ad0259acf28 100644 --- a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml +++ b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml @@ -3,7 +3,7 @@ id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f related: - id: ab90dab8-c7da-4010-9193-563528cfa347 type: derived -status: experimental +status: test description: | Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. diff --git a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml index 9c942db5f6b..68b29e78f92 100644 --- a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml +++ b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml @@ -3,7 +3,7 @@ id: a8f866e1-bdd4-425e-a27a-37619238d9c7 related: - id: 0900463c-b33b-49a8-be1d-552a3b553dae type: similar -status: experimental +status: test description: | Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe" references: diff --git a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml index 46d20787500..c54c39906f7 100644 --- a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml +++ b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml 
@@ -1,6 +1,6 @@ title: Potential Homoglyph Attack Using Lookalike Characters in Filename id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6 -status: experimental +status: test description: | Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml index ae9c0297b86..03fc2f92ef7 100644 --- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml +++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml @@ -1,6 +1,6 @@ title: Legitimate Application Dropped Executable id: f0540f7e-2db3-4432-b9e0-3965486744bc -status: experimental +status: test description: Detects programs on a Windows system that should not write executables to disk references: - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326 diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml index e271d35b5c3..3642c3a83e1 100644 --- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml +++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml @@ -1,6 +1,6 @@ title: Legitimate Application Dropped Script id: 7d604714-e071-49ff-8726-edeb95a70679 -status: experimental +status: test description: Detects programs on a Windows system that should not write scripts to disk references: - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326 
diff --git a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml index a70fa7bfbb6..4cf91ba39f0 100644 --- a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml +++ b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml @@ -3,7 +3,7 @@ id: 3215aa19-f060-4332-86d5-5602511f3ca8 related: - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e type: derived -status: experimental +status: test description: | Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default. references: diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml index 2e279f53348..1273a113915 100644 --- a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml +++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml @@ -3,7 +3,7 @@ id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca related: - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 type: derived -status: experimental +status: test description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware references: - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets diff --git a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml index c5cbca4ce3f..25dcc3ed117 100644 --- a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml +++ b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml 
@@ -1,6 +1,6 @@ title: Windows Terminal Profile Settings Modification By Uncommon Process id: 9b64de98-9db3-4033-bd7a-f51430105f00 -status: experimental +status: test description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process. references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile diff --git a/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml b/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml index 51ed8361737..3f54ec7bde7 100644 --- a/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml +++ b/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml @@ -3,7 +3,7 @@ id: 34746e8c-5fb8-415a-b135-0abc167e912a related: - id: 64827580-e4c3-4c64-97eb-c72325d45399 type: derived -status: experimental +status: test description: Detects the creation of binaries in the WinSxS folder by non-system processes references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml index fa1d013c368..7c1a3ac1e2e 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml @@ -1,6 +1,6 @@ title: LiveKD Kernel Memory Dump File Created id: 814ddeca-3d31-4265-8e07-8cc54fb44903 -status: experimental +status: test description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump. references: - Internal Research 
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml index 0d3f5c27f25..9a405099da1 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml @@ -1,6 +1,6 @@ title: LiveKD Driver Creation id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352 -status: experimental +status: test description: Detects the creation of the LiveKD driver, which is used for live kernel debugging references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml index 7b47f5169e5..e997ad9c53a 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml @@ -3,7 +3,7 @@ id: 059c5af9-5131-4d8d-92b2-de4ad6146712 related: - id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352 type: similar -status: experimental +status: test description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe". references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml index 5b3b14352bc..60e2e7816a3 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml 
@@ -1,6 +1,6 @@ title: Process Explorer Driver Creation By Non-Sysinternals Binary id: de46c52b-0bf8-4936-a327-aace94f94ac6 -status: experimental +status: test description: | Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards. diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml index 6c543a9a434..8feed78794e 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml @@ -1,6 +1,6 @@ title: Process Monitor Driver Creation By Non-Sysinternals Binary id: a05baa88-e922-4001-bc4d-8738135f27de -status: experimental +status: test description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself. references: - Internal Research diff --git a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml index 0fbc2c3c9a0..28736649e9e 100644 --- a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml +++ b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml @@ -1,6 +1,6 @@ title: LSASS Process Memory Dump Creation Via Taskmgr.EXE id: 69ca12af-119d-44ed-b50f-a47af0ebc364 -status: experimental +status: test description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager. author: Swachchhanda Shrawan Poudel date: 2023/10/19 
diff --git a/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml b/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml index 99ade0380b0..0f1e97f311b 100644 --- a/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml +++ b/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml @@ -1,6 +1,6 @@ title: Visual Studio Code Tunnel Remote File Creation id: 56e05d41-ce99-4ecd-912d-93f019ee0b71 -status: experimental +status: test description: | Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature references: diff --git a/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml b/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml index 5bd3aeeb692..c5b2e80bb8d 100644 --- a/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml +++ b/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml @@ -1,6 +1,6 @@ title: Renamed VsCode Code Tunnel Execution - File Indicator id: d102b8f5-61dc-4e68-bd83-9a3187c67377 -status: experimental +status: test description: | Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode. references: diff --git a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml index 88cc7372658..f7ee94c4c7b 100644 --- a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml +++ b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml 
@@ -3,7 +3,7 @@ id: ab90dab8-c7da-4010-9193-563528cfa347 related: - id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f type: derived -status: experimental +status: test description: | Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. diff --git a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml index 419cded28cc..b8bb326b611 100644 --- a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml +++ b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml @@ -1,6 +1,6 @@ title: Amsi.DLL Loaded Via LOLBIN Process id: 6ec86d9e-912e-4726-91a2-209359b999b9 -status: experimental +status: test description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack references: - Internal Research diff --git a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml index 9934ec077d8..bf9f49625fc 100644 --- a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml +++ b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml @@ -1,6 +1,6 @@ title: CredUI.DLL Loaded By Uncommon Process id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 -status: experimental +status: test description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW". references: - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html 
diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml index 3508612218f..96f25782f2b 100644 --- a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml +++ b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml @@ -3,7 +3,7 @@ id: b48492dc-c5ef-4572-8dff-32bc241c15c8 related: - id: 3669afd2-9891-4534-a626-e5cf03810a61 type: derived -status: experimental +status: test description: | Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml index 67cecc0da57..3629494d455 100644 --- a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml +++ b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml @@ -3,7 +3,7 @@ id: 3669afd2-9891-4534-a626-e5cf03810a61 related: - id: b48492dc-c5ef-4572-8dff-32bc241c15c8 type: derived -status: experimental +status: test description: | Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. diff --git a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml index f1af8ce06f0..a113ecc3315 100644 --- a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml 
+++ b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml @@ -5,7 +5,7 @@ related: type: obsoletes - id: fe6e002f-f244-4278-9263-20e4b593827f type: obsoletes -status: experimental +status: test description: | Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension. diff --git a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml index 81dce59c451..0437cbe7c8a 100644 --- a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml @@ -5,7 +5,7 @@ related: type: similar - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll type: similar -status: experimental +status: test description: Detects the image load of vss_ps.dll by uncommon executables references: - https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add diff --git a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml index 52bf4d10224..55b5afe0df1 100644 --- a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml @@ -5,7 +5,7 @@ related: type: similar - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll type: similar -status: experimental +status: test description: Detects the image load of VSS DLL by uncommon executables references: - https://github.com/ORCx41/DeleteShadowCopies diff --git a/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml b/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml index 3754f73df05..148d0e35407 100644 --- a/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml +++ b/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml 
@@ -3,7 +3,7 @@ id: af4c4609-5755-42fe-8075-4effb49f5d44 related: - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185 type: derived -status: experimental +status: test description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location references: - https://www.mandiant.com/resources/blog/lnk-between-browsers diff --git a/rules/windows/image_load/image_load_office_powershell_dll_load.yml b/rules/windows/image_load/image_load_office_powershell_dll_load.yml index f99efc47d23..3c2235cb8ad 100644 --- a/rules/windows/image_load/image_load_office_powershell_dll_load.yml +++ b/rules/windows/image_load/image_load_office_powershell_dll_load.yml @@ -1,6 +1,6 @@ title: PowerShell Core DLL Loaded Via Office Application id: bb2ba6fb-95d4-4a25-89fc-30bb736c021a -status: experimental +status: test description: Detects PowerShell core DLL being loaded by an Office Product references: - Internal Research diff --git a/rules/windows/image_load/image_load_rundll32_remote_share_load.yml b/rules/windows/image_load/image_load_rundll32_remote_share_load.yml index ff412b655be..e93b5aac5db 100644 --- a/rules/windows/image_load/image_load_rundll32_remote_share_load.yml +++ b/rules/windows/image_load/image_load_rundll32_remote_share_load.yml @@ -1,6 +1,6 @@ title: Remote DLL Load Via Rundll32.EXE id: f40017b3-cb2e-4335-ab5d-3babf679c1de -status: experimental +status: test description: Detects a remote DLL load event via "rundll32.exe". references: - https://github.com/gabe-k/themebleed diff --git a/rules/windows/image_load/image_load_side_load_7za.yml b/rules/windows/image_load/image_load_side_load_7za.yml index 7b6804cb4b1..739d1f9cfa9 100644 --- a/rules/windows/image_load/image_load_side_load_7za.yml +++ b/rules/windows/image_load/image_load_side_load_7za.yml 
@@ -1,6 +1,6 @@ title: Potential 7za.DLL Sideloading id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57 -status: experimental +status: test description: Detects potential DLL sideloading of "7za.dll" references: - https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d diff --git a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml index 2c627a998ac..e9fcc62a14a 100644 --- a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml +++ b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml @@ -1,6 +1,6 @@ title: Abusable DLL Potential Sideloading From Suspicious Location id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a -status: experimental +status: test description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations references: - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html diff --git a/rules/windows/image_load/image_load_side_load_appverifui.yml b/rules/windows/image_load/image_load_side_load_appverifui.yml index 3d6bac44839..0e06be8b9db 100644 --- a/rules/windows/image_load/image_load_side_load_appverifui.yml +++ b/rules/windows/image_load/image_load_side_load_appverifui.yml @@ -1,6 +1,6 @@ title: Potential appverifUI.DLL Sideloading id: ee6cea48-c5b6-4304-a332-10fc6446f484 -status: experimental +status: test description: Detects potential DLL sideloading of "appverifUI.dll" references: - https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ diff --git a/rules/windows/image_load/image_load_side_load_avkkid.yml b/rules/windows/image_load/image_load_side_load_avkkid.yml index 1fb23bd4060..34f5dcc903e 100644 --- a/rules/windows/image_load/image_load_side_load_avkkid.yml +++ b/rules/windows/image_load/image_load_side_load_avkkid.yml 
@@ -1,6 +1,6 @@ title: Potential AVKkid.DLL Sideloading id: 952ed57c-8f99-453d-aee0-53a49c22f95d -status: experimental +status: test description: Detects potential DLL sideloading of "AVKkid.dll" references: - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml index 3f765ec9673..aa4e08c8301 100644 --- a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml +++ b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml @@ -1,6 +1,6 @@ title: Potential CCleanerDU.DLL Sideloading id: 1fbc0671-5596-4e17-8682-f020a0b995dc -status: experimental +status: test description: Detects potential DLL sideloading of "CCleanerDU.dll" references: - https://lab52.io/blog/2344-2/ diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml index 08ceb513245..eac6adb4aee 100644 --- a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml +++ b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml @@ -1,6 +1,6 @@ title: Potential CCleanerReactivator.DLL Sideloading id: 3735d5ac-d770-4da0-99ff-156b180bc600 -status: experimental +status: test description: Detects potential DLL sideloading of "CCleanerReactivator.dll" references: - https://lab52.io/blog/2344-2/ diff --git a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml index a97267762f8..29a3c5e73eb 100644 --- a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml +++ b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml 
@@ -1,6 +1,6 @@ title: Potential Chrome Frame Helper DLL Sideloading id: 72ca7c75-bf85-45cd-aca7-255d360e423c -status: experimental +status: test description: Detects potential DLL sideloading of "chrome_frame_helper.dll" references: - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html diff --git a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml index f39e67c66f1..04d2fd91f9e 100644 --- a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml @@ -1,6 +1,6 @@ title: System Control Panel Item Loaded From Uncommon Location id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde -status: experimental +status: test description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading. references: - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ diff --git a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml index 80b1818f603..c2f9fd7c7ea 100644 --- a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml +++ b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml @@ -1,6 +1,6 @@ title: Potential DLL Sideloading Of DBGCORE.DLL id: 9ca2bf31-0570-44d8-a543-534c47c33ed7 -status: experimental +status: test description: Detects DLL sideloading of "dbgcore.dll" references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) diff --git a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml index aca8455ca07..7f2e670b066 100644 --- a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml 
+++ b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml @@ -1,6 +1,6 @@ title: Potential DLL Sideloading Of DBGHELP.DLL id: 6414b5cd-b19d-447e-bb5e-9f03940b5784 -status: experimental +status: test description: Detects DLL sideloading of "dbghelp.dll" references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) diff --git a/rules/windows/image_load/image_load_side_load_eacore.yml b/rules/windows/image_load/image_load_side_load_eacore.yml index fa652280f5f..876836a5d49 100644 --- a/rules/windows/image_load/image_load_side_load_eacore.yml +++ b/rules/windows/image_load/image_load_side_load_eacore.yml @@ -1,6 +1,6 @@ title: Potential EACore.DLL Sideloading id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5 -status: experimental +status: test description: Detects potential DLL sideloading of "EACore.dll" references: - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ diff --git a/rules/windows/image_load/image_load_side_load_edputil.yml b/rules/windows/image_load/image_load_side_load_edputil.yml index c01ef110298..68731a236bc 100644 --- a/rules/windows/image_load/image_load_side_load_edputil.yml +++ b/rules/windows/image_load/image_load_side_load_edputil.yml @@ -1,6 +1,6 @@ title: Potential Edputil.DLL Sideloading id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2 -status: experimental +status: test description: Detects potential DLL sideloading of "edputil.dll" references: - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/ diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index a855e227847..617def24f6e 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml 
@@ -1,6 +1,6 @@ title: Potential System DLL Sideloading From Non System Locations id: 4fc0deee-0057-4998-ab31-d24e46e0aba4 -status: experimental +status: test description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.). references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research) diff --git a/rules/windows/image_load/image_load_side_load_goopdate.yml b/rules/windows/image_load/image_load_side_load_goopdate.yml index 0efe6f037a8..9552d33e125 100644 --- a/rules/windows/image_load/image_load_side_load_goopdate.yml +++ b/rules/windows/image_load/image_load_side_load_goopdate.yml @@ -1,6 +1,6 @@ title: Potential Goopdate.DLL Sideloading id: b6188d2f-b3c4-4d2c-a17d-9706e0851af0 -status: experimental +status: test description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml index b6817ffa869..dbeeef9cdc0 100644 --- a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml +++ b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml @@ -1,6 +1,6 @@ title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e -status: experimental +status: test description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/image_load/image_load_side_load_libvlc.yml b/rules/windows/image_load/image_load_side_load_libvlc.yml index 47c3653ef86..e2c12979a55 100644 --- a/rules/windows/image_load/image_load_side_load_libvlc.yml 
+++ b/rules/windows/image_load/image_load_side_load_libvlc.yml @@ -1,6 +1,6 @@ title: Potential Libvlc.DLL Sideloading id: bf9808c4-d24f-44a2-8398-b65227d406b6 -status: experimental +status: test description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe" references: - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html diff --git a/rules/windows/image_load/image_load_side_load_mfdetours.yml b/rules/windows/image_load/image_load_side_load_mfdetours.yml index e9f7437afeb..671b016a52d 100644 --- a/rules/windows/image_load/image_load_side_load_mfdetours.yml +++ b/rules/windows/image_load/image_load_side_load_mfdetours.yml @@ -1,6 +1,6 @@ title: Potential Mfdetours.DLL Sideloading id: d2605a99-2218-4894-8fd3-2afb7946514d -status: experimental +status: test description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. references: - Internal Research diff --git a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml index ff085caaec1..fd2fb734c0d 100644 --- a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml +++ b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml @@ -3,7 +3,7 @@ id: 948a0953-f287-4806-bbcb-3b2e396df89f related: - id: d2605a99-2218-4894-8fd3-2afb7946514d type: similar -status: experimental +status: test description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. references: - Internal Research 
diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml index 233b693cab6..031f8a2564c 100644 --- a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml +++ b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml @@ -1,6 +1,6 @@ title: Potential RjvPlatform.DLL Sideloading From Default Location id: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d -status: experimental +status: test description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default. references: - https://twitter.com/0gtweet/status/1666716511988330499 diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml index 16a2f947820..9736f91c35f 100644 --- a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml +++ b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml @@ -1,6 +1,6 @@ title: Potential RjvPlatform.DLL Sideloading From Non-Default Location id: 0e0bc253-07ed-43f1-816d-e1b220fe8971 -status: experimental +status: test description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location. references: - https://twitter.com/0gtweet/status/1666716511988330499 diff --git a/rules/windows/image_load/image_load_side_load_robform.yml b/rules/windows/image_load/image_load_side_load_robform.yml index d1935bd6197..59ae90ce250 100644 --- a/rules/windows/image_load/image_load_side_load_robform.yml +++ b/rules/windows/image_load/image_load_side_load_robform.yml 
@@ -1,6 +1,6 @@ title: Potential RoboForm.DLL Sideloading id: f64c9b2d-b0ad-481d-9d03-7fc75020892a -status: experimental +status: test description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager references: - https://twitter.com/StopMalvertisin/status/1648604148848549888 diff --git a/rules/windows/image_load/image_load_side_load_shelldispatch.yml b/rules/windows/image_load/image_load_side_load_shelldispatch.yml index 3b2313a4e06..2893eaa8ece 100644 --- a/rules/windows/image_load/image_load_side_load_shelldispatch.yml +++ b/rules/windows/image_load/image_load_side_load_shelldispatch.yml @@ -1,6 +1,6 @@ title: Potential ShellDispatch.DLL Sideloading id: 844f8eb2-610b-42c8-89a4-47596e089663 -status: experimental +status: test description: Detects potential DLL sideloading of "ShellDispatch.dll" references: - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ diff --git a/rules/windows/image_load/image_load_side_load_smadhook.yml b/rules/windows/image_load/image_load_side_load_smadhook.yml index d135bed8ada..5b658877606 100644 --- a/rules/windows/image_load/image_load_side_load_smadhook.yml +++ b/rules/windows/image_load/image_load_side_load_smadhook.yml @@ -1,6 +1,6 @@ title: Potential SmadHook.DLL Sideloading id: 24b6cf51-6122-469e-861a-22974e9c1e5b -status: experimental +status: test description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus references: - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/ diff --git a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml index 9c9dd392fb1..c0952513125 100644 --- a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml +++ b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml 
@@ -1,6 +1,6 @@ title: Potential SolidPDFCreator.DLL Sideloading id: a2edbce1-95c8-4291-8676-0d45146862b3 -status: experimental +status: test description: Detects potential DLL sideloading of "SolidPDFCreator.dll" references: - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ diff --git a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml index 44a5dcf5f93..3baab600a52 100644 --- a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml +++ b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml @@ -1,6 +1,6 @@ title: Potential Vivaldi_elf.DLL Sideloading id: 2092cacb-d77b-4f98-ab0d-32b32f99a054 -status: experimental +status: test description: Detects potential DLL sideloading of "vivaldi_elf.dll" references: - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml index 31459627106..1be2d7b8515 100644 --- a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml +++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml @@ -3,7 +3,7 @@ id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d related: - id: 273a8dd8-3742-4302-bcc7-7df5a80fe425 type: similar -status: experimental +status: test description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap. references: - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml index 16a2c60843e..0135e93a9da 100644 --- a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml 
+++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml @@ -3,7 +3,7 @@ id: 273a8dd8-3742-4302-bcc7-7df5a80fe425 related: - id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d type: similar -status: experimental +status: test description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap. references: - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 diff --git a/rules/windows/image_load/image_load_side_load_waveedit.yml b/rules/windows/image_load/image_load_side_load_waveedit.yml index 75619e6bd4d..2caa069bee9 100644 --- a/rules/windows/image_load/image_load_side_load_waveedit.yml +++ b/rules/windows/image_load/image_load_side_load_waveedit.yml @@ -1,6 +1,6 @@ title: Potential Waveedit.DLL Sideloading id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb -status: experimental +status: test description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software. references: - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html diff --git a/rules/windows/image_load/image_load_side_load_wazuh.yml b/rules/windows/image_load/image_load_side_load_wazuh.yml index fb268f1a7a6..700461cc940 100644 --- a/rules/windows/image_load/image_load_side_load_wazuh.yml +++ b/rules/windows/image_load/image_load_side_load_wazuh.yml @@ -1,6 +1,6 @@ title: Potential Wazuh Security Platform DLL Sideloading id: db77ce78-7e28-4188-9337-cf30e2b3ba9f -status: experimental +status: test description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform references: - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html 
diff --git a/rules/windows/image_load/image_load_side_load_windows_defender.yml b/rules/windows/image_load/image_load_side_load_windows_defender.yml index 2ce295c436b..d0d150a9f59 100644 --- a/rules/windows/image_load/image_load_side_load_windows_defender.yml +++ b/rules/windows/image_load/image_load_side_load_windows_defender.yml @@ -3,7 +3,7 @@ id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc related: - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 type: similar -status: experimental +status: test description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool diff --git a/rules/windows/image_load/image_load_side_load_wwlib.yml b/rules/windows/image_load/image_load_side_load_wwlib.yml index cdd7b1a0e86..7de9b90e1d7 100644 --- a/rules/windows/image_load/image_load_side_load_wwlib.yml +++ b/rules/windows/image_load/image_load_side_load_wwlib.yml @@ -1,6 +1,6 @@ title: Potential WWlib.DLL Sideloading id: e2e01011-5910-4267-9c3b-4149ed5479cf -status: experimental +status: test description: Detects potential DLL sideloading of "wwlib.dll" references: - https://twitter.com/WhichbufferArda/status/1658829954182774784 diff --git a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml index 43f12df16f0..17cb4cb364a 100644 --- a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml +++ b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml 
@@ -1,6 +1,6 @@ title: Unsigned Module Loaded by ClickOnce Application id: 060d5ad4-3153-47bb-8382-43e5e29eda92 -status: experimental +status: test description: Detects unsigned module load by ClickOnce application. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index 9c5ed041352..a1206b18ddb 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml @@ -1,6 +1,6 @@ title: DLL Load By System Process From Suspicious Locations id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c -status: experimental +status: test description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public" references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml index df60f3ac044..0523dd935a0 100644 --- a/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/rules/windows/image_load/image_load_susp_python_image_load.yml @@ -1,6 +1,6 @@ title: Python Image Load By Non-Python Process id: cbb56d62-4060-40f7-9466-d8aaf3123f83 -status: experimental +status: test description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe. references: - https://www.py2exe.org/ diff --git a/rules/windows/image_load/image_load_susp_unsigned_dll.yml b/rules/windows/image_load/image_load_susp_unsigned_dll.yml index f62d35f56d1..b7a205316cb 100644 --- a/rules/windows/image_load/image_load_susp_unsigned_dll.yml 
+++ b/rules/windows/image_load/image_load_susp_unsigned_dll.yml @@ -1,6 +1,6 @@ title: Unsigned DLL Loaded by RunDLL32/RegSvr32 id: b5de0c9a-6f19-43e0-af4e-55ad01f550af -status: experimental +status: test description: | Detects RunDLL32/RegSvr32 loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code. diff --git a/rules/windows/network_connection/net_connection_win_addinutil.yml b/rules/windows/network_connection/net_connection_win_addinutil.yml index dc83002d91d..65e2c394be3 100644 --- a/rules/windows/network_connection/net_connection_win_addinutil.yml +++ b/rules/windows/network_connection/net_connection_win_addinutil.yml @@ -1,6 +1,6 @@ title: Network Connection Initiated By AddinUtil.EXE id: 5205613d-2a63-4412-a895-3a2458b587b3 -status: experimental +status: test description: | Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity. diff --git a/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml b/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml index 3850deadd9f..954d0a76361 100644 --- a/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml +++ b/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Network Connection To Notion API id: 7e9cf7b6-e827-11ed-a05b-15959c120003 -status: experimental +status: test description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2" references: - https://github.com/mttaggart/OffensiveNotion 
diff --git a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml index be5deb3f0ab..253b83470a9 100644 --- a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml +++ b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml @@ -1,6 +1,6 @@ title: Office Application Initiated Network Connection Over Uncommon Ports id: 3b5ba899-9842-4bc2-acc2-12308498bf42 -status: experimental +status: test description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports. references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml index bd6f1267860..5312bbe489c 100644 --- a/rules/windows/network_connection/net_connection_win_python.yml +++ b/rules/windows/network_connection/net_connection_win_python.yml @@ -1,6 +1,6 @@ title: Python Initiated Connection id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6 -status: experimental +status: test description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python diff --git a/rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml b/rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml index 33680cfd9a2..f590754e9fa 100644 --- a/rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml 
+++ b/rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml @@ -7,7 +7,7 @@ related: type: similar - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels type: similar -status: experimental +status: test description: | Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. references: diff --git a/rules/windows/network_connection/net_connection_win_susp_epmap.yml b/rules/windows/network_connection/net_connection_win_susp_epmap.yml index 6cff1bdea85..7f21a39286d 100644 --- a/rules/windows/network_connection/net_connection_win_susp_epmap.yml +++ b/rules/windows/network_connection/net_connection_win_susp_epmap.yml @@ -1,6 +1,6 @@ title: Suspicious Epmap Connection id: 628d7a0b-7b84-4466-8552-e6138bc03b43 -status: experimental +status: test description: Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC) references: - https://github.com/RiccardoAncarani/TaskShell/ diff --git a/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml b/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml index 30cada781d7..15595cf5fac 100644 --- a/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml +++ b/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml @@ -3,7 +3,7 @@ id: edf3485d-dac4-4d50-90e4-b0e5813f7e60 related: - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 type: derived -status: experimental +status: test description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity. references: - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md 
diff --git a/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml index ecaf81e8ed5..be4b853668a 100644 --- a/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml +++ b/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml @@ -1,6 +1,6 @@ title: Suspicious Non-Browser Network Communication With Google API id: 7e9cf7b6-e827-11ed-a05b-0242ac120003 -status: experimental +status: test description: | Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet) references: diff --git a/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml index c4c72a3e43a..2a97eba532c 100644 --- a/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml +++ b/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml @@ -1,6 +1,6 @@ title: Suspicious Non-Browser Network Communication With Telegram API id: c3dbbc9f-ef1d-470a-a90a-d343448d5875 -status: experimental +status: test description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2 references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf diff --git a/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml b/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml index 64c07283510..47d1f690af9 100644 --- a/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml +++ b/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml 
@@ -7,7 +7,7 @@ related: type: similar - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels type: similar -status: experimental +status: test description: | Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. references: diff --git a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml index cfe3b317c1d..1131b3efd03 100644 --- a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml +++ b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml @@ -1,6 +1,6 @@ title: Outbound Network Connection To Public IP Via Winlogon id: 7610a4ea-c06d-495f-a2ac-0a696abcfd3b -status: experimental +status: test description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ diff --git a/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml index cabee0abaac..ed43f7aa434 100644 --- a/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml +++ b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml @@ -1,6 +1,6 @@ title: Suspicious Wordpad Outbound Connections id: 786cdae8-fefb-4eb2-9227-04e34060db01 -status: experimental +status: test description: | Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms. 
diff --git a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml index 950af41ab7f..b681973b40c 100644 --- a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml @@ -1,6 +1,6 @@ title: HackTool - CoercedPotato Named Pipe Creation id: 4d0083b3-580b-40da-9bba-626c19fe4033 -status: experimental +status: test description: Detects the pattern of a pipe name as used by the hack tool CoercedPotato references: - https://blog.hackvens.fr/articles/CoercedPotato.html diff --git a/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml index f6017cdbd51..aa9a5eec263 100644 --- a/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml @@ -1,6 +1,6 @@ title: HackTool - DiagTrackEoP Default Named Pipe id: 1f7025a6-e747-4130-aac4-961eb47015f1 -status: experimental +status: test description: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege. references: - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22 diff --git a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml index 6cde19667ef..ad05a4ac20d 100644 --- a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml @@ -1,6 +1,6 @@ title: HackTool - EfsPotato Named Pipe Creation id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 -status: experimental +status: test description: Detects the pattern of a pipe name as used by the hack tool EfsPotato references: - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 
diff --git a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml index 3042597dffa..59a901f45ce 100644 --- a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml @@ -1,6 +1,6 @@ title: HackTool - Koh Default Named Pipe id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a -status: experimental +status: test description: Detects creation of default named pipes used by the Koh tool references: - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12 diff --git a/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml index 7835d408a9d..f0c2647aa12 100644 --- a/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml +++ b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml @@ -3,7 +3,7 @@ id: 41504465-5e3a-4a5b-a5b4-2a0baadd4463 related: - id: f3f3a972-f982-40ad-b63c-bca6afdfad7c type: derived -status: experimental +status: test description: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml index 2738c82cd10..128921e3113 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml 
@@ -3,7 +3,7 @@ id: ec19ebab-72dc-40e1-9728-4c0b805d722c related: - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2 type: similar -status: experimental +status: test description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md diff --git a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml index 73cd2f78e8c..c5b7cae9831 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml @@ -7,7 +7,7 @@ related: type: similar - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock type: similar -status: experimental +status: test description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml index 8180f26f907..58f21aee39d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml 
@@ -3,7 +3,7 @@ id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429 related: - id: b36d01a3-ddaf-4804-be18-18a6247adfcd type: similar -status: experimental +status: test description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. references: - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml index 1970394e349..7973d890ca6 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml @@ -3,7 +3,7 @@ id: fa2559c8-1197-471d-9cdd-05a0273d4522 related: - id: 92a974db-ab84-457f-9ec0-55db83d7a825 type: similar -status: experimental +status: test description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities references: - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml index d56143b141b..c33ca7f3638 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml @@ -1,6 +1,6 @@ title: Active Directory Computers Enumeration With Get-AdComputer id: 36bed6b2-e9a0-4fff-beeb-413a92b86138 -status: experimental +status: test description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory. references: - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml index ec9455f00fa..d36c06abbbc 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml @@ -1,6 +1,6 @@ title: Security Software Discovery Via Powershell Script id: 904e8e61-8edf-4350-b59c-b905fc8e810c -status: experimental +status: test description: | Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml index 9daa5f3ef44..60528cd72c7 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml @@ -3,7 +3,7 @@ id: 3245cd30-e015-40ff-a31d-5cadd5f377ec related: - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 type: similar -status: experimental +status: test description: Detects the execution of the hacktool Rubeus using specific command line flags references: - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml index 22994a2e658..4683f58e64a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml 
@@ -3,7 +3,7 @@ id: 851fd622-b675-4d26-b803-14bc7baa517a related: - id: d557dc06-62e8-4468-a8e8-7984124908ce type: similar -status: experimental +status: test description: | Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. author: Swachchhanda Shrawan Poudel diff --git a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml index 224cd89dd25..cccdd23f261 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml @@ -7,7 +7,7 @@ related: type: similar - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module type: similar -status: experimental +status: test description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml index 68f8133dd63..6e40bbde91c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml 
@@ -1,6 +1,6 @@ title: PowerShell Script With File Hostname Resolving Capabilities id: fbc5e92f-3044-4e73-a5c6-1c4359b539de -status: experimental +status: test description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries. references: - https://www.fortypoundhead.com/showcontent.asp?artid=24022 diff --git a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml index 47cd9c59d34..39880049471 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml @@ -1,6 +1,6 @@ title: PowerShell Script With File Upload Capabilities id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb -status: experimental +status: test description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml index 55bcb8aa40f..aca0db52632 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml @@ -7,7 +7,7 @@ related: type: derived - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High type: derived -status: experimental +status: test description: Detects PowerShell scripts set ACL to of a file or a folder references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml index 6dd1f808557..ff1923b702f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml @@ -7,7 +7,7 @@ related: type: derived - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low type: derived -status: experimental +status: test description: Detects PowerShell scripts to set the ACL to a file in the Windows folder references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml index f6f8e6cdceb..0fe3a0cdf80 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml @@ -3,7 +3,7 @@ id: 14c71865-6cd3-44ae-adaa-1db923fae5f2 related: - id: ec19ebab-72dc-40e1-9728-4c0b805d722c type: derived -status: experimental +status: test description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml index 96b56cccc8c..91e7f0c9a75 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml @@ -1,6 +1,6 @@ title: Veeam Backup Servers Credential Dumping Script Execution id: 976d6e6f-a04b-4900-9713-0134a353e38b -status: experimental +status: test description: Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials. references: - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/ diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml index db275c86fcc..f8547cc4191 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript id: e2812b49-bae0-4b21-b366-7c142eafcde2 -status: experimental +status: test description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script references: - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml index 20df8bdd808..51dd93bdc8b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml @@ -3,7 +3,7 @@ id: 03d83090-8cba-44a0-b02f-0b756a050306 related: - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702 type: similar -status: experimental +status: test description: Detects use of WinAPI functions in PowerShell scripts references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse 
diff --git a/rules/windows/process_access/proc_access_win_hktl_generic_access.yml b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml index fd21e20f157..705cda8dffc 100644 --- a/rules/windows/process_access/proc_access_win_hktl_generic_access.yml +++ b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml @@ -1,6 +1,6 @@ title: HackTool - Generic Process Access id: d0d2f720-d14f-448d-8242-51ff396a334e -status: experimental +status: test description: Detects process access requests from hacktool processes based on their default image name references: - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158 diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml index 20167f08d40..c2603e2bd5d 100755 --- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml @@ -1,6 +1,6 @@ title: Potential Credential Dumping Activity Via LSASS id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da -status: experimental +status: test description: | Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature. diff --git a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml index 979c02d93f0..4fe2f6d4d24 100644 --- a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml +++ b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml 
@@ -3,7 +3,7 @@ id: a18dd26b-6450-46de-8c91-9659150cf088 related: - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d type: similar -status: experimental +status: test description: Detects process access requests to LSASS process with potentially suspicious access flags references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights diff --git a/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml b/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml index 4308363af1c..5290882aab5 100644 --- a/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml +++ b/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml @@ -1,6 +1,6 @@ title: Potential Direct Syscall of NtOpenProcess id: 3f3f3506-1895-401b-9cc3-e86b16e630d0 -status: experimental +status: test description: Detects potential calls to NtOpenProcess directly from NTDLL. references: - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 diff --git a/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml index 13f56b61c52..996dfb6abfb 100644 --- a/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml +++ b/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml @@ -1,6 +1,6 @@ title: Potential NT API Stub Patching id: b916cba1-b38a-42da-9223-17114d846fd6 -status: experimental +status: test description: Detects potential NT API stub patching as seen used by the project PatchingAPI references: - https://github.com/D1rkMtr/UnhookingPatch diff --git a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml index 70612f8b656..24a958d6409 100644 
--- a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml +++ b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml @@ -3,7 +3,7 @@ id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 related: - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc type: derived -status: experimental +status: test description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml index 9fa881746a7..e1ff2063ddb 100644 --- a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml @@ -1,6 +1,6 @@ title: Suspicious AddinUtil.EXE CommandLine Execution id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8 -status: experimental +status: test description: | Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload. references: diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml index 9c767d7dd53..dbbe9071827 100644 --- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml 
@@ -1,6 +1,6 @@ title: Uncommon Child Process Of AddinUtil.EXE id: b5746143-59d6-4603-8d06-acbd60e166ee -status: experimental +status: test description: | Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload. references: diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml index 81addd83bca..3f07b90bfe3 100644 --- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml @@ -1,6 +1,6 @@ title: Uncommon AddinUtil.EXE CommandLine Execution id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a -status: experimental +status: test description: | Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload. references: diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml index 8ff2f9ba0a7..23bf8f40882 100644 --- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml @@ -1,6 +1,6 @@ title: AddinUtil.EXE Execution From Uncommon Directory id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348 -status: experimental +status: test description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html 
diff --git a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml index d7d2885b419..b8baf532dbd 100644 --- a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml +++ b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml @@ -1,6 +1,6 @@ title: Potential Adplus.EXE Abuse id: 2f869d59-7f6a-4931-992c-cce556ff2d53 -status: experimental +status: test description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/ diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml index ad09e3ef8d9..24ce16161ba 100644 --- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml @@ -7,7 +7,7 @@ related: type: similar - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec type: similar -status: experimental +status: test description: Detects potentially suspicious child processes of "aspnet_compiler.exe". references: - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml index ad5e3d071da..b886495a809 100644 --- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml +++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml 
@@ -7,7 +7,7 @@ related: type: similar - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec type: similar -status: experimental +status: test description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation. references: - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ diff --git a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml index fde7ab4d972..c81031d3f32 100644 --- a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml @@ -1,6 +1,6 @@ title: Indirect Inline Command Execution Via Bash.EXE id: 5edc2273-c26f-406c-83f3-f4d948e740dd -status: experimental +status: test description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash references: - https://lolbas-project.github.io/lolbas/Binaries/Bash/ diff --git a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml index 9b467f6d25a..609d6dc9d21 100644 --- a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml @@ -3,7 +3,7 @@ id: 2d22a514-e024-4428-9dba-41505bd63a5b related: - id: 5edc2273-c26f-406c-83f3-f4d948e740dd type: similar -status: experimental +status: test description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash references: - https://lolbas-project.github.io/lolbas/Binaries/Bash/ 
diff --git a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml index 9ab5dc95882..8570b2fa38a 100644 --- a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml @@ -3,7 +3,7 @@ id: 811f459f-9231-45d4-959a-0266c6311987 related: - id: aaf46cdc-934e-4284-b329-34aa701e3771 type: similar -status: experimental +status: test description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/ diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml index 6404a63a664..a77bda1ceae 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml @@ -1,6 +1,6 @@ title: Suspicious Download From File-Sharing Website Via Bitsadmin id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c -status: experimental +status: test description: Detects usage of bitsadmin downloading a file from a suspicious domain references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml index 40289c12059..d90c4f3d1e9 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml 
@@ -1,6 +1,6 @@ title: File With Suspicious Extension Downloaded Via Bitsadmin id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200 -status: experimental +status: test description: Detects usage of bitsadmin downloading a file with a suspicious extension references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml index 604c2fdd5c5..1938cbbd12d 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml @@ -1,6 +1,6 @@ title: File Download Via Bitsadmin To A Suspicious Target Folder id: 2ddef153-167b-4e89-86b6-757a9e65dcac -status: experimental +status: test description: Detects usage of bitsadmin downloading a file to a suspicious target folder references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml index 8319387bda8..6a09580e57c 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml @@ -3,7 +3,7 @@ id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21 related: - id: 27ba3207-dd30-4812-abbf-5d20c57d474e type: similar -status: experimental +status: test description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension references: - https://redcanary.com/blog/chromeloader/ 
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml index 418ae9f60bb..d1331368d0c 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml @@ -1,6 +1,6 @@ title: Chromium Browser Headless Execution To Mockbin Like Site id: 1c526788-0abe-4713-862f-b520da5e5316 -status: experimental +status: test description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data). references: - https://www.zscaler.com/blogs/security-research/steal-it-campaign diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml index 3fbed6e5eaf..f3a33096050 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml @@ -3,7 +3,7 @@ id: 27ba3207-dd30-4812-abbf-5d20c57d474e related: - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21 type: similar -status: experimental +status: test description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension references: - https://redcanary.com/blog/chromeloader/ diff --git a/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml index b0e8ea59898..fbeb2b500d0 100644 --- a/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml 
+++ b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml @@ -3,7 +3,7 @@ id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a related: - id: 70ad0861-d1fe-491c-a45f-fa48148a300d type: similar -status: experimental +status: test description: Detects when a user downloads a file from an IP based URL using CertOC.exe references: - https://lolbas-project.github.io/lolbas/Binaries/Certoc/ diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml index 854e18c7e23..353501dbfe2 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml @@ -5,7 +5,7 @@ related: type: similar - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download type: similar -status: experimental +status: test description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml index db283bb3197..8ea9c5d0376 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml 
@@ -3,7 +3,7 @@ id: ea0cdc3e-2239-4f26-a947-4e8f8224e464 related: - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a type: derived -status: experimental +status: test description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml index 56634768301..1c8dff03c8f 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml @@ -3,7 +3,7 @@ id: 82a6714f-4899-4f16-9c1e-9a333544d4c3 related: - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a type: derived -status: experimental +status: test description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml index 28cdd22c237..95e57fe5f76 100644 --- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml @@ -1,6 +1,6 @@ title: Console CodePage Lookup Via CHCP id: 7090adee-82e2-4269-bd59-80691e7c6338 -status: experimental +status: test description: Detects use of chcp to look up the system locale value as part of host discovery references: - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ 
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml index 5a7a1c1ff4c..b0a11e994d9 100644 --- a/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml @@ -1,6 +1,6 @@ title: Cloudflared Portable Execution id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd -status: experimental +status: test description: | Detects the execution of the "cloudflared" binary from a non standard location. references: diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml index 12305388ebc..455c6b4a15e 100644 --- a/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml @@ -5,7 +5,7 @@ related: type: similar - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 type: similar -status: experimental +status: test description: | Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml index 0d7fbad446f..a64fa397bd5 100644 --- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml +++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml 
@@ -1,6 +1,6 @@ title: Cloudflared Tunnel Connections Cleanup id: 7050bba1-1aed-454e-8f73-3f46f09ce56a -status: experimental +status: test description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections. references: - https://github.com/cloudflare/cloudflared diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml index 633b1069bbe..585eab19c0f 100644 --- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml +++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml @@ -1,6 +1,6 @@ title: Cloudflared Tunnel Execution id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 -status: experimental +status: test description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks. references: - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group diff --git a/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml b/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml index 9a3a7405ca6..1ca643dc6f6 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml @@ -1,6 +1,6 @@ title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE id: 044ba588-dff4-4918-9808-3f95e8160606 -status: experimental +status: test description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ 
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml index ce00f3e6ef3..fdde9d91f8a 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml @@ -1,6 +1,6 @@ title: Greedy File Deletion Using Del id: 204b17ae-4007-471b-917b-b917b315c5db -status: experimental +status: test description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence. references: - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml index ce960abcb8a..5da84fa4c41 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml @@ -1,6 +1,6 @@ title: Suspicious Ping/Copy Command Combination id: ded2b07a-d12f-4284-9b76-653e37b6c8b0 -status: experimental +status: test description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware. references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml index bf889c045e9..950d81370cd 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml 
@@ -5,7 +5,7 @@ related: type: derived - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a type: similar -status: experimental +status: test description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ diff --git a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml index f08878e392c..1555af7f49e 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml @@ -1,6 +1,6 @@ title: Unusual Parent Process For Cmd.EXE id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b -status: experimental +status: test description: Detects suspicious parent process for cmd.exe references: - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html diff --git a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml index 9b1a6c212bb..7937ed91d25 100644 --- a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml @@ -1,6 +1,6 @@ title: Uncommon Child Process Of Conhost.EXE id: 7dc2dedd-7603-461a-bc13-15803d132355 -status: experimental +status: test description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity. references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ diff --git a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml index 79b8865e5fd..a993af3f72c 100644 
--- a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml @@ -1,6 +1,6 @@ title: Potential Cookies Session Hijacking id: 5a6e1e16-07de-48d8-8aae-faa766c05e88 -status: experimental +status: test description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data. references: - https://curl.se/docs/manpage.html diff --git a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml index 3fe0a02c1d1..10da8a72133 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml @@ -1,6 +1,6 @@ title: Curl Web Request With Potential Custom User-Agent id: 85de1f22-d189-44e4-8239-dc276b45379b -status: experimental +status: test description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml index 89f690ac354..58e6052fec8 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml @@ -3,7 +3,7 @@ id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218 related: - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 type: similar -status: experimental +status: test description: Detects file downloads directly from IP address URL using curl.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers 
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml index 95bf8ca7aef..dd2190a9aae 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml @@ -1,6 +1,6 @@ title: Suspicious File Download From IP Via Curl.EXE id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 -status: experimental +status: test description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml index 0a7cdcc02f9..7f2aeea5985 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml @@ -1,6 +1,6 @@ title: Suspicious File Download From File Sharing Domain Via Curl.EXE id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb -status: experimental +status: test description: Detects potentially suspicious file download from file sharing domains using curl.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml index aa565216196..5069b28e086 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml 
@@ -1,6 +1,6 @@ title: Insecure Transfer Via Curl.EXE id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec -status: experimental +status: test description: Detects execution of "curl.exe" with the "--insecure" flag. references: - https://curl.se/docs/manpage.html diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml index 6ac10640b65..6082f5f5eca 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml @@ -1,6 +1,6 @@ title: Insecure Proxy/DOH Transfer Via Curl.EXE id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77 -status: experimental +status: test description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH. references: - https://curl.se/docs/manpage.html diff --git a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml index bc5e79d67b5..f9fefc3b6ad 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml @@ -1,6 +1,6 @@ title: Local File Read Using Curl.EXE id: aa6f6ea6-0676-40dd-b510-6e46f02d8867 -status: experimental +status: test description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files. references: - https://curl.se/docs/manpage.html diff --git a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml index da573abbb40..a801cacd0b7 100644 --- a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml 
@@ -1,6 +1,6 @@ title: Potentially Suspicious Child Process Of ClickOnce Application id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04 -status: experimental +status: test description: Detects potentially suspicious child processes of a ClickOnce deployment application references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml index c95f7c0dfe4..adf906fc507 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml @@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml index 34c9f9dbab6..6ca904192e9 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml 
@@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: | Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required. diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml index b78bfab516a..3d966f14a27 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml @@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ diff --git a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml index c6d0b7d62c7..09c74587a44 100644 --- a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml 
@@ -1,6 +1,6 @@ title: Dllhost.EXE Execution Anomaly id: e7888eb1-13b0-4616-bd99-4bc0c2b054b9 -status: experimental +status: test description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes. references: - https://redcanary.com/blog/child-processes/ diff --git a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml index 89c798b1c14..a1b8cd00795 100644 --- a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml @@ -1,6 +1,6 @@ title: Binary Proxy Execution Via Dotnet-Trace.EXE id: 9257c05b-4a4a-48e5-a670-b7b073cf401b -status: experimental +status: test description: Detects commandline arguments for executing a child process via dotnet-trace.exe references: - https://twitter.com/bohops/status/1740022869198037480 diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml index cfbc94e7f27..324f94a53eb 100644 --- a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml @@ -3,7 +3,7 @@ id: 9fc3072c-dc8f-4bf7-b231-18950000fadd related: - id: a20def93-0709-4eae-9bd2-31206e21e6b2 type: similar -status: experimental +status: test description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers references: - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml index ace3c60f07d..b64926ce257 100644 
--- a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml @@ -3,7 +3,7 @@ id: a20def93-0709-4eae-9bd2-31206e21e6b2 related: - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd type: similar -status: experimental +status: test description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers references: - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml index 5b2b0877011..4c370714e7d 100644 --- a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml @@ -1,6 +1,6 @@ title: DumpMinitool Execution id: dee0a7a3-f200-4112-a99b-952196d81e42 -status: experimental +status: test description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump" references: - https://twitter.com/mrd0x/status/1511415432888131586 diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml index c8fca0f7d6c..aff50762f35 100644 --- a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml @@ -1,6 +1,6 @@ title: Suspicious DumpMinitool Execution id: eb1c4225-1c23-4241-8dd4-051389fde4ce -status: experimental +status: test description: Detects suspicious ways to use the "DumpMinitool.exe" binary references: - https://twitter.com/mrd0x/status/1511415432888131586 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml index cef27141ca2..4f988f667c5 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_download.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml @@ -3,7 +3,7 @@ id: 587254ee-a24b-4335-b3cd-065c0f1f4baa related: - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f type: obsoletes -status: experimental +status: test description: | Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. references: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index 5941a31c969..d48a8f331e4 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml @@ -1,6 +1,6 @@ title: LSASS Process Reconnaissance Via Findstr.EXE id: fe63010f-8823-4864-a96b-a7b4a0f7b929 -status: experimental +status: test description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml index 3285947e8e9..7213f41330d 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml 
@@ -1,6 +1,6 @@ title: Permission Misconfiguration Reconnaissance Via Findstr.EXE id: 47e4bab7-c626-47dc-967b-255608c9a920 -status: experimental +status: test description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml index 1d30a9c23be..7de5e6a666f 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml @@ -3,7 +3,7 @@ id: ccb5742c-c248-4982-8c5c-5571b9275ad3 related: - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 type: derived -status: experimental +status: test description: | Detects the excution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this to extract specific information they require in their chain. references: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml index d4656b0d2fc..e9f3da04763 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml 
@@ -3,7 +3,7 @@ id: 4fe074b4-b833-4081-8f24-7dcfeca72b42 related: - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 type: derived -status: experimental +status: test description: | Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter. diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml index 5a6705ab7ee..576508e5fcd 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml @@ -3,7 +3,7 @@ id: 04936b66-3915-43ad-a8e5-809eadfd1141 related: - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f type: obsoletes -status: experimental +status: test description: | Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. references: diff --git a/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml index 7054dfbcb6c..58381a72bd3 100644 --- a/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml +++ b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml 
@@ -1,6 +1,6 @@ title: Forfiles.EXE Child Process Masquerading id: f53714ec-5077-420e-ad20-907ff9bb2958 -status: experimental +status: test description: | Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory. references: diff --git a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml index 89b970ea392..4163f3cdb7e 100644 --- a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml @@ -3,7 +3,7 @@ id: 84b1ecf9-6eff-4004-bafb-bae5c0e251b2 related: - id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc type: derived -status: experimental +status: test description: Detects potentially suspicious child processes of "GoogleUpdate.exe" references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml index 7f1f207da48..53ce96a32ce 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml @@ -1,6 +1,6 @@ title: File Decryption Using Gpg4win id: 037dcd71-33a8-4392-bb01-293c94663e5a -status: experimental +status: test description: Detects usage of Gpg4win to decrypt files references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml index 4b692d985f1..9366d857c7b 100644 
--- a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml @@ -1,6 +1,6 @@ title: File Encryption Using Gpg4win id: 550bbb84-ce5d-4e61-84ad-e590f0024dcd -status: experimental +status: test description: Detects usage of Gpg4win to encrypt files references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml index 1dbc87389db..1a0b74c07a0 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml @@ -1,6 +1,6 @@ title: Portable Gpg.EXE Execution id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41 -status: experimental +status: test description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data. references: - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml index c2384841393..fe700842659 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml @@ -1,6 +1,6 @@ title: File Encryption/Decryption Via Gpg4win From Suspicious Locations id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d -status: experimental +status: test description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations. references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html 
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml index ce18c5800c9..44c767e74ad 100644 --- a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml @@ -1,6 +1,6 @@ title: Remote CHM File Download/Execution Via HH.EXE id: f57c58b3-ee69-4ef5-9041-455bf39aaa89 -status: experimental +status: test description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files. references: - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certify.yml b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml index 66f07058763..84a39e8dd30 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_certify.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml @@ -1,6 +1,6 @@ title: HackTool - Certify Execution id: 762f2482-ff21-4970-8939-0aa317a886bb -status: experimental +status: test description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments. references: - https://github.com/GhostPack/Certify diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml index 5fca2ce7189..caec8a5de72 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml 
@@ -1,6 +1,6 @@ title: HackTool - Certipy Execution id: 6938366d-8954-4ddc-baff-c830b3ba8fcd -status: experimental +status: test description: Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments. references: - https://github.com/ly4k/Certipy diff --git a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml index 3bc54475a79..56b9c88013e 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml @@ -1,6 +1,6 @@ title: HackTool - CoercedPotato Execution id: e8d34729-86a4-4140-adfd-0a29c2106307 -status: experimental +status: test description: Detects the use of CoercedPotato, a tool for privilege escalation references: - https://github.com/hackvens/CoercedPotato diff --git a/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml b/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml index ed84c742657..a3a3547da72 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml @@ -1,6 +1,6 @@ title: HackTool - EDRSilencer Execution id: eb2d07d4-49cb-4523-801a-da002df36602 -status: experimental +status: test description: | Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information. references: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml index eafe3b8e3d3..027eb41a6e6 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml 
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml @@ -1,6 +1,6 @@ title: HackTool - SharpMove Tool Execution id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d -status: experimental +status: test description: | Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options. references: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml index 1e2c088a370..bd889915fe5 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml @@ -1,6 +1,6 @@ title: HackTool - Stracciatella Execution id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539 -status: experimental +status: test description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics. references: - https://github.com/mgeeky/Stracciatella diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml index b71d35ca7dd..2075f4ae83b 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml @@ -3,7 +3,7 @@ id: d557dc06-62e8-4468-a8e8-7984124908ce related: - id: 851fd622-b675-4d26-b803-14bc7baa517a type: similar -status: experimental +status: test description: | Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. author: Swachchhanda Shrawan Poudel 
diff --git a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml index 52264203ade..96f92213c10 100644 --- a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml @@ -1,6 +1,6 @@ title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location id: b2b048b0-7857-4380-b0fb-d3f0ab820b71 -status: experimental +status: test description: | Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors. diff --git a/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml index b1865c6cb8b..0e87ea45ff7 100644 --- a/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml +++ b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml @@ -3,7 +3,7 @@ id: 863218bd-c7d0-4c52-80cd-0a96c09f54af related: - id: 8d7e392e-9b28-49e1-831d-5949c6281228 type: derived -status: experimental +status: test description: Detects usage of "IMEWDBLD.exe" to download arbitrary files references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download diff --git a/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml index d9029e28239..ea60e620f0a 100644 --- a/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml 
@@ -1,6 +1,6 @@ title: Suspicious Child Process Of Manage Engine ServiceDesk id: cea2b7ea-792b-405f-95a1-b903ea06458f -status: experimental +status: test description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service references: - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/ diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml index 76637ef15c9..bd4b1284460 100644 --- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml @@ -3,7 +3,7 @@ id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d related: - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 type: similar -status: experimental +status: test description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) references: - https://www.lunasec.io/docs/blog/log4j-zero-day/ diff --git a/rules/windows/process_creation/proc_creation_win_kd_execution.yml b/rules/windows/process_creation/proc_creation_win_kd_execution.yml index 6196c0846ba..e9476b6a45e 100644 --- a/rules/windows/process_creation/proc_creation_win_kd_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_kd_execution.yml @@ -1,6 +1,6 @@ title: Windows Kernel Debugger Execution id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e -status: experimental +status: test description: Detects execution of the Windows Kernel Debugger "kd.exe". references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml index 44ab5aaf403..216d599c982 100644 --- a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml 
+++ b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml @@ -1,6 +1,6 @@ title: Rebuild Performance Counter Values Via Lodctr.EXE id: cc9d3712-6310-4320-b2df-7cb408274d53 -status: experimental +status: test description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. references: - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml index 208bbcd9111..36d81aad8ca 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml @@ -1,6 +1,6 @@ title: Gpscript Execution id: 1e59c230-6670-45bf-83b0-98903780607e -status: experimental +status: test description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy references: - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ diff --git a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml index 77eedc78148..ad226cb9e86 100644 --- a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml 
@@ -1,6 +1,6 @@ title: Potential Mftrace.EXE Abuse id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e -status: experimental +status: test description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/ diff --git a/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml b/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml index 39590a6ad32..9b614031155 100644 --- a/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml +++ b/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml @@ -3,7 +3,7 @@ id: 12fbff88-16b5-4b42-9754-cd001a789fb3 related: - id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e type: derived -status: experimental +status: test description: | Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware. diff --git a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml index d1c6e2f0068..b8a80266171 100644 --- a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml @@ -1,6 +1,6 @@ title: Potential Suspicious Mofcomp Execution id: 1dd05363-104e-4b4a-b963-196a534b03a1 -status: experimental +status: test description: | Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. 
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml index 9d898c2822e..f52b0cd9d29 100644 --- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml +++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml @@ -3,7 +3,7 @@ id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 related: - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc type: similar -status: experimental +status: test description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool diff --git a/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml index c3368ab67cc..d2c6b46075b 100644 --- a/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml +++ b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml @@ -1,6 +1,6 @@ title: Arbitrary File Download Via MSEDGE_PROXY.EXE id: e84d89c4-f544-41ca-a6af-4b92fd38b023 -status: experimental +status: test description: Detects usage of "msedge_proxy.exe" to download arbitrary files references: - https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/ diff --git a/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml b/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml index 4d24a13ae30..590edb8d363 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml 
@@ -1,6 +1,6 @@ title: Wscript Shell Run In CommandLine id: 2c28c248-7f50-417a-9186-a85b223010ee -status: experimental +status: test description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity references: - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html diff --git a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml index 384920f5e15..8b5fcb0cea9 100644 --- a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml @@ -3,7 +3,7 @@ id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445 related: - id: 344482e4-a477-436c-aa70-7536d18a48c7 type: obsoletes -status: experimental +status: test description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml index ca24ec639b3..6b1139af9f2 100644 --- a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml @@ -3,7 +3,7 @@ id: d55b793d-f847-4eea-b59a-5ab09908ac90 related: - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445 type: similar -status: experimental +status: test description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection. references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers 
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml index 42b946752de..f3bcbfeeb4e 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml @@ -1,6 +1,6 @@ title: Mstsc.EXE Execution With Local RDP File id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af -status: experimental +status: test description: Detects potential RDP connection via Mstsc using a local ".rdp" file references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml index f1baf59d25e..0b064545d4f 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml @@ -1,6 +1,6 @@ title: Suspicious Mstsc.EXE Execution With Local RDP File id: 6e22722b-dfb1-4508-a911-49ac840b40f8 -status: experimental +status: test description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml index 9a48f8a1596..cb1c7ff8d59 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml 
@@ -1,6 +1,6 @@ title: Mstsc.EXE Execution From Uncommon Parent id: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6 -status: experimental +status: test description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ diff --git a/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml index 8a0af8241dd..14e2bb95e34 100644 --- a/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml @@ -1,6 +1,6 @@ title: Remote XSL Execution Via Msxsl.EXE id: 75d0a94e-6252-448d-a7be-d953dff527bb -status: experimental +status: test description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml index 181b37f2fe5..b352bf0463b 100644 --- a/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml +++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml @@ -1,6 +1,6 @@ title: Windows Internet Hosted WebDav Share Mount Via Net.EXE id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0 -status: experimental +status: test description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view 
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml index 1fe4dff9bac..ec7f321d364 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml @@ -1,6 +1,6 @@ title: Firewall Configuration Discovery Via Netsh.EXE id: 0e4164da-94bc-450d-a7be-a4b176179f1f -status: experimental +status: test description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml index 87209a5ad14..21a46d9cee6 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml @@ -3,7 +3,7 @@ id: 3f5491e2-8db8-496b-9e95-1029fce852d4 related: - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729 type: similar -status: experimental +status: test description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs. references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml index 301b8671331..0cc790e45eb 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml 
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml @@ -3,7 +3,7 @@ id: cb0fe7c5-f3a3-484d-aa25-d350a7912729 related: - id: 3f5491e2-8db8-496b-9e95-1029fce852d4 type: derived -status: experimental +status: test description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method. references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml index 8ec5dee90e7..04cd26a89cd 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml @@ -1,6 +1,6 @@ title: Odbcconf.EXE Suspicious DLL Location id: 6b65c28e-11f3-46cb-902a-68f2cafaf474 -status: experimental +status: test description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml index 48340151f01..3e49b8e2975 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml 
@@ -3,7 +3,7 @@ id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 related: - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 type: similar -status: experimental +status: test description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml index 0440dd860af..37973aa0b86 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml @@ -3,7 +3,7 @@ id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 related: - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 type: derived -status: experimental +status: test description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml index e212750eef1..6f5416ea95c 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e type: obsoletes -status: experimental +status: test description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml index a853b9c7098..b49b496dec6 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml @@ -5,7 +5,7 @@ related: type: derived - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e type: obsoletes -status: experimental +status: test description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml index cf2b81b8f77..7259f168abc 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml @@ -1,6 +1,6 @@ title: Uncommon Child Process Spawned By Odbcconf.EXE id: 8e3c7994-131e-4ba5-b6ea-804d49113a26 -status: experimental +status: test description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 
diff --git a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml index 8f093751a20..d903fa06b39 100644 --- a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml +++ b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml @@ -3,7 +3,7 @@ id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed related: - id: 0c79148b-118e-472b-bdb7-9b57b444cc19 type: obsoletes -status: experimental +status: test description: Detects potential arbitrary file download using a Microsoft Office application references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/ diff --git a/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml index a6b29db2175..32440250f75 100644 --- a/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml +++ b/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml @@ -1,6 +1,6 @@ title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp id: 551d9c1f-816c-445b-a7a6-7a3864720d60 -status: experimental +status: test description: | Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. references: diff --git a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml index a8b2a2338ce..8f6cc5458dc 100644 --- a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml 
@@ -1,6 +1,6 @@ title: Potentially Suspicious Office Document Executed From Trusted Location id: f99abdf0-6283-4e71-bd2b-b5c048a94743 -status: experimental +status: test description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code. references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml index 7767ae28327..473f05fa149 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml @@ -3,7 +3,7 @@ id: b36d01a3-ddaf-4804-be18-18a6247adfcd related: - id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429 type: similar -status: experimental +status: test description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. references: - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml index e751c0e37de..2efc33ed96f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml 
@@ -3,7 +3,7 @@ id: 92a974db-ab84-457f-9ec0-55db83d7a825 related: - id: fa2559c8-1197-471d-9cdd-05a0273d4522 type: similar -status: experimental +status: test description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities references: - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml index 8ed2e5dc43c..06beed98a58 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml @@ -1,6 +1,6 @@ title: Assembly Loading Via CL_LoadAssembly.ps1 id: c57872c7-614f-4d7f-a40d-b78c8df2d30d -status: experimental +status: test description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls. references: - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml index f1a55bf3ff9..7fb441be922 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml 
@@ -1,6 +1,6 @@ title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d -status: experimental +status: test description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands references: - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml index d4a23895abd..73b6325c78d 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml @@ -1,6 +1,6 @@ title: PowerShell Execution With Potential Decryption Capabilities id: 434c08ba-8406-4d15-8b24-782cb071a691 -status: experimental +status: test description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware. references: - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml index a792c5e754d..e129a0565af 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml @@ -1,6 +1,6 @@ title: PowerShell Download and Execution Cradles id: 85b0b087-eddf-4a2b-b033-d771fa2b9775 -status: experimental +status: test description: Detects PowerShell download and execution cradles. references: - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml index 0ad8ddbc4a5..9f158a8ba81 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml @@ -3,7 +3,7 @@ id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb related: - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c type: similar -status: experimental +status: test description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines. references: - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml index 96e512c03e2..1ba2ad95114 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml @@ -1,6 +1,6 @@ title: Suspicious Invoke-WebRequest Execution With DirectIP id: 1edff897-9146-48d2-9066-52e8d8f80a2f -status: experimental +status: test description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access references: - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml index bf6cc03c811..f9604ea97e0 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml 
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml @@ -3,7 +3,7 @@ id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc related: - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 type: derived -status: experimental +status: test description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ diff --git a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml index 0c74b947205..948d9ae80af 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml @@ -5,7 +5,7 @@ related: type: derived - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c type: similar -status: experimental +status: test description: Detects Commandlet names from well-known PowerShell exploitation frameworks references: - https://adsecurity.org/?p=2921 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml index 62b0471b5f5..dbf7baf8eee 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious PowerShell Child Processes id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647 -status: experimental +status: test description: Detects potentially suspicious child processes spawned by PowerShell references: - https://twitter.com/ankit_anubhav/status/1518835408502620162 
diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml index b0307ffde0d..a13ba06b803 100644 --- a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml @@ -7,7 +7,7 @@ related: type: similar - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry type: similar -status: experimental +status: test description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml index b0d6a0d3ef4..9c01e150268 100644 --- a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml @@ -7,7 +7,7 @@ related: type: similar - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry type: similar -status: experimental +status: test description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ diff --git a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml index dde52fca85b..5af7f9b90aa 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml 
@@ -1,6 +1,6 @@ title: PUA - Crassus Execution id: 2c32b543-1058-4808-91c6-5b31b8bed6c5 -status: experimental +status: test description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics. references: - https://github.com/vu-ls/Crassus diff --git a/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml b/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml index 47e79e61075..06c2117b7a1 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml @@ -3,7 +3,7 @@ id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c related: - id: b37998de-a70b-4f33-b219-ec36bf433dc0 type: derived -status: experimental +status: test description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level. references: - https://github.com/vletoux/pingcastle diff --git a/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml b/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml index bad28cede13..a704b482c31 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml @@ -3,7 +3,7 @@ id: b37998de-a70b-4f33-b219-ec36bf433dc0 related: - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c type: derived -status: experimental +status: test description: | Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location. references: diff --git a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml index 394c8a241de..04ddf2bde6e 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml 
+++ b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml @@ -3,7 +3,7 @@ id: 811e0002-b13b-4a15-9d00-a613fce66e42 related: - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a type: similar -status: experimental +status: test description: | Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. diff --git a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml index ebe83fdc672..3aaa59f44c5 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml @@ -3,7 +3,7 @@ id: 5722dff1-4bdd-4949-86ab-fbaf707e767a related: - id: 811e0002-b13b-4a15-9d00-a613fce66e42 type: similar -status: experimental +status: test description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations references: - https://github.com/winsiderss/systeminformer diff --git a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml index e564b321303..a5d329af575 100644 --- a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml +++ b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml @@ -1,6 +1,6 @@ title: Suspicious Greedy Compression Using Rar.EXE id: afe52666-401e-4a02-b4ff-5d128990b8cb -status: experimental +status: test description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes references: - https://decoded.avast.io/martinchlumecky/png-steganography 
diff --git a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml index 9bf476f1e9e..d8081a95775 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml @@ -3,7 +3,7 @@ id: 8cbc9475-8d05-4e27-9c32-df960716c701 related: - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae type: similar -status: experimental +status: test description: | Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image. diff --git a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml index ca933be8387..c0887bc7d13 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml @@ -1,6 +1,6 @@ title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE id: 452bce90-6fb0-43cc-97a5-affc283139b3 -status: experimental +status: test description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ diff --git a/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml index 100bbf7440c..0a8231ab477 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml 
+++ b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml @@ -3,7 +3,7 @@ id: 10344bb3-7f65-46c2-b915-2d00d47be5b0 related: - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 type: similar -status: experimental +status: test description: | Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. references: diff --git a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml index 2d3ca3f40a7..dd6ed188311 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml @@ -3,7 +3,7 @@ id: 21d856f9-9281-4ded-9377-51a1a6e2a432 related: - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 type: derived -status: experimental +status: test description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence references: - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html diff --git a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml index 9c6e44ecca5..761f9f9d8cd 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml 
@@ -7,7 +7,7 @@ related: type: similar - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry type: similar -status: experimental +status: test description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml index d07d11d61eb..397ae87bcd9 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Regsvr32 HTTP IP Pattern id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8 -status: experimental +status: test description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. references: - https://twitter.com/mrd0x/status/1461041276514623491 diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml index 4f27725b4e4..2a99c64e6cd 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml @@ -3,7 +3,7 @@ id: 867356ee-9352-41c9-a8f2-1be690d78216 related: - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d type: obsoletes -status: experimental +status: test description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers. references: - https://twitter.com/mrd0x/status/1461041276514623491 diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml index b2d1a88fc9d..27463a9d971 100644 
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml @@ -3,7 +3,7 @@ id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca related: - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d type: obsoletes -status: experimental +status: test description: Detects potentially suspicious child processes of "regsvr32.exe". references: - https://redcanary.com/blog/intelligence-insights-april-2022/ diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml index f3417695657..75dcf5b0a21 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml @@ -3,7 +3,7 @@ id: 9525dc73-0327-438c-8c04-13c0e037e9da related: - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d type: obsoletes -status: experimental +status: test description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location. references: - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml index fe7c1501991..7cf9cc245d8 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml @@ -1,6 +1,6 @@ title: Regsvr32 Execution From Highly Suspicious Location id: 327ff235-94eb-4f06-b9de-aaee571324be -status: experimental +status: test description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations references: - Internal Research 
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml index 851256ec488..30f7c594b67 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml @@ -3,7 +3,7 @@ id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e related: - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d type: obsoletes -status: experimental +status: test description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files references: - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml index d0d5927f069..ccd0f9a82d5 100644 --- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml @@ -3,7 +3,7 @@ id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22 related: - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d type: obsoletes -status: experimental +status: test description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance. references: - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml index 4d59ef141e8..830aa19a347 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml 
@@ -1,6 +1,6 @@ title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate id: 41f407b5-3096-44ea-a74f-96d04fbc41be -status: experimental +status: test description: | Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml index 31b2dbf2574..660ab10caf1 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - ScreenConnect Remote Command Execution id: b1f73849-6329-4069-bc8f-78a604bb8b23 -status: experimental +status: test description: Detects the execution of a system command via the ScreenConnect RMM service. references: - https://github.com/SigmaHQ/sigma/pull/4467 diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml index 1e509d4011a..2d9869469d7 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml @@ -1,6 +1,6 @@ title: Renamed AutoIt Execution id: f4264e47-f522-4c38-a420-04525d5b880f -status: experimental +status: test description: | Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. 
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml b/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml index ed52ec7a261..33ac22de638 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml @@ -1,6 +1,6 @@ title: Renamed Cloudflared.EXE Execution id: e0c69ebd-b54f-4aed-8ae3-e3467843f3f0 -status: experimental +status: test description: Detects the execution of a renamed "cloudflared" binary. references: - https://github.com/cloudflare/cloudflared/releases diff --git a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml index 4690f440adb..2cea5034a03 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml @@ -1,6 +1,6 @@ title: Renamed CURL.EXE Execution id: 7530cd3d-7671-43e3-b209-976966f6ea48 -status: experimental +status: test description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields references: - https://twitter.com/Kostastsale/status/1700965142828290260 diff --git a/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml index bf29e2ae341..08b10c7459f 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml @@ -1,6 +1,6 @@ title: Renamed Gpg.EXE Execution id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592 -status: experimental +status: test description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data. references: - https://securelist.com/locked-out/68960/ 
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml b/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml index 00d3989d232..1a2967a2552 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml @@ -1,6 +1,6 @@ title: Renamed PingCastle Binary Execution id: 2433a154-bb3d-42e4-86c3-a26bdac91c45 -status: experimental +status: test description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields. references: - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml index 023daafc86b..811448ab2b6 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml @@ -1,6 +1,6 @@ title: Suspicious Advpack Call Via Rundll32.EXE id: a1473adb-5338-4a20-b4c3-126763e2d3d3 -status: experimental +status: test description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function references: - https://twitter.com/Hexacorn/status/1224848930795552769 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml index 3d1c2d569de..39893387247 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml 
@@ -1,6 +1,6 @@ title: Rundll32 Execution Without CommandLine Parameters id: 1775e15e-b61b-4d14-a1a3-80981298085a -status: experimental +status: test description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity references: - https://www.cobaltstrike.com/help-opsec diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml index 3f65c881960..3209b188dd0 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml @@ -1,6 +1,6 @@ title: Potential Obfuscated Ordinal Call Via Rundll32 id: 43fa5350-db63-4b8f-9a01-789a427074e1 -status: experimental +status: test description: Detects execution of "rundll32" with potential obfuscated ordinal calls references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index 05d1f3f4a6c..ed28458bb19 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml @@ -1,6 +1,6 @@ title: Rundll32 Spawned Via Explorer.EXE id: 1723e720-616d-4ddc-ab02-f7e3685a4713 -status: experimental +status: test description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary. references: - https://redcanary.com/blog/raspberry-robin/ diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml index 38f3a68df2a..cdec3852b05 100644 
--- a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml @@ -1,6 +1,6 @@ title: Potential ShellDispatch.DLL Functionality Abuse id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9 -status: experimental +status: test description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute" references: - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml index 8725e532d05..8e477b7f476 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml @@ -1,6 +1,6 @@ title: Rundll32 Execution With Uncommon DLL Extension id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf -status: experimental +status: test description: Detects the execution of rundll32 with a command line that doesn't contain a common extension references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml index fc312f152eb..610c2e6f2e0 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml 
@@ -1,6 +1,6 @@ title: Suspicious WebDav Client Execution Via Rundll32.EXE id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555 -status: experimental +status: test description: | Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397 references: diff --git a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml index 565e70fbe28..29f68ce94f6 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml @@ -1,6 +1,6 @@ title: Interesting Service Enumeration Via Sc.EXE id: e83e8899-c9b2-483b-b355-5decc942b959 -status: experimental +status: test description: | Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors. diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml index cab01e54852..b1593ceb899 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml @@ -3,7 +3,7 @@ id: 81325ce1-be01-4250-944f-b4789644556f related: - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline type: derived -status: experimental +status: test description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware references: - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/ 
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml index 9a3e9a0a2ed..d2bea93c3f9 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml @@ -3,7 +3,7 @@ id: 86588b36-c6d3-465f-9cee-8f9093e07798 related: - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 type: derived -status: experimental +status: test description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell. references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml index c99b4e9a91b..5efda8a852d 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml @@ -1,6 +1,6 @@ title: Suspicious Scheduled Task Creation via Masqueraded XML File id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c -status: experimental +status: test description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence references: - https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml index 34371191361..f9c18e1777a 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml 
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml @@ -1,6 +1,6 @@ title: Suspicious Command Patterns In Scheduled Task Creation id: f2c64357-b1d2-41b7-849f-34d2682c0fad -status: experimental +status: test description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands references: - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/ diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml index 9e7d9d330a4..0364b432985 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml @@ -1,6 +1,6 @@ title: Schtasks Creation Or Modification With SYSTEM Privileges id: 89ca78fd-b37c-4310-b3d3-81a023f83936 -status: experimental +status: test description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges references: - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern diff --git a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml index 993df932ee6..991912bbd5a 100644 --- a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml @@ -1,6 +1,6 @@ title: Uncommon Child Processes Of SndVol.exe id: ba42babc-0666-4393-a4f7-ceaf5a69191e -status: experimental +status: test description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer) references: - https://twitter.com/Max_Mal_/status/1661322732456353792 
diff --git a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml index f6fc2cd6f99..694df291501 100644 --- a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml @@ -1,6 +1,6 @@ title: Veeam Backup Database Suspicious Query id: 696bfb54-227e-4602-ac5b-30d9d2053312 -status: experimental +status: test description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information. references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_download.yml b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml index f12306af17c..d6807d501ec 100644 --- a/rules/windows/process_creation/proc_creation_win_squirrel_download.yml +++ b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml @@ -5,7 +5,7 @@ related: type: similar - id: fa4b21c9-0057-4493-b289-2556416ae4d7 type: obsoletes -status: experimental +status: test description: | Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) references: diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml index 706757b4ca3..65031980305 100644 --- a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: fa4b21c9-0057-4493-b289-2556416ae4d7 type: obsoletes -status: experimental +status: test description: | Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) references: diff --git a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml index 6d5fbdb84a1..72dd4ffded9 100644 --- a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml +++ b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml @@ -1,6 +1,6 @@ title: Port Forwarding Activity Via SSH.EXE id: 327f48c1-a6db-4eb8-875a-f6981f1b0183 -status: experimental +status: test description: Detects port forwarding activity via SSH.exe references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ diff --git a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml index 9756c4c0042..c10b673d119 100644 --- a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml @@ -1,6 +1,6 @@ title: Potential Amazon SSM Agent Hijacking id: d20ee2f4-822c-4827-9e15-41500b1fff10 -status: experimental +status: test description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. references: - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan diff --git a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml index 72ef4268797..eb0cd776317 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Windows App Activity id: f91ed517-a6ba-471d-9910-b3b4a398c0f3 -status: experimental +status: test description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution references: - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 07a9efd1170..8eba22f706f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml @@ -3,7 +3,7 @@ id: a7c3d773-caef-227e-a7e7-c2f13c622329 related: - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add type: obsoletes -status: experimental +status: test description: | Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml index 645d0b0d6e9..3ce4b2cb29d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml 
@@ -3,7 +3,7 @@ id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b related: - id: fc028194-969d-4122-8abe-0470d5b8f12f type: derived -status: experimental +status: test description: | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml index 294c3b99dde..49fb0c5537e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml @@ -3,7 +3,7 @@ id: f5d19838-41b5-476c-98d8-ba8af4929ee2 related: - id: fff9d2b7-e11c-4a69-93d3-40ef66189767 type: derived -status: experimental +status: test description: | Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations. references: diff --git a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml index f56bb811e0c..d9a4141405c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml @@ -1,6 +1,6 @@ title: Potential Data Exfiltration Activity Via CommandLine Tools id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab -status: experimental +status: test description: Detects the use of various CLI utilities exfiltrating data via web requests references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml index 7c94d76b5d4..6d5b7f6bf56 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml @@ -3,7 +3,7 @@ id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 related: - id: 378a05d8-963c-46c9-bcce-13c7657eac99 type: similar -status: experimental +status: test description: | Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule) references: diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml index ef096ea1cac..d6493ffb2b7 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml @@ -3,7 +3,7 @@ id: 378a05d8-963c-46c9-bcce-13c7657eac99 related: - id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 type: similar -status: experimental +status: test description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary. references: - https://positive.security/blog/ms-officecmd-rce diff --git a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml index ef9da018271..f4fee9ceec8 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml @@ -3,7 +3,7 @@ id: 178e615d-e666-498b-9630-9ed363038101 related: - id: 61065c72-5d7d-44ef-bf41-6a36684b545f type: similar -status: experimental +status: test description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location. references: - https://github.com/Wh04m1001/SysmonEoP diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml index 2f5d69fbd88..fd2b3a3ad55 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml @@ -3,7 +3,7 @@ id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf related: - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f type: derived -status: experimental +status: test description: | Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc. diff --git a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml index f7e821ad2dd..443e795cc5b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml 
@@ -3,7 +3,7 @@ id: 0900463c-b33b-49a8-be1d-552a3b553dae related: - id: a8f866e1-bdd4-425e-a27a-37619238d9c7 type: similar -status: experimental +status: test description: | Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe" references: diff --git a/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml b/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml index dae5610c1d2..06788d19cae 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml @@ -1,6 +1,6 @@ title: Potential Homoglyph Attack Using Lookalike Characters id: 32e280f1-8ad4-46ef-9e80-910657611fbc -status: experimental +status: test description: | Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that diff --git a/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml index 98220bde896..2de20c405aa 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml 
@@ -3,7 +3,7 @@ id: 180c7c5c-d64b-4a63-86e9-68910451bc8b related: - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a type: derived -status: experimental +status: test description: | Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\" diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml index 6e01e7f5d9c..77227a25013 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml @@ -1,6 +1,6 @@ title: Execution of Suspicious File Type Extension id: c09dad97-1c78-4f71-b127-7edb2b8e491a -status: experimental +status: test description: | Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment. diff --git a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml index 7fef7623c6f..cbd83ab9f82 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml 
@@ -3,7 +3,7 @@ id: caf201a9-c2ce-4a26-9c3a-2b9525413711 related: - id: e2812b49-bae0-4b21-b366-7c142eafcde2 type: similar -status: experimental +status: test description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script references: - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml index cb59f01fabd..2256975f81e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml @@ -3,7 +3,7 @@ id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b related: - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 type: similar -status: experimental +status: test description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ diff --git a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml index 6b0cba323fc..9cac44c2147 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml @@ -1,6 +1,6 @@ title: Obfuscated IP Via CLI id: 56d19cb4-6414-4769-9644-1ed35ffbb148 -status: experimental +status: test description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line references: - https://h.43z.one/ipconverter/ 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml index 214c2a20c5e..ffa6402da05 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml @@ -3,7 +3,7 @@ id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 related: - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca type: derived -status: experimental +status: test description: Detects process execution from a fake recycle bin folder, often used to avoid security solution. references: - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index 8628cf7b7e4..98d3f570a16 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml @@ -7,7 +7,7 @@ related: type: obsoletes - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b type: obsoletes -status: experimental +status: test description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts references: - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml index 5af203cdbfa..f273a2082b6 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml @@ -1,6 +1,6 @@ title: System File Execution Location Anomaly id: e4a6b256-3e47-40fc-89d2-7a477edd6915 -status: experimental +status: test description: Detects a Windows program executable started from a suspicious folder references: - https://twitter.com/GelosSnake/status/934900723426439170 diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml index aff51dc1e55..3f5b5531501 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml @@ -1,6 +1,6 @@ title: Potential Memory Dumping Activity Via LiveKD id: a85f7765-698a-4088-afa0-ecfbf8d01fa4 -status: experimental +status: test description: Detects execution of LiveKD based on PE metadata or image name references: - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml index 2ed92160ffa..7cb9d7b1f4e 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml @@ -1,6 +1,6 @@ title: Kernel Memory Dump Via LiveKD id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2 -status: experimental +status: test description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory references: - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd 
diff --git a/rules/windows/process_creation/proc_creation_win_tar_compression.yml b/rules/windows/process_creation/proc_creation_win_tar_compression.yml index 873f9fc8607..2a9dd55c4b4 100644 --- a/rules/windows/process_creation/proc_creation_win_tar_compression.yml +++ b/rules/windows/process_creation/proc_creation_win_tar_compression.yml @@ -1,6 +1,6 @@ title: Compressed File Creation Via Tar.EXE id: 418a3163-3247-4b7b-9933-dcfcb7c52ea9 -status: experimental +status: test description: | Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. diff --git a/rules/windows/process_creation/proc_creation_win_tar_extraction.yml b/rules/windows/process_creation/proc_creation_win_tar_extraction.yml index d9135d1b724..ceadf7f765a 100644 --- a/rules/windows/process_creation/proc_creation_win_tar_extraction.yml +++ b/rules/windows/process_creation/proc_creation_win_tar_extraction.yml @@ -1,6 +1,6 @@ title: Compressed File Extraction Via Tar.EXE id: bf361876-6620-407a-812f-bfe11e51e924 -status: experimental +status: test description: | Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection. diff --git a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml index ba84150d26b..17a3ff8d809 100644 --- a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml +++ b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml 
@@ -1,6 +1,6 @@ title: Loaded Module Enumeration Via Tasklist.EXE id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f -status: experimental +status: test description: | Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml index 8cda14f9e73..a33c231a1f4 100644 --- a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml +++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Command Targeting Teams Sensitive Files id: d2eb17db-1d39-41dc-b57f-301f6512fa75 -status: experimental +status: test description: | Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts. diff --git a/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml index 21165f1691a..78fb7387ad8 100644 --- a/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml +++ b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml 
@@ -1,6 +1,6 @@ title: New Virtual Smart Card Created Via TpmVscMgr.EXE id: c633622e-cab9-4eaa-bb13-66a1d68b3e47 -status: experimental +status: test description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card. references: - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml index 89dcaf75f3a..2a2c1446123 100644 --- a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml @@ -3,7 +3,7 @@ id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d related: - id: 236d8e89-ed95-4789-a982-36f4643738ba type: derived -status: experimental +status: test description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml index af3330d57cc..65225d628bf 100644 --- a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml 
@@ -3,7 +3,7 @@ id: 236d8e89-ed95-4789-a982-36f4643738ba related: - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d type: derived -status: experimental +status: test description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ diff --git a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml index 49b1ea77895..bc3751e4ec8 100644 --- a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml @@ -1,6 +1,6 @@ title: VMToolsd Suspicious Child Process id: 5687f942-867b-4578-ade7-1e341c46e99a -status: experimental +status: test description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ diff --git a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml index 19360242f74..25e09bf7b23 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml 
@@ -1,6 +1,6 @@ title: Potentially Suspicious Child Process Of VsCode id: 5a3164f2-b373-4152-93cf-090b13c12d27 -status: experimental +status: test description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles. references: - https://twitter.com/nas_bench/status/1618021838407495681 diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml index e3607a306f9..bc67db31d05 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml @@ -1,6 +1,6 @@ title: Visual Studio Code Tunnel Execution id: 90d6bd71-dffb-4989-8d86-a827fedd6624 -status: experimental +status: test description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml index 177d912b9a1..058656265d9 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml @@ -1,6 +1,6 @@ title: Visual Studio Code Tunnel Shell Execution id: f4a623c2-4ef5-4c33-b811-0642f702c9f1 -status: experimental +status: test description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ 
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml index da5704365c3..bf46de2ab8c 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml @@ -1,6 +1,6 @@ title: Renamed Visual Studio Code Tunnel Execution id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da -status: experimental +status: test description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml index 8026d5d8d86..ccbab199b8f 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml @@ -1,6 +1,6 @@ title: Visual Studio Code Tunnel Service Installation id: 30bf1789-379d-4fdc-900f-55cd0a90a801 -status: experimental +status: test description: Detects the installation of VsCode tunnel (code-tunnel) as a service. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ diff --git a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml index c3716f59a96..0eb26551840 100644 --- a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml +++ b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml 
@@ -1,6 +1,6 @@ title: Potential Binary Proxy Execution Via VSDiagnostics.EXE id: ac1c92b4-ac81-405a-9978-4604d78cc47e -status: experimental +status: test description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries. references: - https://twitter.com/0xBoku/status/1679200664013135872 diff --git a/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml b/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml index cb1caed52e6..991c86b7762 100644 --- a/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml @@ -3,7 +3,7 @@ id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe related: - id: f0507c0f-a3a2-40f5-acc6-7f543c334993 type: similar -status: experimental +status: test description: Detects possible execution via LNK file accessed on a WebDAV server. references: - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html diff --git a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml index e0e058805a7..53acd9cfb71 100644 --- a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml @@ -3,7 +3,7 @@ id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd related: - id: 0cf2e1c6-8d10-4273-8059-738778f981ad type: derived -status: experimental +status: test description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow references: - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html 
diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml index 31fc12b12d8..1e8d6a6f0c5 100644 --- a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml @@ -3,7 +3,7 @@ id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e related: - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 type: similar -status: experimental +status: test description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process references: - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml index c8490ba9ee6..1f6f63ff445 100644 --- a/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml +++ b/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml @@ -3,7 +3,7 @@ id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 related: - id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e type: similar -status: experimental +status: test description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location. references: - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml index 05195a8178d..f1ec536beb7 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml 
@@ -1,6 +1,6 @@ title: Suspicious File Download From IP Via Wget.EXE id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35 -status: experimental +status: test description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe references: - https://www.gnu.org/software/wget/manual/wget.html diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml index 005aef2c940..ded5dbe6cdf 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml @@ -1,6 +1,6 @@ title: Suspicious File Download From File Sharing Domain Via Wget.EXE id: a0d7e4d2-bede-4141-8896-bc6e237e977c -status: experimental +status: test description: Detects potentially suspicious file downloads from file sharing domains using wget.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers diff --git a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml index f851592fb96..9d70e63cbcf 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml @@ -1,6 +1,6 @@ title: Enumerate All Information With Whoami.EXE id: c248c896-e412-4279-8c15-1c558067b6fa -status: experimental +status: test description: Detects the execution of "whoami.exe" with the "/all" flag references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ 
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml index ca3d55e499d..c9a19b3b3ef 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml @@ -3,7 +3,7 @@ id: 79ce34ca-af29-4d0e-b832-fc1b377020db related: - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1 type: obsoletes -status: experimental +status: test description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment diff --git a/rules/windows/process_creation/proc_creation_win_whoami_output.yml b/rules/windows/process_creation/proc_creation_win_whoami_output.yml index 2d74a28c74f..a2b6b882636 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_output.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_output.yml @@ -1,6 +1,6 @@ title: Whoami.EXE Execution With Output Option id: c30fb093-1109-4dc8-88a8-b30d11c95a5d -status: experimental +status: test description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use. references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ diff --git a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml index ccdd36a49bb..29f567afc77 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml 
@@ -1,6 +1,6 @@ title: Whoami.EXE Execution Anomaly id: 8de1cbe8-d6f5-496d-8237-5f44a721c7a0 -status: experimental +status: test description: Detects the execution of whoami.exe with suspicious parent processes. references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml index f590025cc26..4efffd1d2ed 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml @@ -5,7 +5,7 @@ related: type: similar - id: c15a46a0-07d4-4c87-b4b6-89207835a83b type: similar -status: experimental +status: test description: Detects usage of winget to add new additional download sources references: - https://learn.microsoft.com/en-us/windows/package-manager/winget/source diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml index 3eff20d90b9..33e3ddd4bbb 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml @@ -5,7 +5,7 @@ related: type: similar - id: c15a46a0-07d4-4c87-b4b6-89207835a83b type: similar -status: experimental +status: test description: | Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos) diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml index c1ac79f6754..e5e295eb47a 100644 
--- a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml @@ -5,7 +5,7 @@ related: type: similar - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 type: similar -status: experimental +status: test description: Detects usage of winget to add new potentially suspicious download sources references: - https://learn.microsoft.com/en-us/windows/package-manager/winget/source diff --git a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml index ce25c5c2015..9ffd2a92461 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml @@ -1,6 +1,6 @@ title: Install New Package Via Winget Local Manifest id: 313d6012-51a0-4d93-8dfc-de8553239e25 -status: experimental +status: test description: | Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. diff --git a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml index 13783e8cd28..fa562799e67 100644 --- a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml +++ b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml 
@@ -3,7 +3,7 @@ id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc related: - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 type: similar -status: experimental +status: test description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ diff --git a/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml index 076f4a9f988..da37d2210aa 100644 --- a/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml @@ -3,7 +3,7 @@ id: 146aace8-9bd6-42ba-be7a-0070d8027b76 related: - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 type: similar -status: experimental +status: test description: Detects potentially suspicious child processes of WinRAR.exe. references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml index de18684dca9..0c36479fd43 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml @@ -3,7 +3,7 @@ id: 9d5a1274-922a-49d0-87f3-8c653483b909 related: - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e type: derived -status: experimental +status: test description: | Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, 
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml index 5126343f1eb..b3d54f81abf 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml @@ -5,7 +5,7 @@ related: type: similar - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae type: similar -status: experimental +status: test description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts references: - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml index 0100dffb16b..565dc932416 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml @@ -3,7 +3,7 @@ id: c79da740-5030-45ec-a2e0-479e824a562c related: - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e type: similar -status: experimental +status: test description: | An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the `wmic` command-line utility and has been diff --git a/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml index 26ee602fa51..8dd0fe238a8 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml 
@@ -3,7 +3,7 @@ id: 49d9671b-0a0a-4c09-8280-d215bfd30662 related: - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products type: derived -status: experimental +status: test description: Detects calls to the "terminate" function via wmic in order to kill an application references: - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/ diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml index 91f3d93f2c6..22f3c4b4d20 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml @@ -3,7 +3,7 @@ id: cea72823-df4d-4567-950c-0b579eaf0846 related: - id: 1e33157c-53b1-41ad-bbcc-780b80b58288 type: similar -status: experimental +status: test description: Detects wscript/cscript executions of scripts located in user directories references: - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml index aefacd9afad..11a2811f395 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml @@ -1,6 +1,6 @@ title: Cscript/Wscript Potentially Suspicious Child Process id: b6676963-0353-4f88-90f5-36c20d443c6a -status: experimental +status: test description: | Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others. 
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml index e790dde4544..5f25f325917 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml @@ -1,6 +1,6 @@ title: Cscript/Wscript Uncommon Script Extension Execution id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee -status: experimental +status: test description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml index 4a0f186e31e..65491ff776b 100644 --- a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml +++ b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml @@ -3,7 +3,7 @@ id: 2267fe65-0681-42ad-9a6d-46553d3f3480 related: - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule type: derived -status: experimental +status: test description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ diff --git a/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml b/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml index a095bb9900b..5b90d7bb7da 100644 --- a/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml 
@@ -1,6 +1,6 @@ title: Wusa.EXE Executed By Parent Process Located In Suspicious Location id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99 -status: experimental +status: test description: | Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. references: diff --git a/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml index d1c2be162ee..9e679f60aad 100644 --- a/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml +++ b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml @@ -1,6 +1,6 @@ title: Potential Process Hollowing Activity id: c4b890e5-8d8c-4496-8c66-c805753817cd -status: experimental +status: test description: Detects when a memory process image does not match the disk image, indicative of process hollowing. references: - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20 diff --git a/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml b/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml index 900365dd141..a0876aaf209 100644 --- a/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml +++ b/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml @@ -1,6 +1,6 @@ title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback id: 4d431012-2ab5-4db7-a84e-b29809da2172 -status: experimental +status: test description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship. references: - https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista 
diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml index af8f2b071e3..c92fcc2539e 100644 --- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml +++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml @@ -1,6 +1,6 @@ title: Registry Persistence via Service in Safe Mode id: 1547e27c-3974-43e2-a7d7-7f484fb928ec -status: experimental +status: test description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml index 379c0ce4d2c..de1103d8b73 100644 --- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml +++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml @@ -1,6 +1,6 @@ title: Add Port Monitor Persistence in Registry id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e -status: experimental +status: test description: | Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. diff --git a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml index 64316504627..3e5e31cba92 100644 --- a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml 
@@ -1,6 +1,6 @@ title: Add Debugger Entry To AeDebug For Persistence id: 092af964-4233-4373-b4ba-d86ea2890288 -status: experimental +status: test description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes references: - https://persistence-info.github.io/Data/aedebug.html diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml index 7348e6e3fad..3eda2311854 100644 --- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml +++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml @@ -1,6 +1,6 @@ title: Allow RDP Remote Assistance Feature id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b -status: experimental +status: test description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md diff --git a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml index 4fe68b3d3a6..c78f4fe4eb0 100644 --- a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml +++ b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml 
@@ -1,6 +1,6 @@ title: Potential AMSI COM Server Hijacking id: 160d2780-31f7-4922-8b3a-efce30e63e96 -status: experimental +status: test description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless references: - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml index 09b521472b5..f4c3a6e8a12 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml @@ -3,7 +3,7 @@ id: 9df5f547-c86a-433e-b533-f2794357e242 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml index 8266a28d503..7dccae04bd3 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml 
@@ -3,7 +3,7 @@ id: f59c3faf-50f3-464b-9f4c-1b67ab512d99 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml index 44c64026a8e..d30b50a8a75 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml @@ -3,7 +3,7 @@ id: f674e36a-4b91-431e-8aef-f8a96c2aca35 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index d71a8ae380a..decacbab88e 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml 
@@ -3,7 +3,7 @@ id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml index 02b8cd40d6f..b7a665399f4 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml @@ -3,7 +3,7 @@ id: cbf93e5d-ca6c-4722-8bea-e9119007c248 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml index a20da226862..be13624af19 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml 
@@ -3,7 +3,7 @@ id: baecf8fb-edbf-429f-9ade-31fc3f22b970 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index 87310ceba94..cdb28f29052 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml @@ -3,7 +3,7 @@ id: b29aed60-ebd1-442b-9cb5-16a1d0324adb related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml index 796cf174f77..4249f5e19b7 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml 
@@ -3,7 +3,7 @@ id: 480421f9-417f-4d3b-9552-fd2728443ec8 related: - id: 17f878b8-9968-4578-b814-c4217fc5768c type: obsoletes -status: experimental +status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml index a94e9bf5b5d..fb87c2fca27 100644 --- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml +++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml @@ -1,6 +1,6 @@ title: New BgInfo.EXE Custom DB Path Registry Configuration id: 53330955-dc52-487f-a3a2-da24dcff99b5 -status: experimental +status: test description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information. references: - Internal Research diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml index 692590c376a..49defb4a9f1 100644 --- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml +++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml @@ -3,7 +3,7 @@ id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3 related: - id: cd277474-5c52-4423-a52b-ac2d7969902f type: similar -status: experimental +status: test description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe" references: - Internal Research 
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml index 1ee4681fd0b..f3469c63fee 100644 --- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml +++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml @@ -3,7 +3,7 @@ id: cd277474-5c52-4423-a52b-ac2d7969902f related: - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3 type: similar -status: experimental +status: test description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe" references: - Internal Research diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml index 28b518ee340..1566e450ffc 100644 --- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml +++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml @@ -1,6 +1,6 @@ title: Bypass UAC Using Event Viewer id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af -status: experimental +status: test description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ diff --git a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml index a82e61629ab..ad9043c6e7b 100644 --- a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml +++ b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml 
@@ -3,7 +3,7 @@ id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393 related: - id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 type: derived -status: experimental +status: test description: Hides the file extension through modification of the registry references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone diff --git a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml index 50fff15fd47..f032c0a3736 100644 --- a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml +++ b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml @@ -1,6 +1,6 @@ title: Disable Sysmon Event Logging Via Registry id: 4916a35e-bfc4-47d0-8e25-a003d7067061 -status: experimental +status: test description: Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot. references: - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650 diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml index af15ebe1edf..048fa7ace07 100644 --- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml +++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml @@ -1,6 +1,6 @@ title: Change Winevt Event Access Permission Via Registry id: 7d9263bd-dc47-4a58-bc92-5474abab390c -status: experimental +status: test description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel references: - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/ 
diff --git a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml index 95ce42d104b..d04bfa4f3a3 100644 --- a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml +++ b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml @@ -1,6 +1,6 @@ title: ClickOnce Trust Prompt Tampering id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb -status: experimental +status: test description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml index e1f315009cc..a7c710e5be0 100644 --- a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml @@ -1,6 +1,6 @@ title: CrashControl CrashDump Disabled id: 2ff692c2-4594-41ec-8fcb-46587de769e0 -status: experimental +status: test description: Detects disabling the CrashDump per registry (as used by HermeticWiper) references: - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml index 6da8b9abd56..6ab02f4c16a 100644 --- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml 
@@ -3,7 +3,7 @@ id: a07f0359-4c90-4dc4-a681-8ffea40b4f47 related: - id: c0abc838-36b0-47c9-b3b3-a90c39455382 type: obsoletes -status: experimental +status: test description: Detect the creation of a service with a service binary located in a suspicious directory references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml index a4b9e0f9d71..c5941e0dfa3 100644 --- a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml @@ -1,6 +1,6 @@ title: Service Binary in Uncommon Folder id: 277dc340-0540-42e7-8efb-5ff460045e07 -status: experimental +status: test description: Detect the creation of a service with a service binary located in a uncommon directory references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md diff --git a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml index 5dfc8b5f455..17190aee47c 100644 --- a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml +++ b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml 
@@ -1,6 +1,6 @@ title: Custom File Open Handler Executes PowerShell id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc -status: experimental +status: test description: Detects the abuse of custom file open handler, executing powershell references: - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728 diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml index 4982a1573b4..6ca04e90e11 100644 --- a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml @@ -1,6 +1,6 @@ title: Potential Registry Persistence Attempt Via DbgManagedDebugger id: 9827ae57-3802-418f-994b-d5ecf5cd974b -status: experimental +status: test description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes references: - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ diff --git a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml index e64ed2fe0f6..b8affc9187e 100644 --- a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml +++ b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml @@ -3,7 +3,7 @@ id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae related: - id: 8cbc9475-8d05-4e27-9c32-df960716c701 type: similar -status: experimental +status: test description: | Detects regsitry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image. 
diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml index 3f4a02e52f6..3798d82077e 100644 --- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml @@ -1,6 +1,6 @@ title: Hypervisor Enforced Code Integrity Disabled id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a -status: experimental +status: test description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel references: - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/ diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml index aa8567d3bf5..a40b5f8410f 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml @@ -1,6 +1,6 @@ title: Potential AutoLogger Sessions Tampering id: f37b4bce-49d0-4087-9f5b-58bffda77316 -status: experimental +status: test description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml index 88a0ca6686e..dc97b94f0c7 100644 
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml @@ -1,6 +1,6 @@ title: Disable Internal Tools or Feature in Registry id: e2482f8d-3443-4237-b906-cc145d87a076 -status: experimental +status: test description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md diff --git a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml index 3502ab28e5c..8208a430d20 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml @@ -1,7 +1,7 @@ title: Disable Macro Runtime Scan Scope id: ab871450-37dc-4a3a-997f-6662aa8ae0f1 description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros -status: experimental +status: test date: 2022/10/25 modified: 2023/08/17 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml index 9a11da231c1..652eb65dfd1 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml 
@@ -1,6 +1,6 @@ title: Disable Privacy Settings Experience in Registry id: 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b -status: experimental +status: test description: Detects registry modifications that disable Privacy Settings Experience references: - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml index f0231eca820..2f2abbbd1cf 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml @@ -1,6 +1,6 @@ title: Disable Windows Security Center Notifications id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6 -status: experimental +status: test description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml index 54434474ff5..d002b7a5ae5 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml @@ -1,6 +1,6 @@ title: Registry Disable System Restore id: 5de03871-5d46-4539-a82d-3aa992a69a83 -status: experimental +status: test description: Detects the modification of the registry to disable a system restore on the computer references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry 
diff --git a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml index 23ed376e407..ac7987ba8a6 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml @@ -1,6 +1,6 @@ title: Disable UAC Using Registry id: 48437c39-9e5f-47fb-af95-3d663c3f2919 -status: experimental +status: test description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml index 22bd8681847..cf9b9969c22 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml @@ -1,6 +1,6 @@ title: Windows Defender Service Disabled id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a -status: experimental +status: test description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml index 1ac85cc6d27..7a36346450e 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml 
@@ -1,6 +1,6 @@ title: Disable Windows Firewall by Registry id: e78c408a-e2ea-43cd-b5ea-51975cf358c0 -status: experimental +status: test description: Detect set EnableFirewall to 0 to disable the Windows firewall references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 6c760ba5f22..55748eb93b0 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -1,6 +1,6 @@ title: Disable Windows Event Logging Via Registry id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 -status: experimental +status: test description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 diff --git a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml index 781e6a9a4c9..cbf4d6474ef 100644 --- a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml +++ b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml @@ -1,6 +1,6 @@ title: Disable Exploit Guard Network Protection on Windows Defender id: bf9e1387-b040-4393-9851-1598f8ecfae9 -status: experimental +status: test description: Detects disabling Windows Defender Exploit Guard Network Protection references: - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html 
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml index 0f8f898567c..d6ed06a3389 100644 --- a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml +++ b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml @@ -1,6 +1,6 @@ title: Disabled Windows Defender Eventlog id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157 -status: experimental +status: test description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections references: - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2 diff --git a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml index 5e221c7ebc5..edae0b44863 100644 --- a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml +++ b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml @@ -1,6 +1,6 @@ title: Disable PUA Protection on Windows Defender id: 8ffc5407-52e3-478f-9596-0a7371eafe13 -status: experimental +status: test description: Detects disabling Windows Defender PUA protection references: - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html diff --git a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml index 318153dd3db..ab8b138eb5f 100644 --- a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml 
+++ b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml @@ -1,6 +1,6 @@ title: Disable Tamper Protection on Windows Defender id: 93d298a1-d28f-47f1-a468-d971e7796679 -status: experimental +status: test description: Detects disabling Windows Defender Tamper Protection references: - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml index 3a1f3119253..7f209fa3f23 100644 --- a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml +++ b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml @@ -1,6 +1,6 @@ title: Add DisallowRun Execution to Registry id: 275641a5-a492-45e2-a817-7c81e9d9d3e9 -status: experimental +status: test description: Detect set DisallowRun to 1 to prevent user running specific computer program references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md diff --git a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml index a20d1d63925..ccc7551f5b6 100644 --- a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml @@ -1,6 +1,6 @@ title: Persistence Via Disk Cleanup Handler - Autorun id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc -status: experimental +status: test description: | Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. 
diff --git a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml index ca032002d17..85c35451d0c 100644 --- a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml +++ b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml @@ -5,7 +5,7 @@ related: type: derived - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573 type: derived -status: experimental +status: test description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 diff --git a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml index f5bbeafbdd1..4357c02879a 100644 --- a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml +++ b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml @@ -1,6 +1,6 @@ title: Scripted Diagnostics Turn Off Check Enabled - Registry id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86 -status: experimental +status: test description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability references: - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw diff --git a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml index 9f564a05efe..d5fa767e55f 100644 --- a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml 
@@ -1,6 +1,6 @@ title: Potential EventLog File Location Tampering id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459 -status: experimental +status: test description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting references: - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key diff --git a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml index 0d10a533b95..ba3932f2c74 100644 --- a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml +++ b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml @@ -1,6 +1,6 @@ title: Suspicious Application Allowed Through Exploit Guard id: 42205c73-75c8-4a63-9db1-e3782e06fda0 -status: experimental +status: test description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings references: - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ diff --git a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml index eb1d4c3e8f3..401a14e51bf 100644 --- a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml 
@@ -1,6 +1,6 @@ title: Add Debugger Entry To Hangs Key For Persistence id: 833ef470-fa01-4631-a79b-6f291c9ac498 -status: experimental +status: test description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes references: - https://persistence-info.github.io/Data/wer_debugger.html diff --git a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml index 57ce7ac0b5b..633e83856ca 100644 --- a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml @@ -1,6 +1,6 @@ title: Persistence Via Hhctrl.ocx id: f10ed525-97fe-4fed-be7c-2feecca941b1 -status: experimental +status: test description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary references: - https://persistence-info.github.io/Data/hhctrl.html diff --git a/rules/windows/registry/registry_set/registry_set_hide_file.yml b/rules/windows/registry/registry_set/registry_set_hide_file.yml index f0ef3461329..6d2ceb0c306 100644 --- a/rules/windows/registry/registry_set/registry_set_hide_file.yml +++ b/rules/windows/registry/registry_set/registry_set_hide_file.yml @@ -1,6 +1,6 @@ title: Modification of Explorer Hidden Keys id: 5a5152f1-463f-436b-b2f5-8eceb3964b42 -status: experimental +status: test description: Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry 
diff --git a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml index b86d129786b..76c1c3232b6 100644 --- a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml @@ -5,7 +5,7 @@ related: type: similar - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec type: similar -status: experimental +status: test description: | Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique) diff --git a/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml index 19d7840bd8a..fcb619000b7 100644 --- a/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml +++ b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml @@ -3,7 +3,7 @@ id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 related: - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0 type: similar -status: experimental +status: test description: | Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. references: diff --git a/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml b/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml index 8d8b5e9469f..3f0fa900c7e 100644 
--- a/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml +++ b/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml @@ -3,7 +3,7 @@ id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1 related: - id: 9d8f9bb8-01af-4e15-a3a2-349071530530 type: derived -status: experimental +status: test description: | Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. diff --git a/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml b/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml index 83f6c752e75..7cd82b5aaa0 100644 --- a/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml +++ b/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml @@ -3,7 +3,7 @@ id: 9d8f9bb8-01af-4e15-a3a2-349071530530 related: - id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1 type: derived -status: experimental +status: test description: | Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. diff --git a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml index c79aa73e298..e0297e85699 100644 --- a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml 
+++ b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml @@ -1,6 +1,6 @@ title: New Root or CA or AuthRoot Certificate to Store id: d223b46b-5621-4037-88fe-fda32eead684 -status: experimental +status: test description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store diff --git a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml index 0f6af474145..219d8230b36 100644 --- a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml +++ b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml @@ -1,6 +1,6 @@ title: Internet Explorer DisableFirstRunCustomize Enabled id: ab567429-1dfb-4674-b6d2-979fd2f9d125 -status: experimental +status: test description: | Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows. references: diff --git a/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml index 2ab2dd1b5bd..9a8cb300b5a 100644 --- a/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml +++ b/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml 
@@ -1,6 +1,6 @@ title: Potential Ransomware Activity Using LegalNotice Message id: 8b9606c9-28be-4a38-b146-0e313cc232c1 -status: experimental +status: test description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md diff --git a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml index acefd0a6b0f..a00b28cab11 100644 --- a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml +++ b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml @@ -1,6 +1,6 @@ title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d -status: experimental +status: test description: | Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json diff --git a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml index df75d08f2a6..28b17cb00af 100644 --- a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml +++ b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml 
@@ -3,7 +3,7 @@ id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 related: - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation type: similar -status: experimental +status: test description: | Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml index a6f8760091e..5ec29f14783 100644 --- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml +++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml @@ -1,6 +1,6 @@ title: Lsass Full Dump Request Via DumpType Registry Settings id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719 -status: experimental +status: test description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS. references: - https://github.com/deepinstinct/Lsass-Shtinkering diff --git a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml index 0a0a23d9193..c3dbad96fdf 100644 --- a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml +++ b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml @@ -3,7 +3,7 @@ id: 42f0e038-767e-4b85-9d96-2c6335bad0b5 related: - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 type: derived -status: experimental +status: test description: Detects javaw.exe in AppData folder as used by Adwind / JRAT references: - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 
diff --git a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml index e3942261aa6..2f8b0c8af9f 100644 --- a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml +++ b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml @@ -3,7 +3,7 @@ id: 92b0b372-a939-44ed-a11b-5136cf680e27 related: - id: c3198a27-23a0-4c2c-af19-e5328d49680e type: derived -status: experimental +status: test description: Attempts to detect system changes made by Blue Mockingbird references: - https://redcanary.com/blog/blue-mockingbird-cryptominer/ diff --git a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml index 42e6ac51d49..bf347afaf4f 100644 --- a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml +++ b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml @@ -1,6 +1,6 @@ title: NET NGenAssemblyUsageLog Registry Key Tamper id: 28036918-04d3-423d-91c0-55ecf99fb892 -status: experimental +status: test description: | Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). diff --git a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml index f6fa8daf7c4..66a8be9eb24 100644 --- a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml +++ b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: c90362e0-2df3-4e61-94fe-b37615814cb1 type: similar -status: experimental +status: test description: | Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper references: diff --git a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml index 61c0586bc77..b7fad722651 100644 --- a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml @@ -5,7 +5,7 @@ related: type: similar - id: e7b18879-676e-4a0e-ae18-27039185a8e7 type: similar -status: experimental +status: test description: | Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper references: diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml index 2e1fb51b396..0da51be40c5 100644 --- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml +++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml @@ -3,7 +3,7 @@ id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 related: - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 type: similar -status: experimental +status: test description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it references: - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade 
diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml index e17cb3267df..5194a35d429 100644 --- a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml +++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml @@ -1,6 +1,6 @@ title: New ODBC Driver Registered id: 3390fbef-c98d-4bdd-a863-d65ed7c610dd -status: experimental +status: test description: Detects the registration of a new ODBC driver. references: - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml index 4de12f53003..b40cb96248e 100644 --- a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml +++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious ODBC Driver Registered id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4 -status: experimental +status: test description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location references: - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml index e0ebb00103c..919485c555e 100644 --- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml +++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting id: 396ae3eb-4174-4b9b-880e-dc0364d78a19 -status: experimental +status: test description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53 diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml index e41e49e1fd9..cba1062f071 100644 --- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml +++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml @@ -5,7 +5,7 @@ related: type: similar - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation type: similar -status: experimental +status: test description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros references: - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048 diff --git a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml index e6f2dd451fe..ebcc2a7cb68 100644 --- a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml +++ b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml 
@@ -3,7 +3,7 @@ id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd related: - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2 type: derived -status: experimental +status: test description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location references: - https://twitter.com/inversecos/status/1494174785621819397 diff --git a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml index 917eaffdd61..c0f7b532125 100644 --- a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml +++ b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml @@ -3,7 +3,7 @@ id: f742bde7-9528-42e5-bd82-84f51a8387d2 related: - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac type: derived -status: experimental +status: test description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions. references: - Internal Research diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml index a9bed453b32..1194b14c95c 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via AppCompat RegisterAppRestart Layer id: b86852fb-4c77-48f9-8519-eb1b2c308b59 -status: experimental +status: test description: | Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml index b6ffaa73218..311b5a788c2 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via App Paths Default Property id: 707e097c-e20f-4f67-8807-1f72ff4500d6 -status: experimental +status: test description: | Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. diff --git a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml index cb5a0260a99..4c7af534f55 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml @@ -1,6 +1,6 @@ title: Potential Persistence Using DebugPath id: df4dc653-1029-47ba-8231-3c44238cc0ae -status: experimental +status: test description: Detects potential persistence using Appx DebugPath references: - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/ 
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml index 6489943cd2b..9403fb0c822 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via AutodialDLL id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3 -status: experimental +status: test description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library references: - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_chm.yml b/rules/windows/registry/registry_set/registry_set_persistence_chm.yml index 7bb5afdb685..63480e3104f 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_chm.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_chm.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via CHM Helper DLL id: 976dd1f2-a484-45ec-aa1d-0e87e882262b -status: experimental +status: test description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence references: - https://persistence-info.github.io/Data/htmlhelpauthor.html diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml index b1b6c4c57c3..91f333fefdf 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via COM Hijacking From Suspicious Locations id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77 -status: experimental +status: test description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unsuale location references: - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) diff --git a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml index b1561e6ac9e..078b977cbf8 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml @@ -1,6 +1,6 @@ title: Potential PSFactoryBuffer COM Hijacking id: 243380fa-11eb-4141-af92-e14925e77c1b -status: experimental +status: test description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL. references: - https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine diff --git a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml index 5090b01265d..5cd432a87bd 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via Custom Protocol Handler id: fdbf0b9d-0182-4c43-893b-a1eaab92d085 -status: experimental +status: test description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism. references: - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml index 20a89a75d6d..70108639d40 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml @@ -1,6 +1,6 @@ title: Modification of IE Registry Settings id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 -status: experimental +status: test description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml index 68943d718db..eeb47876fe9 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml 
@@ -1,6 +1,6 @@ title: Register New IFiltre For Persistence id: b23818c7-e575-4d13-8012-332075ec0a2b -status: experimental +status: test description: Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files references: - https://persistence-info.github.io/Data/ifilters.html diff --git a/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml b/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml index 1c7656f5225..26c034ce8ae 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via LSA Extensions id: 41f6531d-af6e-4c6e-918f-b946f2b85a36 -status: experimental +status: test description: | Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading. diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml b/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml index 801240e4dbd..7155db954e0 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via Mpnotify id: 92772523-d9c1-4c93-9547-b0ca500baba3 -status: experimental +status: test description: Detects when an attacker register a new SIP provider for persistence and defense evasion references: - https://persistence-info.github.io/Data/mpnotify.html diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml index 37ed60e828d..dc70710ade6 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via MyComputer Registry Keys id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06 -status: experimental +status: test description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example) references: - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml b/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml index bd6dd1aad79..55b80796bd6 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via DLLPathOverride id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8 -status: experimental +status: test description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process references: - https://persistence-info.github.io/Data/naturallanguage6.html 
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml index 94dc3ffc2cc..f6a5ec1fce0 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Visual Studio Tools for Office id: 9d15044a-7cfe-4d23-8085-6ebc11df7685 -status: experimental +status: test description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications. references: - https://twitter.com/_vivami/status/1347925307643355138 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml index 60812a0d404..c98cf92c712 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Outlook Home Page id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76 -status: experimental +status: test description: Detects potential persistence activity via outlook home pages. references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml index af9b7f01a79..66ebe5debc2 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via Outlook Today Pages id: 487bb375-12ef-41f6-baae-c6a1572b4dd1 -status: experimental +status: test description: Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl". references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml index 791736e4365..0be6813dbf2 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml @@ -3,7 +3,7 @@ id: 0cf2e1c6-8d10-4273-8059-738778f981ad related: - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd type: derived -status: experimental +status: test description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence. references: - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html diff --git a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml index 5ed42f59429..013622adfde 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Scrobj.dll COM Hijacking id: fe20dda1-6f37-4379-bbe0-a98d400cae90 -status: experimental +status: test description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md 
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index f33bacadc52..9f0efd19884 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via COM Search Order Hijacking id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12 -status: experimental +status: test description: Detects potential COM object hijacking leveraging the COM Search Order references: - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml index 2fa819da2bf..a533eeae8b6 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Shim Database Modification id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45 -status: experimental +status: test description: | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml index b844fc617fa..ccbf3bcfbb4 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml 
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml @@ -1,6 +1,6 @@ title: Suspicious Shim Database Patching Activity id: bf344fea-d947-4ef4-9192-34d008315d3a -status: experimental +status: test description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence. references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml index bf0b8d6223a..e5ee4a4eeeb 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Shim Database In Uncommon Location id: 6b6976a3-b0e6-4723-ac24-ae38a737af41 -status: experimental +status: test description: Detects the installation of a new shim database where the file is located in a non-default location references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html diff --git a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml index f7f261339ac..dc1f06d839f 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via TypedPaths id: 086ae989-9ca6-4fe7-895a-759c5544f247 -status: experimental +status: test description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt references: - https://twitter.com/dez_/status/1560101453150257154 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_xll.yml b/rules/windows/registry/registry_set/registry_set_persistence_xll.yml index 0b65397e85f..d83a980835e 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_xll.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_xll.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via Excel Add-in - Registry id: 961e33d1-4f86-4fcf-80ab-930a708b2f82 -status: experimental +status: test description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started. references: - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md diff --git a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml index e387869c616..12a299fc4f1 100644 --- a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml 
@@ -1,6 +1,6 @@ title: Potential Attachment Manager Settings Associations Tamper id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47 -status: experimental +status: test description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information) references: - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 diff --git a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml index dec092f2ff6..9df32c117f1 100644 --- a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml @@ -1,6 +1,6 @@ title: Potential Attachment Manager Settings Attachments Tamper id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a -status: experimental +status: test description: Detects tampering with attachment manager settings policies attachments (See reference for more information) references: - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 diff --git a/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml index 3a1e71bd1c1..43d0eebee43 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml 
@@ -3,7 +3,7 @@ id: 8218c875-90b9-42e2-b60d-0b0069816d10 related: - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 type: derived -status: experimental +status: test description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed. references: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml index 7b887ab6506..8064c1ae9e4 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml @@ -7,7 +7,7 @@ related: type: similar - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock type: similar -status: experimental +status: test description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml index e6d5968f2bb..6ed5827916f 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml @@ -1,6 +1,6 @@ title: Suspicious Powershell In Registry Run Keys id: 8d85cf08-bf97-4260-ba49-986a2a65129c -status: experimental +status: test description: Detects potential PowerShell commands or code within registry run keys references: - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry 
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml index 1fefb76a094..ebab3cb5a81 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml @@ -1,6 +1,6 @@ title: PowerShell Logging Disabled Via Registry Key Tampering id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7 -status: experimental +status: test description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled diff --git a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml index 66585215a48..c59e88c8844 100644 --- a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml +++ b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml @@ -7,7 +7,7 @@ related: type: similar - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry type: similar -status: experimental +status: test description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ diff --git a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml index 45d1f547fe9..7ab2871c752 100644 --- a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml 
+++ b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml @@ -5,7 +5,7 @@ related: type: derived - id: f50f3c09-557d-492d-81db-9064a8d4e211 type: similar -status: experimental +status: test description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution references: - Internal Research diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml index 00df857fee5..fa0f016169e 100644 --- a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml @@ -1,6 +1,6 @@ title: ETW Logging Disabled For rpcrt4.dll id: 90f342e1-1aaa-4e43-b092-39fda57ed11e -status: experimental +status: test description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll references: - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml index 5adb113758c..25dc01e4e00 100644 --- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml +++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml @@ -1,6 +1,6 @@ title: ScreenSaver Registry Key Set id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce -status: experimental +status: test description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl references: - https://twitter.com/VakninHai/status/1517027824984547329 diff --git a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml index 4161b1f3cee..865b9396a14 100644 
--- a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml +++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml @@ -1,6 +1,6 @@ title: ServiceDll Hijack id: 612e47e9-8a59-43a6-b404-f48683f45bd6 -status: experimental +status: test description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml index 01d5d45f10a..1b78e5b1d1d 100644 --- a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml @@ -1,6 +1,6 @@ title: ETW Logging Disabled For SCM id: 4f281b83-0200-4b34-bf35-d24687ea57c2 -status: experimental +status: test description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM) references: - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html diff --git a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml index e59f7be598b..1b5539655d7 100644 --- a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml @@ -1,6 +1,6 @@ title: Persistence Via New SIP Provider id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1 -status: experimental +status: test description: Detects when an attacker register a new SIP provider for persistence and defense evasion references: - https://persistence-info.github.io/Data/codesigning.html 
diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml index 10cf2243a3f..da9081de68a 100644 --- a/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml @@ -1,6 +1,6 @@ title: Tamper With Sophos AV Registry Keys id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101 -status: experimental +status: test description: Detects tamper attempts to sophos av functionality via registry key modification references: - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ diff --git a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml index 4e4457dbf90..fe1029069e9 100644 --- a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml +++ b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml @@ -1,6 +1,6 @@ title: Activate Suppression of Windows Security Center Notifications id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63 -status: experimental +status: test description: Detect set Notification_Suppress to 1 to disable the Windows security center notification references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml index e3db6238361..36263af77ad 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml 
@@ -1,6 +1,6 @@ title: New RUN Key Pointing to Suspicious Folder id: 02ee49e2-e294-4d0f-9278-f5b3212fc588 -status: experimental +status: test description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder references: - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html diff --git a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml index bba7d81c43e..e5bf14bd728 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml @@ -1,6 +1,6 @@ title: Modify User Shell Folders Startup Value id: 9c226817-8dc9-46c2-a58d-66655aafd7dc -status: experimental +status: test description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup references: - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md diff --git a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml index 72a748c8d16..f4899521648 100644 --- a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml +++ b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml @@ -3,7 +3,7 @@ id: c420410f-c2d8-4010-856b-dffe21866437 related: - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation type: similar -status: experimental +status: test description: | Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases. 
diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index e2587359281..9a0e400605c 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml @@ -1,6 +1,6 @@ title: Scheduled TaskCache Change by Uncommon Program id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d -status: experimental +status: test description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ diff --git a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml index c27f8459f77..1a6ab8b724a 100644 --- a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml +++ b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml @@ -1,6 +1,6 @@ title: Set TimeProviders DllName id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85 -status: experimental +status: test description: | Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. diff --git a/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml index 6a02c0cc6db..a558027d01d 100644 --- a/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml +++ b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml 
@@ -1,6 +1,6 @@ title: Old TLS1.0/TLS1.1 Protocol Version Enabled id: 439957a7-ad86-4a8f-9705-a28131c6821b -status: experimental +status: test description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key. references: - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947 diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml index c8bef6af7f9..6cbb89226a4 100644 --- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml @@ -1,6 +1,6 @@ title: COM Hijacking via TreatAs id: dc5c24af-6995-49b2-86eb-a9ff62199e82 -status: experimental +status: test description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md diff --git a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml index 51170b1e55f..a02443607a7 100644 --- a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml +++ b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml @@ -3,7 +3,7 @@ id: b110ebaf-697f-4da1-afd5-b536fa27a2c1 related: - id: a383dec4-deec-4e6e-913b-ed9249670848 type: similar -status: experimental +status: test description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages. references: - https://twitter.com/malmoeb/status/1560536653709598721 
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml index 9d96673befa..e57b719f791 100755 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml @@ -1,6 +1,6 @@ title: UAC Bypass via Event Viewer id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 -status: experimental +status: test description: Detects UAC bypass method using Windows event viewer references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml index 42b8644aa8c..f7bdc8b8567 100755 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml @@ -1,6 +1,6 @@ title: UAC Bypass via Sdclt id: 5b872a46-3b90-45c1-8419-f675db8053aa -status: experimental +status: test description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53) references: - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml index 6eff31daaae..7d69e14ef76 100644 --- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml +++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml 
@@ -1,6 +1,6 @@ title: VBScript Payload Stored in Registry id: 46490193-1b22-4c29-bdd6-5bf63907216f -status: experimental +status: test description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml index 87a4f610455..2e3a19dd0dd 100644 --- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml @@ -5,7 +5,7 @@ related: type: obsoletes - id: fd115e64-97c7-491f-951c-fc8da7e042fa type: obsoletes -status: experimental +status: test description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ diff --git a/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml b/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml index 019119e66c2..22d667fe9ef 100644 --- a/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml +++ b/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml @@ -1,6 +1,6 @@ title: Winget Admin Settings Modification id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236 -status: experimental +status: test description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks references: - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget 
diff --git a/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml b/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml index abcaff4779a..56aedbcd7d2 100644 --- a/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml +++ b/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml @@ -1,6 +1,6 @@ title: Enable Local Manifest Installation With Winget id: fa277e82-9b78-42dd-b05c-05555c7b6015 -status: experimental +status: test description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests. references: - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml index 236a8bab761..2434a5aa43c 100644 --- a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml +++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml @@ -1,6 +1,6 @@ title: Winlogon AllowMultipleTSSessions Enable id: f7997770-92c3-4ec9-b112-774c4ef96f96 -status: experimental +status: test description: | Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. diff --git a/rules/windows/sysmon/sysmon_file_block_executable.yml b/rules/windows/sysmon/sysmon_file_block_executable.yml index 2dd947a46e4..0768df81a14 100644 --- a/rules/windows/sysmon/sysmon_file_block_executable.yml +++ b/rules/windows/sysmon/sysmon_file_block_executable.yml 
@@ -1,6 +1,6 @@ title: Sysmon Blocked Executable id: 23b71bc5-953e-4971-be4c-c896cda73fc2 -status: experimental +status: test description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy references: - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e diff --git a/rules/windows/sysmon/sysmon_file_block_shredding.yml b/rules/windows/sysmon/sysmon_file_block_shredding.yml index 36353c30790..65d8823c85f 100644 --- a/rules/windows/sysmon/sysmon_file_block_shredding.yml +++ b/rules/windows/sysmon/sysmon_file_block_shredding.yml @@ -1,6 +1,6 @@ title: Sysmon Blocked File Shredding id: c3e5c1b1-45e9-4632-b242-27939c170239 -status: experimental +status: test description: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy. references: - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon diff --git a/rules/windows/sysmon/sysmon_file_executable_detected.yml b/rules/windows/sysmon/sysmon_file_executable_detected.yml index 37eeae7e857..3d42f54130d 100644 --- a/rules/windows/sysmon/sysmon_file_executable_detected.yml +++ b/rules/windows/sysmon/sysmon_file_executable_detected.yml @@ -1,6 +1,6 @@ title: Sysmon File Executable Creation Detected id: 693a44e9-7f26-4cb6-b787-214867672d3a -status: experimental +status: test description: Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created. references: - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index 335ef9b8fb2..23dfd17be25 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml 
@@ -1,6 +1,6 @@ title: Suspicious Scripting in a WMI Consumer id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0 -status: experimental +status: test description: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers references: - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
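Review bot: Across all of the hunks in this run (`registry_set_vbscript_payload...` "VBScript Payload Stored in Registry" through `sysmon_wmi_susp_scripting.yml` "Suspicious Scripting in a WMI Consumer") the only changed line is `-status: experimental` / `+status: test`, and no hunk touches a `modified` date or the detection block, so nothing in the diff records what qualified each rule for promotion. Please state the promotion criterion in the PR description (time spent in `experimental` without false-positive reports, or validation against test events), and confirm whether the project convention requires bumping `modified` for a status-only change; if it does, every one of these files needs a second changed line.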
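Review bot: In the `registry_set_windows_defender_tamper.yml` hunk (`@@ -5,7 +5,7 @@`), the surrounding `related:` context declares two `type: obsoletes` entries (one of them `id: fd115e64-97c7-491f-951c-fc8da7e042fa`), but the diff contains no corresponding change to those obsoleted rules. Promoting the superseding rule to `test` while the superseded rules are left untouched risks both firing in parallel; confirm that the two obsoleted rules already carry `status: deprecated`, and if not, include that change in this PR so the relationship is consistent on both sides.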
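Review bot: The three Sysmon hunks (`sysmon_file_block_executable.yml`, `sysmon_file_block_shredding.yml`, `sysmon_file_executable_detected.yml`) describe rules that, per their own context lines, trigger on "any" `FileBlockExecutable`, `FileBlockShredding` or `FileExecutableDetected` event; the `FileExecutableDetected` one explicitly "triggers every time a PE that is monitored by the config is created". For rules whose volume is set entirely by the deployed Sysmon configuration rather than by the rule logic, the status bump to `test` is reasonable, but the `falsepositives` section (outside the shown context) should say that a broad Sysmon file-monitoring config makes the rule noisy by design, and the `level` should reflect that the event is an inventory signal, not an alert on its own. Please verify both fields before merging.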
