diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 7285edfe81d..6f207e83dca 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -62,7 +62,7 @@ jobs:
 run: |
 pip install pysigma
 pip install sigma-cli
- pip install pySigma-validators-sigmahq==0.10.*
+ pip install pySigma-validators-sigmahq==0.11.*
 - name: Test Sigma Rule Syntax
 run: |
 sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*
diff --git a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
index 9f11fc0186c..767f5ef9995 100644
--- a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
+++ b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
@@ -10,6 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-19
 modified: 2023-01-02
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1190
 - attack.t1505.003
diff --git a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
index c912f3e8321..99dbbe1af8f 100644
--- a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
+++ b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
@@ -8,6 +8,9 @@ author: Florian Roth (Nextron Systems)
 date: 2020-05-26
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.g0010
 - attack.execution
 - attack.t1059.001
diff --git a/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml b/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
index d6f85a435e9..db6d67a5250 100644
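Review bot: The CVE-2014-6287 hunk keeps `modified: 2023-01-02` although its tag list changes, and the same holds for every rule hunk in this diff that carries a `modified` field (Turla ComRAT on this line and the rule hunks on the following lines), while rules that have no such field yet, such as Small-Sieve, do not gain one. If the repository's convention treats tag changes as rule modifications, each touched rule should carry `modified: <date of this change>`, since downstream consumers commonly rely on that field to pick up updated rules and would otherwise miss the new tactic mapping. The tactic tags added in this hunk are consistent with the technique tags visible next to them (T1505.003 maps to persistence), so the mapping itself looks right.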
--- a/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
+++ b/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
@@ -13,6 +13,8 @@ author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (upd
 date: 2017-03-27
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1543.003
 - attack.t1569.002
diff --git a/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml b/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
index 4dc76bf88b3..b7f25af0cd7 100644
--- a/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
+++ b/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
@@ -9,6 +9,8 @@ author: Florian Roth (Nextron Systems)
 date: 2017-06-12
 modified: 2023-02-03
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.s0013
 - attack.defense-evasion
 - attack.t1574.001
diff --git a/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml b/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
index 526e33f1d28..1cba6ccc7df 100644
--- a/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
+++ b/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-03-07
 modified: 2021-11-30
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.g0064
 - attack.t1543.003
diff --git a/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
index 626ef71ea8c..e5098c8fba3 100644
--- a/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
+++ b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-04-15
 modified: 2021-11-27
 tags:
+ - attack.exfiltration
 - attack.command-and-control
 - attack.g0020
 - attack.t1041
diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
index 1fed02ec236..db7c79d499e 100644
--- a/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
+++ b/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-03-31
 modified: 2021-11-30
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.g0010
 - attack.t1543.003
diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
index b1b89ef6824..9ea1ed53936 100644
--- a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
+++ b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-11-23
 modified: 2021-11-30
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.g0010
 - attack.t1543.003
diff --git a/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml b/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
index 41ae313cbab..b226632ea27 100644
--- a/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
+++ b/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
@@ -10,6 +10,8 @@ author: Florian Roth (Nextron Systems)
 date: 2018-09-03
 modified: 2023-03-09
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 - attack.g0027
diff --git a/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml b/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
index 93af1448760..123fa28ffa0 100644
--- a/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
+++ b/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
@@ -9,6 +9,7 @@ author: megan201296, Jonhnathan Ribeiro
 date: 2019-04-14
 modified: 2023-09-28
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
index 9887fdd3fe6..e63a3424a12 100644
--- a/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.g0049
 - attack.t1053.005
diff --git a/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
index 677e3d762d3..47792f21411 100644
--- a/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.g0049
 - attack.t1053.005
diff --git a/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
index d797c0193af..8a1127aea1a 100644
--- a/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.g0049
 - attack.t1053.005
diff --git a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
index ea748e64f55..f15798a150a 100644
--- a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.g0049
 - attack.t1053.005
diff --git a/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml b/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
index fe275344b6c..64c240df7ea 100644
--- a/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
+++ b/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
 date: 2019-03-04
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 - attack.s0111
diff --git a/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml b/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
index c5c66cf4c3b..f011348887e 100644
--- a/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
+++ b/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
@@ -11,6 +11,8 @@ author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
 date: 2019-03-04
 modified: 2022-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053
 - attack.s0111
diff --git a/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml b/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
index d41cc4f1d82..a4d7cd4eecd 100644
--- a/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
+++ b/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
@@ -8,6 +8,8 @@ author: Olaf Hartong
 date: 2019-05-22
 modified: 2023-01-26
 tags:
+ - attack.persistence
+ - attack.execution
 - attack.privilege-escalation
 - attack.t1053.005
 - car.2013-08-001
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
index e84490ea8c2..0dccbb91b1a 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 date: 2019-11-15
 modified: 2021-11-27
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1068
 - attack.execution
diff --git a/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml b/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
index 8ec78b3feb0..1cf848e06b2 100644
--- a/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
+++ b/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
@@ -14,6 +14,7 @@ author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (
 date: 2019-12-16
 modified: 2023-02-03
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml b/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
index 13245e218c8..9f1b06fedb3 100644
--- a/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
+++ b/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
@@ -9,6 +9,8 @@ author: megan201296
 date: 2019-02-13
 modified: 2023-02-07
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.execution
 - attack.t1112
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml b/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
index 69a560650a8..989023ffa3b 100644
--- a/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
+++ b/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-02-21
 modified: 2023-03-10
 tags:
+ - attack.collection
 - attack.lateral-movement
 - attack.credential-access
 - attack.g0128
diff --git a/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml b/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
index 22a24d09e71..094caf27b80 100644
--- a/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
+++ b/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
@@ -12,6 +12,8 @@ author: Florian Roth (Nextron Systems), frack113
 date: 2019-12-20
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.discovery
 - attack.t1012
 - attack.defense-evasion
diff --git a/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml b/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
index 4507c1bb2bf..f43960fa781 100644
--- a/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
+++ b/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
@@ -10,6 +10,8 @@ author: Florian Roth (Nextron Systems), frack113
 date: 2019-12-20
 modified: 2022-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.discovery
 - attack.t1012
 - attack.defense-evasion
diff --git a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
index 49aa7d15a71..bfe71e3269c 100644
--- a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
+++ b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
@@ -11,6 +11,8 @@ author: Trent Liffick (@tliffick)
 date: 2020-05-14
 modified: 2022-10-09
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.execution
 - attack.t1112
 - attack.t1047
diff --git a/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml b/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml
index cbb841a4019..5cc2c99bec7 100644
--- a/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml
+++ b/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml
@@ -10,6 +10,7 @@ author: NVISO
 date: 2020-06-09
 modified: 2024-03-20
 tags:
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1112
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml b/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml
index da0ce128255..6c2c95a49bb 100644
--- a/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml
+++ b/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml
@@ -8,6 +8,7 @@ author: Aidan Bracher
 date: 2020-07-07
 modified: 2023-09-19
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
index 64db6e2a668..c13dfec9b52 100644
--- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
+++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-05
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml b/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
index 389743136a4..36c89789334 100644
--- a/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
+++ b/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2020-07-30
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.execution
 - attack.t1055.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
index 5b0cc6e8834..8a06ce04c13 100644
--- a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
+++ b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), Markus Neis
 date: 2020-02-01
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 - attack.g0044
diff --git a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
index ab2f4486df0..f283f5018ca 100644
--- a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
+++ b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), oscd.community
 date: 2020-07-30
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 - attack.g0044
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
index 4111e51622a..e077fc20d57 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
@@ -10,6 +10,7 @@ author: Sittikorn S, Nuttakorn T, Tim Shelton
 date: 2021-07-01
 modified: 2023-10-23
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1055
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
index 1fc3b0f0756..0abb090032a 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -9,6 +9,8 @@ author: Sittikorn S
 date: 2021-07-16
 modified: 2022-10-09
 tags:
+ - attack.initial-access
+ - attack.execution
 - attack.credential-access
 - attack.t1566
 - attack.t1203
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
index 16223daa0cd..60d4af2bb9f 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -9,6 +9,8 @@ author: Sittikorn S, frack113
 date: 2021-07-16
 modified: 2023-08-17
 tags:
+ - attack.initial-access
+ - attack.execution
 - attack.credential-access
 - attack.t1566
 - attack.t1203
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
index 2371c969299..a72e134329f 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-12-22
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.persistence
 - attack.t1036
diff --git a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
index 725e9025d78..042d43a1628 100644
--- a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
+++ b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems), Maxime Thiebaut
 date: 2021-08-23
 modified: 2024-12-01
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1553
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml b/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml
index e007f9280b3..3ef31cd94d0 100644
--- a/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml
+++ b/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml
@@ -12,6 +12,7 @@ author: frack113
 date: 2022-01-24
 modified: 2025-10-21
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
index 0abc66e0466..f023e2d9be9 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
@@ -14,6 +14,8 @@ author: Bhabesh Raj
 date: 2021-05-05
 modified: 2023-02-17
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
index 8c00d5ef04b..766f4abcaf9 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
@@ -14,6 +14,8 @@ author: Bhabesh Raj
 date: 2021-05-05
 modified: 2023-02-17
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
index 0e132ce404d..dd9a4e30f34 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
@@ -14,6 +14,8 @@ author: Bhabesh Raj
 date: 2021-05-05
 modified: 2023-02-17
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
index 086615fd328..b6b59c3f686 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
@@ -7,6 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-19
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.001
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
index df22ca9ee5a..783c8502f02 100644
--- a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
+++ b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
@@ -12,6 +12,8 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-09
 modified: 2023-03-09
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1546
 - attack.t1053
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
index de600e03baa..e69ae4afe2d 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
@@ -7,6 +7,7 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022-04-13
 tags:
+ - attack.execution
 - attack.privilege-escalation
 - attack.t1059.001
 - cve.2022-24527
diff --git a/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml b/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml
index 64fac0615e6..c84181884b6 100644
--- a/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml
+++ b/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml
@@ -10,6 +10,7 @@ references:
 author: '@kostastsale'
 date: 2022-01-10
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml b/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml
index 72962ce2f2c..4954b6667f7 100644
--- a/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml
+++ b/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml
@@ -10,6 +10,7 @@ references:
 author: '@kostastsale'
 date: 2022-03-21
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml b/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
index 523d724076a..6f944e61085 100644
--- a/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
+++ b/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
@@ -7,6 +7,7 @@ references:
 author: Denis Szadkowski, DIRT / DCSO CyTec
 date: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml b/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
index d8f9daa99c2..ebea2bbd1af 100644
--- a/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
+++ b/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
@@ -8,6 +8,8 @@ author: Andreas Hunkeler (@Karneades) date: 2022-02-07 modified: 2023-03-18 tags: + - attack.privilege-escalation + - attack.execution - attack.persistence - attack.t1053 - attack.t1053.005 diff --git a/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml b/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml index ad63c36c688..8b09f5e0f56 100644 --- a/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml +++ b/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml @@ -9,6 +9,7 @@ references: author: '@kostastsale' date: 2023-08-07 tags: + - attack.privilege-escalation - attack.defense-evasion - attack.t1055 - detection.emerging-threats diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml index 86c1d3920cb..d05d96155a4 100644 --- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml +++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml @@ -11,6 +11,8 @@ references: author: Alejandro Houspanossian ('@lekz86') date: 2024-01-02 tags: + - attack.defense-evasion + - attack.command-and-control - attack.execution - attack.t1059.003 - attack.t1105 diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml index 8e9bf8d435d..f62ee3dab7c 100644 --- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml 
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml @@ -12,6 +12,7 @@ author: Andreas Braathen (mnemonic.io) date: 2023-10-27 modified: 2024-01-26 tags: + - attack.privilege-escalation - attack.defense-evasion - attack.t1055.012 - detection.emerging-threats diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml index f0967eb28b7..c2f0253b404 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml @@ -25,6 +25,7 @@ date: 2023-03-29 tags: - attack.command-and-control - attack.execution + - attack.defense-evasion - attack.t1218 - detection.emerging-threats logsource: diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml index 2e6a251e0a1..db6e3d96715 100644 --- a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml +++ b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml @@ -8,6 +8,8 @@ author: CISA date: 2023-12-18 tags: - attack.defense-evasion + - attack.persistence + - attack.privilege-escalation - attack.t1574.001 - detection.emerging-threats logsource: diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml index ce5de1300a2..9b4989d0be1 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml 
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml @@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-10-24 tags: - attack.defense-evasion + - attack.persistence + - attack.privilege-escalation - attack.t1574.001 - detection.emerging-threats logsource: diff --git a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml index 0cc0a8b1b10..c8cc16e68e6 100644 --- a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml +++ b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml @@ -10,6 +10,7 @@ date: 2023-10-18 tags: - attack.defense-evasion - attack.privilege-escalation + - attack.persistence - attack.t1574.001 - attack.g0032 - detection.emerging-threats diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml index 466d0708209..df6c66344cb 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml @@ -1,6 +1,6 @@ title: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare id: 3f2c93c7-7b2a-4d58-bb8d-6f39422d8148 -status: experimental +status: test description: | Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll". references: 
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml index f55b327e60e..b40557ec726 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml @@ -1,6 +1,6 @@ title: CVE-2024-50623 Exploitation Attempt - Cleo id: f007b877-02e3-45b7-8501-1b78c2864029 -status: experimental +status: test description: | Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline. references: @@ -8,6 +8,7 @@ references: author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson date: 2024-12-09 tags: + - attack.initial-access - attack.execution - attack.t1190 - cve.2024-50623 diff --git a/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml b/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml index d341da03ad5..0f553981bdb 100644 --- a/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml +++ b/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml @@ -1,6 +1,6 @@ title: File Creation Related To RAT Clients id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d -status: experimental +status: test description: | File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild. references: 
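Review bot: The description shown in the status hunk still says the process spawns "from the Celo software suite" — the vendor is Cleo, as the title, the filename and the rule's own first clause say, so the typo should be fixed while the rule is being promoted to `test`; `Powershell` should also be `PowerShell`. Suggested description line: `Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Cleo software suite with a suspicious PowerShell command line.` The `attack.initial-access` addition in the second hunk matches T1190.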
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml index f60f41bdc3e..63440d697ad 100644 --- a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml +++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml @@ -8,6 +8,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems), X__Junior date: 2024-03-22 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.001 - detection.emerging-threats diff --git a/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml index 2f19a9cb0e5..43dc4fff489 100644 --- a/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml +++ b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml @@ -1,6 +1,6 @@ title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe id: 19b3806e-46f2-4b4c-9337-e3d8653245ea -status: experimental +status: test description: | Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. @@ -13,6 +13,7 @@ references: author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2024-12-19 tags: + - attack.privilege-escalation - attack.defense-evasion - attack.t1055 - detection.emerging-threats diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml index 0281d3f9e07..1c05db50cec 100644 
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml +++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml @@ -12,6 +12,7 @@ references: author: Swachchhanda Shrawan Poudel date: 2024-07-31 tags: + - attack.persistence - attack.defense-evasion - attack.privilege-escalation - attack.t1574.001 diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml index fcd30907941..80a7329bfed 100644 --- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml +++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml @@ -15,6 +15,7 @@ references: author: Swachchhanda Shrawan Poudel date: 2024-07-31 tags: + - attack.persistence - attack.t1112 - attack.defense-evasion - detection.emerging-threats diff --git a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml index cea5c8a79a4..1a1337d6a23 100644 --- a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml +++ b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml @@ -14,6 +14,8 @@ references: author: Swachchhanda Shrawan Poudel date: 2024-07-03 tags: + - attack.privilege-escalation + - attack.execution - attack.persistence - attack.t1053.005 - detection.emerging-threats 
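Review bot: `attack.persistence` is added to registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml, but the only technique tag visible in the rule is `attack.t1112`, and ATT&CK maps T1112 (Modify Registry) to Defense Evasion only, so no technique backs the new tactic. Tactic tags should be derivable from the technique tags: either drop the added `- attack.persistence` line or, if the rule is meant to cover a persistence technique as well, add that technique tag next to `attack.t1112` so the two stay consistent. If the tag came from an automated technique-to-tactic mapping, its T1112 entry should be checked, since the same addition appears for another T1112-only rule in this change. This assumes no further technique tags follow `detection.emerging-threats` outside the hunk.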
diff --git a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml index f6e58212250..ed86d6ae179 100644 --- a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml +++ b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml @@ -11,6 +11,7 @@ references: author: Swachchhanda Shrawan Poudel date: 2024-07-03 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.001 - detection.emerging-threats diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml index fc8e078fe7c..a64b919fe07 100644 --- a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml +++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml @@ -1,6 +1,6 @@ title: Forest Blizzard APT - Process Creation Activity id: 07db928c-8632-488e-ac7d-3db847489175 -status: experimental +status: test description: | Detects the execution of specific processes and command line combination. These were seen being created by Forest Blizzard as described by MSFT. diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml index 639217c3358..9edd10739de 100644 --- a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml +++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml 
@@ -9,6 +9,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2024-04-23 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.001 - detection.emerging-threats diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml index 8f32311b5ae..db12f36a826 100644 --- a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml +++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml @@ -9,6 +9,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2024-04-23 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.001 - detection.emerging-threats diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-30406/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-30406/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml index c923e155acf..0a945f81653 100644 --- a/rules-emerging-threats/2025/Exploits/CVE-2025-30406/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml +++ b/rules-emerging-threats/2025/Exploits/CVE-2025-30406/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml @@ -11,6 +11,7 @@ references: author: Jason Rathbun (Blackpoint Cyber) date: 2025-04-17 tags: + - attack.persistence - attack.execution - attack.t1059.003 - attack.t1505.003 diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml index 381dfea353c..d2c4c9b56b5 100644 
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml +++ b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml @@ -11,6 +11,7 @@ references: author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-04-28 tags: + - attack.execution - attack.initial-access - attack.t1190 - attack.persistence diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_win_sap_netweaver_webshell_creation.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_win_sap_netweaver_webshell_creation.yml index 8def10536f2..f4607fc47de 100644 --- a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_win_sap_netweaver_webshell_creation.yml +++ b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_win_sap_netweaver_webshell_creation.yml @@ -11,6 +11,7 @@ references: author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-04-28 tags: + - attack.execution - attack.initial-access - attack.t1190 - attack.persistence diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_lnx_sap_netweaver_susp_child_process.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_lnx_sap_netweaver_susp_child_process.yml index 5d0d47fa599..b10091d256f 100644 --- a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_lnx_sap_netweaver_susp_child_process.yml +++ b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_lnx_sap_netweaver_susp_child_process.yml @@ -7,6 +7,7 @@ description: | author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-04-28 tags: + - attack.execution - attack.initial-access - attack.t1190 - attack.persistence 
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_win_sap_netweaver_susp_child_process.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_win_sap_netweaver_susp_child_process.yml index c531b74ce9d..ddfe2f75c51 100644 --- a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_win_sap_netweaver_susp_child_process.yml +++ b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_win_sap_netweaver_susp_child_process.yml @@ -7,6 +7,7 @@ description: | author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-04-28 tags: + - attack.execution - attack.initial-access - attack.t1190 - attack.persistence diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml index 36fe9c85642..a1b498c4259 100644 --- a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml +++ b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml @@ -16,6 +16,7 @@ references: author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-06-13 tags: + - attack.command-and-control - attack.execution - attack.defense-evasion - attack.t1218 diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml index 1c3a5ec0600..e1919d9d964 100644 --- a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml +++ b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml @@ -19,6 +19,7 @@ references: author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-06-13 tags: + - attack.command-and-control - attack.execution - attack.defense-evasion - attack.t1218 
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml index e0194dee447..be0a641ae30 100644 --- a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml +++ b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml @@ -19,6 +19,7 @@ references: author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-06-13 tags: + - attack.command-and-control - attack.execution - attack.defense-evasion - attack.t1218 diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml index 0290f3985b9..57ecd307e67 100644 --- a/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml +++ b/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml @@ -11,6 +11,7 @@ references: author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-06-26 tags: + - attack.persistence - attack.privilege-escalation - attack.defense-evasion - attack.t1574.008 diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml index c82ecba5f1e..bf46ea2b273 100644 --- a/rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml +++ b/rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml @@ -9,6 +9,7 @@ references: author: Nisarg Suthar date: 2025-08-01 tags: + - attack.privilege-escalation - attack.initial-access - attack.execution - attack.t1059.001 
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml index c6586c165c8..d23a97ea9bb 100644 --- a/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml +++ b/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml @@ -9,6 +9,9 @@ references: author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-10-20 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078.001 - detection.emerging-threats diff --git a/rules-emerging-threats/2025/Malware/file_event_win_malware_funklocker_ransomware_extension.yml b/rules-emerging-threats/2025/Malware/file_event_win_malware_funklocker_ransomware_extension.yml index 79ce424fa0a..f5d79dca41c 100644 --- a/rules-emerging-threats/2025/Malware/file_event_win_malware_funklocker_ransomware_extension.yml +++ b/rules-emerging-threats/2025/Malware/file_event_win_malware_funklocker_ransomware_extension.yml @@ -8,6 +8,7 @@ references: author: Saiprashanth Pulisetti ( @Prashanthblogs) date: 2025-08-08 tags: + - attack.impact - attack.t1486 - detection.emerging-threats logsource: diff --git a/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml b/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml index f127888cc37..da8d31bf2d7 100644 --- a/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml +++ b/rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml @@ -7,6 +7,7 @@ references: author: Arda Buyukkaya (EclecticIQ) date: 2025-02-11 tags: + - attack.execution - attack.command-and-control - attack.t1090 - attack.t1573 
diff --git a/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml b/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml index db2de905f66..dc57d4148bc 100644 --- a/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml +++ b/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml @@ -10,6 +10,9 @@ author: Ivan Saakov date: 2025-10-19 tags: - attack.privilege-escalation + - attack.defense-evasion + - attack.initial-access + - attack.persistence - attack.t1078.004 logsource: product: aws diff --git a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml index f0b367d0490..7d6a24509d7 100644 --- a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml +++ b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml @@ -9,6 +9,9 @@ date: 2022-08-11 modified: 2023-12-15 tags: - attack.defense-evasion + - attack.initial-access + - attack.persistence + - attack.privilege-escalation - attack.t1078 logsource: product: azure diff --git a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml index 1705bafb17d..ad1ed138861 100644 --- a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml +++ b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml @@ -9,6 +9,9 @@ date: 2022-08-11 modified: 2023-12-15 tags: - attack.persistence + - attack.defense-evasion + - attack.initial-access + - attack.privilege-escalation - attack.t1078 logsource: product: azure 
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml index 6a5c87b898d..12f7a11a1cc 100644 --- a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml +++ b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml @@ -10,6 +10,8 @@ modified: 2023-12-15 tags: - attack.defense-evasion - attack.privilege-escalation + - attack.initial-access + - attack.persistence - attack.t1078 logsource: product: azure diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml index a9e85a7862a..2fb3fc614a0 100644 --- a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml +++ b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml @@ -9,6 +9,9 @@ date: 2022-08-11 modified: 2023-12-15 tags: - attack.defense-evasion + - attack.initial-access + - attack.persistence + - attack.privilege-escalation - attack.t1078 logsource: product: azure diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml index 86c1029e676..ec70d6ce654 100644 --- a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml +++ b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml @@ -9,6 +9,9 @@ date: 2022-08-11 modified: 2023-12-15 tags: - attack.persistence + - attack.defense-evasion + - attack.initial-access + - attack.privilege-escalation - attack.t1078 logsource: product: azure diff --git a/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml index b1bce3bb40a..f9bd1e2ad0b 100644 
--- a/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml +++ b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml @@ -9,6 +9,7 @@ date: 2017-03-08 modified: 2023-12-15 tags: - attack.lateral-movement + - attack.defense-evasion - attack.t1550.002 - car.2016-04-004 logsource: diff --git a/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml index a76fd16a654..89bd8872b14 100644 --- a/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml +++ b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml @@ -10,6 +10,7 @@ modified: 2023-12-15 tags: - attack.credential-access - attack.defense-evasion + - attack.persistence - attack.discovery - attack.s0075 - attack.t1012 diff --git a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml index 165e78f1d0f..6467d75d729 100644 --- a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml +++ b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml @@ -9,6 +9,10 @@ date: 2017-03-17 modified: 2023-12-15 tags: - attack.lateral-movement + - attack.defense-evasion + - attack.initial-access + - attack.persistence + - attack.privilege-escalation - attack.t1078 logsource: product: windows diff --git a/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml index 3c0619b8ba7..3e8e3d4a4fb 100644 --- a/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml 
+++ b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml @@ -11,6 +11,7 @@ modified: 2023-01-20 tags: - attack.execution - attack.privilege-escalation + - attack.persistence - car.2013-08-001 - attack.t1053.005 - detection.threat-hunting diff --git a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml index da7b5d252fb..ebae49d4bd6 100644 --- a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml +++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml @@ -9,6 +9,7 @@ date: 2019-08-11 modified: 2024-01-22 tags: - attack.defense-evasion + - attack.privilege-escalation - attack.t1055.001 - detection.threat-hunting logsource: diff --git a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml index a9cf2f3bbf0..82033bae09d 100644 --- a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml +++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml @@ -12,6 +12,7 @@ date: 2024-07-29 modified: 2025-07-04 tags: - attack.defense-evasion + - attack.privilege-escalation - attack.t1055 - detection.threat-hunting logsource: diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml index 3864c282ae6..c53dd2a439e 100644 --- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml +++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml 
@@ -10,6 +10,7 @@ modified: 2024-07-29
 tags:
 - attack.t1112
 - attack.defense-evasion
+ - attack.persistence
 - detection.threat-hunting
 logsource:
 category: file_access
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml
index 54ae1b45b83..3da71cbdb48 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml
@@ -1,6 +1,6 @@
 title: WDAC Policy File Creation In CodeIntegrity Folder
 id: 121b25f7-b9d6-4b37-afa0-cba317ec52f3
-status: experimental
+status: test
 description: |
 Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
 references:
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
index 696765cc497..3d9d54dee2d 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
@@ -13,6 +13,7 @@ author: Micah Babinski
 date: 2023-08-21
 tags:
 - attack.initial-access
+ - attack.resource-development
 - attack.t1584
 - attack.t1566
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml b/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml
index c04e44df68d..0824f6a2d73 100644
--- a/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml
@@ -13,6 +13,7 @@ date: 2024-09-02
 tags:
 - attack.persistence
 - attack.execution
+ - attack.privilege-escalation
 - attack.t1053.005
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml
index cad7984689c..38a8720cf26 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml
@@ -11,6 +11,7 @@ references:
 author: Isaac Dunham
 date: 2024-11-07
 tags:
+ - attack.command-and-control
 - attack.t1102.002
 - attack.t1090.004
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
index 8fa81f9354c..8bc98a67d56 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
@@ -11,6 +11,7 @@ date: 2019-10-21
 modified: 2023-12-15
 tags:
 - attack.exfiltration
+ - attack.collection
 - attack.t1560
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
index 39f4cd5b4e9..d7ed21d40fb 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
@@ -13,6 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-23
 tags:
 - attack.defense-evasion
+ - attack.execution
 - attack.t1059.001
 - attack.t1059.003
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
index 98ad58c77a4..fad4ff4664d 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml
@@ -12,6 +12,7 @@ date: 2020-07-03
 modified: 2023-05-02
 tags:
 - attack.exfiltration
+ - attack.command-and-control
 - attack.t1567
 - attack.t1105
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
index 6146715441c..e3352f88f23 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
@@ -13,6 +13,7 @@ author: Andreas Braathen (mnemonic.io)
 date: 2023-12-01
 tags:
 - attack.defense-evasion
+ - attack.execution
 - attack.t1059.001
 - attack.t1027.010
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
index 04551a2c363..4334b1c0452 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
@@ -13,6 +13,7 @@ references:
 author: frack113
 date: 2024-05-03
 tags:
+ - attack.defense-evasion
 - attack.t1562.004
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
index 647f988983d..bb2989de32a 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml
@@ -11,6 +11,8 @@ date: 2022-02-23
 modified: 2024-05-13
 tags:
 - attack.execution
+ - attack.persistence
+ - attack.privilege-escalation
 - attack.t1053.005
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml
index ee9c647630d..9464ead5ae6 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml
@@ -11,6 +11,7 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-13
 tags:
 - attack.execution
+ - attack.command-and-control
 - attack.lateral-movement
 - attack.t1105
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
index 3d0365a1218..d22744cc09f 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
@@ -12,6 +12,7 @@ date: 2023-06-21
 modified: 2023-08-17
 tags:
 - attack.defense-evasion
+ - attack.persistence
 - attack.t1112
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
index 3d19e70b7c5..e761849b92d 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -12,6 +12,9 @@ author: Andreas Braathen (mnemonic.io)
 date: 2023-12-01
 tags:
 - attack.defense-evasion
+ - attack.execution
+ - attack.persistence
+ - attack.privilege-escalation
 - attack.t1059.001
 - attack.t1027.010
 - attack.t1547.001
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
index a0673f43ad3..00c664593ca 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
@@ -16,6 +16,7 @@ date: 2022-05-02
 modified: 2024-03-25
 tags:
 - attack.defense-evasion
+ - attack.persistence
 - attack.t1112
 - detection.threat-hunting
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
index ac3e766637d..5c39f9f5ea9 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
@@ -12,6 +12,9 @@ references:
 author: kelnage
 date: 2024-07-11
 tags:
+ - attack.privilege-escalation
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1078
 - attack.credential-access
diff --git a/rules/application/opencanary/opencanary_ssh_login_attempt.yml b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
index 0e15724263a..0704ee1baaf 100644
--- a/rules/application/opencanary/opencanary_ssh_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
@@ -8,6 +8,8 @@ references:
 author: Security Onion Solutions
 date: 2024-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.initial-access
 - attack.lateral-movement
 - attack.persistence
diff --git a/rules/application/opencanary/opencanary_ssh_new_connection.yml b/rules/application/opencanary/opencanary_ssh_new_connection.yml
index f3656da4c7e..34f7db373dd 100644
--- a/rules/application/opencanary/opencanary_ssh_new_connection.yml
+++ b/rules/application/opencanary/opencanary_ssh_new_connection.yml
@@ -8,6 +8,8 @@ references:
 author: Security Onion Solutions
 date: 2024-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.initial-access
 - attack.lateral-movement
 - attack.persistence
diff --git a/rules/application/opencanary/opencanary_telnet_login_attempt.yml b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
index 0d4aca20261..d9c97304735 100644
--- a/rules/application/opencanary/opencanary_telnet_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
@@ -8,6 +8,9 @@ references:
 author: Security Onion Solutions
 date: 2024-03-08
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.command-and-control
 - attack.t1133
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
index b4b14bcfb5c..72c7ebf3439 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
@@ -10,6 +10,7 @@ references:
 author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
+ - attack.privilege-escalation
 - attack.lateral-movement
 - attack.execution
 - attack.persistence
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
index 8b2dc0c102e..f0bc075fe98 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
@@ -10,6 +10,9 @@ references:
 author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.execution
 - attack.lateral-movement
 - attack.t1053
 - attack.t1053.002
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
index aca3985811b..801d633ad85 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
@@ -10,6 +10,7 @@ references:
 author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
+ - attack.defense-evasion
 - attack.lateral-movement
 - attack.t1112
 - attack.persistence
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
index 272e1a21d0b..a0a76648868 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
@@ -10,6 +10,7 @@ references:
 author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
+ - attack.privilege-escalation
 - attack.lateral-movement
 - attack.execution
 - attack.persistence
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml
index e51d9865f69..b800b4f8442 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml
@@ -12,6 +12,9 @@ date: 2025-10-18
 modified: 2025-10-21
 tags:
 - attack.initial-access
+ - attack.defense-evasion
+ - attack.persistence
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
index 7f7367ce894..b08c11de618 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
@@ -13,6 +13,8 @@ date: 2024-07-11
 tags:
 - attack.privilege-escalation
 - attack.defense-evasion
+ - attack.initial-access
+ - attack.persistence
 - attack.t1078
 - attack.t1078.002
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
index 4c9e9d3de9b..e360d5d5262 100644
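Review bot: aws_cloudtrail_console_login_success_without_mfa.yml now carries defense-evasion, persistence and privilege-escalation next to initial-access, which together are the complete tactic set ATT&CK lists for the technique tag `- attack.t1078.004`, rather than the tactic a successful console login without MFA actually evidences. If the intent is to satisfy a validator that requires every tactic of a tagged technique to be present, that is worth stating in the commit message, because consumers that build coverage maps or route alerts by tactic will now count this rule under four tactics. The same expansion appears in kubernetes_audit_change_admission_controller.yml and the opencanary rules above, and in aws_root_account_usage.yml, azure_ad_bitlocker_key_retrieval.yml and the other T1078/T1078.004 rules further down, so a single decision covers all of them.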
--- a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
+++ b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
@@ -11,6 +11,7 @@ author: Chester Le Bron (@123Le_Bron)
 date: 2024-02-26
 tags:
 - attack.lateral-movement
+ - attack.defense-evasion
 - attack.t1021.007
 - attack.t1550.001
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
index 0a527ddbcba..bb05665bfb2 100644
--- a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
+++ b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
@@ -1,6 +1,6 @@
 title: AWS SAML Provider Deletion Activity
 id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
-status: experimental
+status: test
 description: |
 Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
 An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
@@ -11,6 +11,9 @@ date: 2024-12-19
 tags:
 - attack.t1078.004
 - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.persistence
 - attack.t1531
 - attack.impact
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
index 0130118809f..fc72564f7d3 100644
--- a/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
@@ -1,6 +1,6 @@
 title: AWS Key Pair Import Activity
 id: 92f84194-8d9a-4ee0-8699-c30bfac59780
-status: experimental
+status: test
 description: |
 Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
 references:
@@ -9,6 +9,7 @@ author: Ivan Saakov
 date: 2024-12-19
 tags:
 - attack.initial-access
+ - attack.defense-evasion
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
index e3734e6a985..13728aa9f13 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
@@ -12,6 +12,7 @@ date: 2020-02-12
 modified: 2022-10-09
 tags:
 - attack.persistence
+ - attack.privilege-escalation
 - attack.t1098
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
index ca9d50ae7ac..3fb226e3624 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
@@ -9,6 +9,9 @@ date: 2023-05-17
 tags:
 - attack.execution
 - attack.persistence
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1059.009
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
index 55d29d2b573..a634c0a3cb2 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
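Review bot: In aws_ec2_import_key_pair_activity.yml the new `- attack.defense-evasion` tag is not reflected in the description, which still says the activity "could lead to initial access, persistence, or privilege escalation" — exactly the three tactics the rule already carried. Either the description should mention defense evasion as well, or the tag should be left off; as written the two fields disagree about what the rule covers, and the description is what an analyst reads when the alert fires.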
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
@@ -10,6 +10,9 @@ tags:
 - attack.execution
 - attack.t1059.009
 - attack.persistence
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
index fd4bf7a39a3..6e248f44bb8 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
@@ -7,8 +7,11 @@ references:
 author: daniel.bohannon@permiso.io (@danielhbohannon)
 date: 2023-05-17
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
+ - attack.defense-evasion
+ - attack.initial-access
 - attack.t1059.009
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml b/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml
index 5d611b64ade..15597ab9c4f 100644
--- a/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml
+++ b/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml
@@ -1,6 +1,6 @@
 title: New AWS Lambda Function URL Configuration Created
 id: ec541962-c05a-4420-b9ea-84de072d18f4
-status: experimental
+status: test
 description: |
 Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.
 This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
diff --git a/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml b/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml
index 875c8697180..c7bcd131188 100644
--- a/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml
+++ b/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml
@@ -1,6 +1,6 @@
 title: Modification or Deletion of an AWS RDS Cluster
 id: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c
-status: experimental
+status: test
 description: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
 references:
 - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
diff --git a/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml b/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
index 0127c7b60d7..97d0a15b0d6 100644
--- a/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
@@ -9,6 +9,9 @@ date: 2020-01-21
 modified: 2022-10-09
 tags:
 - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.initial-access
+ - attack.persistence
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
index 4e809335422..72a16387cee 100644
--- a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
+++ b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
@@ -11,6 +11,7 @@ date: 2021-07-22
 modified: 2022-10-09
 tags:
 - attack.persistence
+ - attack.privilege-escalation
 - attack.credential-access
 - attack.t1098
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
index 9bfe871a868..a5e3a588f28 100644
--- a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
+++ b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
@@ -10,6 +10,7 @@ modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.credential-access
+ - attack.privilege-escalation
 - attack.t1098
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
index 1bb277fc1eb..36ee10fa3cf 100644
--- a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
@@ -12,6 +12,8 @@ author: Michael McIntyre @wtfender
 date: 2023-09-27
 tags:
 - attack.persistence
+ - attack.credential-access
+ - attack.defense-evasion
 - attack.t1556
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
index 88ce08bd6d3..cc02fccb139 100644
--- a/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
@@ -11,6 +11,7 @@ modified: 2022-10-09
 tags:
 - attack.lateral-movement
 - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548
 - attack.t1550
 - attack.t1550.001
diff --git a/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
index a0dece9ed56..fac3dd9e977 100644
--- a/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
@@ -11,6 +11,7 @@ modified: 2022-10-09
 tags:
 - attack.lateral-movement
 - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548
 - attack.t1550
 - attack.t1550.001
diff --git a/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml b/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
index 2d60672a72f..39cca9da165 100644
--- a/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
@@ -9,11 +9,13 @@ author: Austin Songer
 date: 2021-09-22
 modified: 2022-12-18
 tags:
+ - attack.defense-evasion
 - attack.initial-access
- - attack.t1078
 - attack.lateral-movement
- - attack.t1548
+ - attack.persistence
 - attack.privilege-escalation
+ - attack.t1078
+ - attack.t1548
 - attack.t1550
 - attack.t1550.001
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml b/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
index 7e9abb1baec..88f1532d535 100644
--- a/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
+++ b/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
@@ -11,6 +11,7 @@ date: 2021-08-09
 modified: 2024-04-26
 tags:
 - attack.persistence
+ - attack.privilege-escalation
 - attack.t1098
 logsource:
 product: aws
diff --git a/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
index cbd52eb85d3..1c46196e534 100644
--- a/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
+++ b/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
@@ -8,6 +8,8 @@ author: Raphaël CALVET, @MetallicHack
 date: 2021-10-04
 modified: 2022-10-09
 tags:
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.t1098.003
diff --git a/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
index 895337e6f62..854efc0d549 100644
--- a/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
+++ b/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
@@ -8,6 +8,7 @@ author: sawwinnnaung
 date: 2020-05-07
 modified: 2023-10-11
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml b/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
index db30c8f5810..15342cee52e 100644
--- a/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
+++ b/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
@@ -8,6 +8,7 @@ author: sawwinnnaung
 date: 2020-05-07
 modified: 2023-10-11
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098.003
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
index 0576c63b9c0..b9e05943f77 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
@@ -15,6 +15,9 @@ author: Austin Songer @austinsonger
 date: 2021-11-25
 modified: 2022-12-18
 tags:
+ - attack.privilege-escalation
+ - attack.initial-access
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1078
 - attack.credential-access
diff --git a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
index 09ffe08efc1..2dcffa0b349 100644
--- a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
+++ b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
@@ -7,6 +7,8 @@ references:
 author: '@ionsor'
 date: 2022-02-08
 tags:
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.persistence
 - attack.t1556
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
index b646976e511..0b7045ff951 100644
--- a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
+++ b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
@@ -11,6 +11,9 @@ author: Austin Songer @austinsonger
 date: 2021-11-26
 modified: 2022-08-23
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
index a7872f2d1c6..39460f6d278 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
@@ -7,6 +7,8 @@ references:
 author: Corissa Koopmans, '@corissalea'
 date: 2022-07-19
 tags:
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.defense-evasion
 - attack.persistence
 - attack.t1548
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
index 09903cbc1c9..c7743421326 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
@@ -8,6 +8,8 @@ author: Corissa Koopmans, '@corissalea'
 date: 2022-07-19
 modified: 2024-05-28
 tags:
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.defense-evasion
 - attack.persistence
 - attack.t1548
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
index 6ad71d86ce8..5b317edd465 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
@@ -7,6 +7,7 @@ references: author: Corissa Koopmans, '@corissalea' date: 2022-07-18 tags: + - attack.privilege-escalation - attack.defense-evasion - attack.t1548 logsource: diff --git a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml index 87506b737e8..a35058e3033 100644 --- a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml +++ b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml @@ -8,6 +8,9 @@ author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton date: 2022-08-11 modified: 2022-08-18 tags: + - attack.privilege-escalation + - attack.persistence + - attack.initial-access - attack.defense-evasion - attack.t1078 logsource: diff --git a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml index f6dddd75104..5b6db360b87 100644 --- a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml +++ b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml @@ -7,6 +7,9 @@ references: author: Michael Epping, '@mepples21' date: 2022-06-28 tags: + - attack.privilege-escalation + - attack.persistence + - attack.initial-access - attack.defense-evasion - attack.t1078.004 logsource: diff --git a/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml b/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml index 109fbc699c0..e7159d27d75 100644 --- a/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml +++ b/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml @@ -8,6 +8,8 @@ references: author: Harjot Shah Singh, '@cyb3rjy0t' date: 2024-03-26 tags: + - attack.defense-evasion + - attack.credential-access - attack.persistence - attack.privilege-escalation - attack.t1556 
diff --git a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml index 4191de418b6..9961cff9699 100644 --- a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml +++ b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml @@ -7,6 +7,9 @@ references: author: MikeDuddington, '@dudders1' date: 2022-07-28 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: diff --git a/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml b/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml index e440d33a786..9c21a1164d3 100644 --- a/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml +++ b/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml @@ -8,6 +8,8 @@ references: author: Harjot Shah Singh, '@cyb3rjy0t' date: 2024-03-26 tags: + - attack.defense-evasion + - attack.credential-access - attack.persistence - attack.privilege-escalation - attack.t1556 diff --git a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml index 6e78827ae02..5923f0a10be 100644 --- a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml +++ b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml @@ -7,6 +7,8 @@ references: author: Michael Epping, '@mepples21' date: 2022-06-28 tags: + - attack.persistence + - attack.initial-access - attack.defense-evasion - attack.privilege-escalation - attack.t1078.004 diff --git a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml index 778913cd8d1..b3cda28b3ef 100644 
--- a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml +++ b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022-06-02 tags: + - attack.initial-access + - attack.defense-evasion - attack.persistence - attack.credential-access - attack.privilege-escalation diff --git a/rules/cloud/azure/audit_logs/azure_app_credential_added.yml b/rules/cloud/azure/audit_logs/azure_app_credential_added.yml index b46323ec681..d3c7b79e72d 100644 --- a/rules/cloud/azure/audit_logs/azure_app_credential_added.yml +++ b/rules/cloud/azure/audit_logs/azure_app_credential_added.yml @@ -8,6 +8,7 @@ author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022-05-26 modified: 2025-07-18 tags: + - attack.privilege-escalation - attack.t1098.001 - attack.persistence logsource: diff --git a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml index 1913528e04e..ebe85c31112 100644 --- a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml +++ b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml @@ -9,6 +9,8 @@ references: author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022-06-02 tags: + - attack.initial-access + - attack.defense-evasion - attack.t1528 - attack.t1078.004 - attack.persistence diff --git a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml index 65c1be6c9b2..160f1d519e8 100644 --- a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml +++ b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml @@ -8,6 +8,7 @@ author: AlertIQ date: 2021-10-10 modified: 2022-12-25 tags: + - attack.privilege-escalation - attack.credential-access - attack.t1556 - attack.persistence 
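Review bot: In the azure_app_credential_added.yml hunk the new tactic tag is inserted ahead of the technique while the existing `attack.persistence` still follows it, leaving the list as tactic, technique, tactic. The other hunks in this change group the added tactics before the technique tags, so keep that order here too: `- attack.persistence`, `- attack.privilege-escalation`, `- attack.t1098.001`. The azure_app_uri_modifications.yml hunk on this line has the same interleaving, with `attack.t1528` and `attack.t1078.004` now sitting between the two groups of tactic tags. This is a consistency and readability point only; the tags themselves are correct for the visible techniques.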
diff --git a/rules/cloud/azure/audit_logs/azure_federation_modified.yml b/rules/cloud/azure/audit_logs/azure_federation_modified.yml index ce6330749a8..56a43c15f2b 100644 --- a/rules/cloud/azure/audit_logs/azure_federation_modified.yml +++ b/rules/cloud/azure/audit_logs/azure_federation_modified.yml @@ -8,6 +8,9 @@ author: Austin Songer date: 2021-09-06 modified: 2022-06-08 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: diff --git a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml index 89d51accc4b..de4f5edb2af 100644 --- a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml +++ b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' date: 2022-08-04 tags: + - attack.privilege-escalation + - attack.credential-access - attack.defense-evasion - attack.persistence - attack.t1548 diff --git a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml index 8b8d5506875..c465c2dbf55 100644 --- a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml +++ b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' date: 2022-08-04 tags: + - attack.privilege-escalation + - attack.credential-access - attack.defense-evasion - attack.persistence - attack.t1548 diff --git a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml index 5e9d2abde0b..8e4fd8cd8b5 100644 --- a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml 
+++ b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-10 tags: + - attack.privilege-escalation + - attack.initial-access - attack.persistence - attack.defense-evasion - attack.t1078.004 diff --git a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml index 63d4ca7c664..566a0e0469c 100644 --- a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml +++ b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml @@ -7,6 +7,8 @@ references: author: MikeDuddington, '@dudders1' date: 2022-06-30 tags: + - attack.persistence + - attack.defense-evasion - attack.privilege-escalation - attack.initial-access - attack.t1078.004 diff --git a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml index 3a55d20216e..8e28844a813 100644 --- a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml +++ b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml @@ -7,6 +7,9 @@ references: author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-09 tags: + - attack.persistence + - attack.initial-access + - attack.defense-evasion - attack.privilege-escalation - attack.t1078.004 logsource: diff --git a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml index b12ef942497..07f90274a7f 100644 --- a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml +++ b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-09 tags: + - attack.initial-access + - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1078 
diff --git a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml index 1f3db29d25f..2a911214715 100644 --- a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml +++ b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-09 tags: + - attack.initial-access + - attack.defense-evasion - attack.privilege-escalation - attack.persistence - attack.t1078.004 diff --git a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml index 31c4513202f..81f13baf278 100644 --- a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml +++ b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-06 tags: + - attack.persistence + - attack.initial-access - attack.privilege-escalation - attack.defense-evasion - attack.t1078.004 diff --git a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml index 6ce06e8eece..62823d88130 100644 --- a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml +++ b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml @@ -7,6 +7,7 @@ references: author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-05 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: diff --git a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml index faf5fcfb0ae..7172839fe12 100644 --- a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml 
+++ b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml @@ -8,6 +8,8 @@ author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim She date: 2022-08-11 modified: 2022-08-16 tags: + - attack.initial-access + - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1078.004 diff --git a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml index 0f545eee16f..601cbd3cb08 100644 --- a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml +++ b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml @@ -11,6 +11,9 @@ author: Austin Songer @austinsonger date: 2021-11-26 modified: 2022-12-25 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: diff --git a/rules/cloud/azure/audit_logs/azure_tap_added.yml b/rules/cloud/azure/audit_logs/azure_tap_added.yml index 7bf89b16413..acfb3c07315 100644 --- a/rules/cloud/azure/audit_logs/azure_tap_added.yml +++ b/rules/cloud/azure/audit_logs/azure_tap_added.yml @@ -7,6 +7,9 @@ references: author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022-08-10 tags: + - attack.privilege-escalation + - attack.initial-access + - attack.defense-evasion - attack.persistence - attack.t1078.004 logsource: diff --git a/rules/cloud/azure/audit_logs/azure_user_password_change.yml b/rules/cloud/azure/audit_logs/azure_user_password_change.yml index 6b51691ac37..ce6fb841ab2 100644 --- a/rules/cloud/azure/audit_logs/azure_user_password_change.yml +++ b/rules/cloud/azure/audit_logs/azure_user_password_change.yml 
@@ -7,6 +7,9 @@ references: author: YochanaHenderson, '@Yochana-H' date: 2022-08-03 tags: + - attack.privilege-escalation + - attack.initial-access + - attack.defense-evasion - attack.persistence - attack.credential-access - attack.t1078.004 diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml index e20d60d2cb5..2a6426e2290 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml @@ -8,6 +8,7 @@ references: author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-03 tags: + - attack.privilege-escalation - attack.t1098 - attack.persistence logsource: diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml index c6bf45cc8aa..b17c8eb21f6 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: + - attack.initial-access + - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml index dfcef1f54ff..c883a09953d 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml 
@@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: + - attack.initial-access + - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml index 33f0d647f8b..abf5b40eaac 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: + - attack.initial-access + - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml index ae57b20f480..023c7f534ba 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: + - attack.initial-access + - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml index eda10ef3b1d..3832dc4fdeb 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml 
@@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: + - attack.initial-access + - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml index 066bc8cc74f..66703cb1d2a 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: + - attack.initial-access + - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml index 4d783c3397f..e0882458c3c 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml @@ -7,6 +7,8 @@ references: author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023-09-14 tags: + - attack.initial-access + - attack.defense-evasion - attack.t1078 - attack.persistence - attack.privilege-escalation diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml index 79f8cd90b97..2912d87b116 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml 
@@ -7,6 +7,9 @@ references: author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' date: 2022-08-11 tags: + - attack.privilege-escalation + - attack.persistence + - attack.initial-access - attack.defense-evasion - attack.t1078 logsource: diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml index 3655641d13d..0d3fcd8da69 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml @@ -8,6 +8,9 @@ author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton date: 2022-08-11 modified: 2022-08-18 tags: + - attack.privilege-escalation + - attack.persistence + - attack.initial-access - attack.defense-evasion - attack.t1078 logsource: diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml index 218170dec84..08cadadcb0b 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml @@ -7,6 +7,9 @@ references: author: MikeDuddington, '@dudders1' date: 2022-07-28 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: diff --git a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml index 3232199473c..bb4e75667da 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml 
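Review bot: The azure_ad_auth_failure_increase.yml hunk now tags a rule that keys on a rise in failed sign-ins with all four T1078 tactics, including `attack.privilege-escalation` and `attack.persistence`, which a burst of authentication failures does not evidence. These tags feed ATT&CK Navigator coverage maps and triage routing, so the rule will be counted as persistence and privilege-escalation detection it does not provide. If the validator only requires that each listed tactic belong to a listed technique, rather than every tactic of that technique, consider narrowing the mapping instead: a failure spike is closer to `attack.t1110` under `attack.credential-access` than to Valid Accounts. The neighbouring azure_ad_auth_sucess_increase.yml hunk raises the same question.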
@@ -7,6 +7,9 @@ references: author: MikeDuddington, '@dudders1' date: 2022-07-28 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 diff --git a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml index 53ebb0788e3..f7c24815229 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml @@ -7,6 +7,9 @@ references: author: Michael Epping, '@mepples21' date: 2022-06-28 tags: + - attack.privilege-escalation + - attack.persistence + - attack.initial-access - attack.defense-evasion - attack.t1078.004 logsource: diff --git a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml index 45ffc7ed427..1169640e3e0 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml @@ -7,6 +7,9 @@ references: author: MikeDuddington, '@dudders1' date: 2022-07-28 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 diff --git a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml index ef13cded4fe..b3a615aa8b2 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml 
@@ -7,6 +7,9 @@ references: author: MikeDuddington, '@dudders1' date: 2022-07-27 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 diff --git a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml index ecfc71fde7f..00434abe663 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml @@ -8,6 +8,9 @@ author: Harjot Singh, '@cyb3rjy0t' date: 2023-01-10 modified: 2025-07-02 tags: + - attack.privilege-escalation + - attack.persistence + - attack.initial-access - attack.defense-evasion - attack.t1078 logsource: diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml index 1d3d97c9ee3..526c1345cf0 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml @@ -7,6 +7,9 @@ references: author: Michael Epping, '@mepples21' date: 2022-06-28 tags: + - attack.privilege-escalation + - attack.persistence + - attack.initial-access - attack.defense-evasion - attack.t1078.004 logsource: diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml index 3b48259961e..5f02ec3fc2a 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml 
@@ -8,6 +8,9 @@ author: Michael Epping, '@mepples21' date: 2022-06-28 modified: 2022-10-05 tags: + - attack.privilege-escalation + - attack.persistence + - attack.initial-access - attack.defense-evasion - attack.t1078.004 logsource: diff --git a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml index f09a59aadee..80e68e1a899 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml @@ -8,6 +8,9 @@ references: author: Harjot Singh, '@cyb3rjy0t' date: 2023-03-20 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 diff --git a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml index d648bff0b6d..c2efa92c37e 100644 --- a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml +++ b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml @@ -7,6 +7,9 @@ references: author: Yochana Henderson, '@Yochana-H' date: 2022-06-17 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078.004 logsource: diff --git a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml index 5cb94a415b1..8321c18b91d 100644 --- a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml +++ b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml @@ -7,6 +7,9 @@ references: author: Yochana Henderson, '@Yochana-H' date: 2022-06-01 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1110 
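Review bot: The azure_conditional_access_failure.yml hunk adds `attack.privilege-escalation`, `attack.persistence` and `attack.defense-evasion` to a rule whose only visible technique is `attack.t1110`, which ATT&CK places under Credential Access alone. The hunk's trailing context ends at that tag, so if a second technique such as T1078.004 follows it outside the hunk the additions are justified; if not, these three tactics have no technique backing them and should be removed. Worth checking the full tag list before merging, as the azure_user_login_blocked_by_conditional_access.yml hunk two lines further down shows the same pattern with `attack.t1110` as its last visible tag.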
diff --git a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml index 271bcdb9896..8219a0e4ad4 100644 --- a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml +++ b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml @@ -7,6 +7,9 @@ references: author: Yochana Henderson, '@Yochana-H' date: 2022-06-17 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 diff --git a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml index 009484b495f..ad08b7a4658 100644 --- a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml +++ b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml @@ -8,6 +8,9 @@ author: AlertIQ date: 2021-10-10 modified: 2022-12-25 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078.004 logsource: diff --git a/rules/cloud/azure/signin_logs/azure_mfa_denies.yml b/rules/cloud/azure/signin_logs/azure_mfa_denies.yml index 189524079f5..34769129914 100644 --- a/rules/cloud/azure/signin_logs/azure_mfa_denies.yml +++ b/rules/cloud/azure/signin_logs/azure_mfa_denies.yml @@ -7,6 +7,9 @@ references: author: AlertIQ date: 2022-03-24 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 diff --git a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml index a4edd40a054..673f500321b 100644 --- a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml +++ b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml 
@@ -8,6 +8,9 @@ author: AlertIQ date: 2021-10-10 modified: 2022-12-18 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1078.004 diff --git a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml index 586aa6bbbab..3833ad043b2 100644 --- a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml +++ b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml @@ -8,6 +8,9 @@ author: Austin Songer @austinsonger date: 2021-11-26 modified: 2022-12-18 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: diff --git a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml index a2f503b2876..56441bfe23d 100644 --- a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml +++ b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml @@ -10,6 +10,9 @@ author: AlertIQ date: 2021-10-10 modified: 2022-12-25 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.credential-access - attack.initial-access - attack.t1110 diff --git a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml index 88f9060785c..4afdee73f0b 100644 --- a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml +++ b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml 
@@ -7,6 +7,9 @@ references: author: MikeDuddington, '@dudders1' date: 2022-06-30 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078.004 logsource: diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml index 4fad0d31bae..bd758e0455b 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml @@ -9,6 +9,9 @@ references: author: Muhammad Faisal (@faisalusuf) date: 2024-02-25 tags: + - attack.privilege-escalation + - attack.persistence + - attack.initial-access - attack.defense-evasion - attack.credential-access - attack.t1078.004 diff --git a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml index cf675d705ef..97322b641a5 100644 --- a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml +++ b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml @@ -8,6 +8,7 @@ references: author: Bryan Lim date: 2024-01-12 tags: + - attack.privilege-escalation - attack.defense-evasion - attack.t1548 logsource: diff --git a/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml index 09434b208af..4b952588ab4 100644 --- a/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml +++ b/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml @@ -14,6 +14,9 @@ author: Austin Songer @austinsonger date: 2021-11-25 modified: 2022-12-18 tags: + - attack.privilege-escalation + - attack.initial-access + - attack.defense-evasion - attack.persistence - attack.t1078 - attack.credential-access 
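Review bot: In the bitbucket_audit_user_login_failure_detected.yml hunk, a rule that fires on a failed login now carries `attack.privilege-escalation` and `attack.persistence`; a failure event cannot establish either, and `attack.initial-access` is also a stretch for an attempt that did not succeed. The additions complete the tactic set of T1078.004, which suggests the technique mapping is driving the tags; if so, the more fitting technique for login failures is probably T1110 (Brute Force, credential access), and the tactic tags would then follow from that instead. The `attack.privilege-escalation` added alongside T1548 in the gcp_breakglass_container_workload_deployed.yml hunk on this line is consistent with ATT&CK and needs no change.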
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml index 9bc68121ac2..e9f4a1db32a 100644 --- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml +++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml @@ -9,6 +9,7 @@ author: Austin Songer date: 2021-08-23 modified: 2023-10-11 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml index ddb75111782..95e27d20efd 100644 --- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml +++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml @@ -9,6 +9,7 @@ author: Austin Songer date: 2021-08-23 modified: 2023-10-11 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml index d9c35e5325a..ada535c5ecd 100644 --- a/rules/cloud/github/github_outside_collaborator_detected.yml +++ b/rules/cloud/github/github_outside_collaborator_detected.yml @@ -9,6 +9,7 @@ references: - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization tags: + - attack.privilege-escalation - attack.persistence - attack.collection - attack.t1098.001 
diff --git a/rules/cloud/github/github_ssh_certificate_config_changed.yml b/rules/cloud/github/github_ssh_certificate_config_changed.yml index 03f8a0b2cf6..f0ab5a824cd 100644 --- a/rules/cloud/github/github_ssh_certificate_config_changed.yml +++ b/rules/cloud/github/github_ssh_certificate_config_changed.yml @@ -8,6 +8,8 @@ references: author: Romain Gaillard (@romain-gaillard) date: 2024-07-29 tags: + - attack.initial-access + - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1078.004 diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml index ea65230b335..ae0c8d2d23d 100644 --- a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml +++ b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml @@ -1,6 +1,6 @@ title: Azure Login Bypassing Conditional Access Policies id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc -status: experimental +status: test description: | Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith. author: Josh Nickels, Marius Rothenbücher @@ -9,6 +9,9 @@ references: - https://github.com/JumpsecLabs/TokenSmith date: 2025-01-08 tags: + - attack.privilege-escalation + - attack.persistence + - attack.initial-access - attack.defense-evasion - attack.t1078 logsource: diff --git a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml index 196109e677d..4a67a123005 100644 --- a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml +++ b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml 
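Review bot: In the microsoft365_bypass_conditional_access.yml hunk, the rule is promoted from `experimental` to `test` and gains three tactic tags in the same change, yet the visible metadata has only `date: 2025-01-08` and no `modified:` line. If the repository's convention is to set `modified:` whenever a published rule's status or tags change, this hunk should add it (the tag-only hunks elsewhere in this commit also leave `modified:` untouched), since downstream consumers that key on `modified` will otherwise miss the retagging. Separately, the unchanged description spells the product as `InTune` while the same sentence already writes `Intune`; Microsoft's name is `Intune`, so the second spelling should be corrected when this rule is next touched.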
@@ -9,6 +9,9 @@ author: Austin Songer @austinsonger date: 2020-07-06 modified: 2021-11-27 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: diff --git a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml index 776e8140b8c..d58a715ac32 100644 --- a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml @@ -9,6 +9,9 @@ author: Austin Songer @austinsonger date: 2021-08-23 modified: 2022-10-09 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078 logsource: diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml index 4a2e0abf3a4..c7018eef52f 100644 --- a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml +++ b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml @@ -9,6 +9,7 @@ author: Austin Songer @austinsonger date: 2021-09-12 modified: 2022-10-09 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098.003 logsource: diff --git a/rules/cloud/okta/okta_identity_provider_created.yml b/rules/cloud/okta/okta_identity_provider_created.yml index 9cdb42b5df3..9432b6f38ec 100644 --- a/rules/cloud/okta/okta_identity_provider_created.yml +++ b/rules/cloud/okta/okta_identity_provider_created.yml @@ -8,6 +8,7 @@ references: author: kelnage date: 2023-09-07 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098.001 logsource: diff --git a/rules/cloud/okta/okta_new_behaviours_admin_console.yml b/rules/cloud/okta/okta_new_behaviours_admin_console.yml index ae403e461c5..b4d90fc06ac 100644 --- a/rules/cloud/okta/okta_new_behaviours_admin_console.yml 
+++ b/rules/cloud/okta/okta_new_behaviours_admin_console.yml @@ -9,6 +9,9 @@ author: kelnage date: 2023-09-07 modified: 2024-06-26 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078.004 logsource: diff --git a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml index 1102264f1d9..22369015513 100644 --- a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml @@ -11,6 +11,7 @@ author: 'Pawel Mazur' date: 2021-11-28 modified: 2022-12-25 tags: + - attack.defense-evasion - attack.collection - attack.privilege-escalation - attack.t1123 diff --git a/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml b/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml index c61110e6ea7..fb925de1f4b 100644 --- a/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml +++ b/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml @@ -15,6 +15,7 @@ author: Milad Cheraghi date: 2025-05-26 modified: 2025-06-05 tags: + - attack.privilege-escalation - attack.defense-evasion - attack.t1562.001 - attack.t1055.009 diff --git a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml index d0ae6033ece..8e3c766e0ce 100644 --- a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml +++ b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml @@ -10,6 +10,8 @@ references: author: David Burkett, @signalblur date: 2022-12-30 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml index 0e74a32ccf8..2fd8fefefd2 100644 --- a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml 
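Review bot: In the lnx_auditd_capabilities_discovery.yml hunk, `attack.defense-evasion` is added to a tag set whose only technique visible in the hunk is `attack.t1123`, which ATT&CK lists as Audio Capture under Collection alone, so neither the new defense-evasion tag nor the existing privilege-escalation tag is explained by it. The tag list may continue past the hunk's trailing context with a technique (such as a T1548 sub-technique) that does justify them; if it does not, `attack.t1123` looks like a mistag for a capabilities-discovery rule and should be corrected before further tactics are layered on top of it. The remainder of the tag list is outside the hunk, so this needs checking against the full file.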
+++ b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml @@ -11,6 +11,7 @@ author: 'Pawel Mazur' date: 2021-05-24 modified: 2022-12-18 tags: + - attack.collection - attack.credential-access - attack.t1003 - attack.t1056.001 diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml index 63b46b9de6b..fc2ae8ecea5 100644 --- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml +++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml @@ -9,6 +9,8 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd date: 2019-10-24 modified: 2021-11-27 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.006 logsource: diff --git a/rules/linux/auditd/lnx_auditd_susp_service_reload_or_restart.yml b/rules/linux/auditd/lnx_auditd_susp_service_reload_or_restart.yml index 06b599a71ae..8226ea3ec4b 100644 --- a/rules/linux/auditd/lnx_auditd_susp_service_reload_or_restart.yml +++ b/rules/linux/auditd/lnx_auditd_susp_service_reload_or_restart.yml @@ -8,6 +8,7 @@ author: Jakob Weinzettl, oscd.community, CheraghiMilad date: 2019-09-23 modified: 2025-03-03 tags: + - attack.privilege-escalation - attack.persistence - attack.t1543.002 logsource: diff --git a/rules/linux/auditd/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml b/rules/linux/auditd/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml index 0691f07bf62..b3315cd2099 100644 --- a/rules/linux/auditd/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml +++ b/rules/linux/auditd/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml @@ -13,6 +13,7 @@ references: author: Milad Cheraghi date: 2025-05-31 tags: + - attack.privilege-escalation - attack.persistence - attack.t1543.003 logsource: diff --git a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml index 528056f660b..d1d9e0a9975 100644 
--- a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml +++ b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml @@ -8,6 +8,7 @@ author: 'Pawel Mazur' date: 2022-02-03 modified: 2022-02-06 tags: + - attack.privilege-escalation - attack.persistence - attack.t1543.002 logsource: diff --git a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml index 541b7fce57b..5e22ceaaa0f 100644 --- a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml +++ b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml @@ -13,6 +13,7 @@ author: Peter Matkovski, IAI date: 2023-03-06 modified: 2023-03-15 tags: + - attack.privilege-escalation - attack.persistence - attack.t1546.004 logsource: diff --git a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml index b392939d01e..87d37c33c69 100644 --- a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml +++ b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml @@ -8,6 +8,7 @@ author: Sreeman date: 2022-01-26 modified: 2024-09-11 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.t1548.001 logsource: diff --git a/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml b/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml index 480ae81f646..cbe51a14529 100644 --- a/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml +++ b/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml @@ -7,6 +7,8 @@ references: author: Pawel Mazur date: 2022-04-16 tags: + - attack.privilege-escalation + - attack.execution - attack.persistence - attack.t1053.003 logsource: diff --git a/rules/linux/builtin/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml index 6f3bddb5380..f40de872860 100644 
--- a/rules/linux/builtin/lnx_ldso_preload_injection.yml +++ b/rules/linux/builtin/lnx_ldso_preload_injection.yml @@ -8,6 +8,7 @@ author: Christian Burkard (Nextron Systems) date: 2021-05-05 modified: 2022-10-09 tags: + - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1574.006 diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml index 3c87d942851..3c6dcc4ccc1 100644 --- a/rules/linux/builtin/lnx_privileged_user_creation.yml +++ b/rules/linux/builtin/lnx_privileged_user_creation.yml @@ -10,6 +10,7 @@ author: Pawel Mazur date: 2022-12-21 modified: 2025-01-21 tags: + - attack.privilege-escalation - attack.persistence - attack.t1136.001 - attack.t1098 diff --git a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml index d2df0e0e8dd..c5ec998e096 100644 --- a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml +++ b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml @@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems) date: 2019-10-15 modified: 2022-11-26 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.t1068 - attack.t1548.003 diff --git a/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml b/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml index f92735f301d..a4f7365e443 100644 --- a/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml +++ b/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml @@ -9,6 +9,7 @@ author: Sittikorn S, Teoderick Contreras date: 2022-01-20 modified: 2022-12-31 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.t1548 logsource: diff --git a/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml b/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml index e02b5abf5fb..30a676175b0 100644 --- a/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml 
+++ b/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml @@ -8,6 +8,8 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC date: 2021-10-15 modified: 2022-12-31 tags: + - attack.privilege-escalation + - attack.execution - attack.persistence - attack.t1053.003 logsource: diff --git a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml index 27dca4e9c42..0ec367ad460 100644 --- a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml +++ b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml @@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-05 modified: 2022-12-31 tags: + - attack.privilege-escalation + - attack.execution - attack.persistence - attack.t1053.003 logsource: diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml index 317ebc444e8..4563758563d 100644 --- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml +++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml @@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-05 modified: 2022-12-31 tags: + - attack.privilege-escalation + - attack.execution - attack.persistence - attack.defense-evasion - attack.t1053.003 diff --git a/rules/linux/process_creation/proc_creation_lnx_at_command.yml b/rules/linux/process_creation/proc_creation_lnx_at_command.yml index d2126c9e0c8..6267fabcd53 100644 --- a/rules/linux/process_creation/proc_creation_lnx_at_command.yml +++ b/rules/linux/process_creation/proc_creation_lnx_at_command.yml @@ -10,6 +10,8 @@ author: Ömer Günal, oscd.community date: 2020-10-06 modified: 2022-07-07 tags: + - attack.privilege-escalation + - attack.execution - attack.persistence - attack.t1053.002 logsource: 
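Review bot: In the file_event_lnx_persistence_sudoers_files.yml hunk, `attack.execution` and `attack.privilege-escalation` are added on the strength of `attack.t1053.003` (Scheduled Task/Job: Cron), but a sudoers file write is not a cron job; the technique appears to have been carried over from the cron rules on this line, and the new execution tag now inherits that mismatch. If the technique is wrong, the fix belongs at the source: replace the technique with `- attack.t1548.003` (Abuse Elevation Control Mechanism: Sudo and Sudo Caching), keep `attack.privilege-escalation` and add `attack.defense-evasion`, and drop `attack.execution`. The same `attack.t1053.003` tag is visible in the file_event_lnx_triple_cross_rootkit_persistence.yml hunk and is worth re-checking against that rule's detection logic, which is outside this hunk.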
diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml index 38d01030647..2dab1677663 100644 --- a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml @@ -8,6 +8,7 @@ references: author: Joseph Kamau date: 2023-12-01 tags: + - attack.privilege-escalation - attack.defense-evasion - attack.t1055.009 logsource: diff --git a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml index 900d56296e6..9b786a75aea 100644 --- a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml @@ -8,6 +8,7 @@ references: author: Sittikorn S, Teoderick Contreras date: 2022-01-20 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.t1548 logsource: diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml index 1219b5a07dc..6b3c91b68e7 100644 --- a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml +++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml @@ -7,6 +7,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2023-09-04 tags: + - attack.persistence - attack.execution - attack.privilege-escalation - attack.t1059.012 diff --git a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml index 6a344a515e2..bda4b4b7d66 100644 --- a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml 
+++ b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml @@ -14,6 +14,7 @@ references: author: Josh Nickels, Qi Nan date: 2024-03-11 tags: + - attack.persistence - attack.initial-access - attack.t1133 logsource: diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml index 6fdd74444d2..5fffefe77ab 100644 --- a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml @@ -1,6 +1,6 @@ title: Shell Execution via Rsync - Linux id: e2326866-609f-4015-aea9-7ec634e8aa04 -status: experimental +status: test description: | Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. references: diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml index d75fc682da0..5b0cb8cbcb8 100644 --- a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml +++ b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml @@ -1,6 +1,6 @@ title: Suspicious Invocation of Shell via Rsync id: 297241f3-8108-4b3a-8c15-2dda9f844594 -status: experimental +status: test description: | Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation. references: 
diff --git a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml index 723a159906c..d9e77b3dba0 100644 --- a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml +++ b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml @@ -8,6 +8,7 @@ author: Ömer Günal date: 2020-06-16 modified: 2022-10-05 tags: + - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1548.001 diff --git a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml index 5cf978a1d1b..1a439819d08 100644 --- a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml +++ b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml @@ -10,6 +10,7 @@ author: Florian Roth (Nextron Systems) date: 2019-10-15 modified: 2022-10-05 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.t1068 - attack.t1548.003 diff --git a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml index b07a2082ea6..d97f66fa35e 100644 --- a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml +++ b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml @@ -11,6 +11,8 @@ references: author: Sohan G (D4rkCiph3r) date: 2023-03-19 tags: + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.privilege-escalation - attack.t1078.003 diff --git a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml index 7750a439aa5..0ef190f50f6 100644 --- a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml 
+++ b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml @@ -8,6 +8,8 @@ references: author: Sohan G (D4rkCiph3r) date: 2023-08-22 tags: + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.privilege-escalation - attack.t1078.003 diff --git a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml index 8c65fef061e..cea9afe802c 100644 --- a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml +++ b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml @@ -9,6 +9,8 @@ references: author: Sohan G (D4rkCiph3r) date: 2023-08-22 tags: + - attack.privilege-escalation + - attack.defense-evasion - attack.t1078 - attack.t1078.001 - attack.t1078.003 diff --git a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml index dd931957b18..74b08316db7 100644 --- a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml +++ b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml @@ -9,6 +9,7 @@ author: remotephone, oscd.community date: 2020-10-13 modified: 2022-12-25 tags: + - attack.collection - attack.credential-access - attack.t1056.002 logsource: diff --git a/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml b/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml index 744eed45ffd..750a52af100 100644 --- a/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml +++ b/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml @@ -11,6 +11,7 @@ references: author: Pratinav Chandra date: 2024-05-13 tags: + - attack.privilege-escalation - attack.execution - attack.persistence - attack.t1569.001 
diff --git a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml index b69e77d7b68..282677dcd9f 100644 --- a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml +++ b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml @@ -8,6 +8,7 @@ references: author: Sohan G (D4rkCiph3r) date: 2023-02-18 tags: + - attack.privilege-escalation - attack.persistence - attack.t1543.001 - attack.t1543.004 diff --git a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml index 088ffdb2098..e0b101e1361 100644 --- a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml +++ b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml @@ -14,6 +14,7 @@ references: author: Josh Nickels, Qi Nan date: 2024-03-11 tags: + - attack.persistence - attack.initial-access - attack.t1133 logsource: diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml index 17b0026dc1a..f78c22dc8fe 100644 --- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml +++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml @@ -11,6 +11,8 @@ references: author: Sohan G (D4rkCiph3r) date: 2023-03-19 tags: + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.privilege-escalation - attack.t1078.003 
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml index 354dcb77b5a..1545bd73a5e 100644 --- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml +++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml @@ -7,6 +7,9 @@ references: author: Sohan G (D4rkCiph3r) date: 2023-02-18 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.t1078 - attack.t1078.001 diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml index e1d47c0bcfc..f6c3b0043ec 100644 --- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml +++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml @@ -6,6 +6,7 @@ author: Austin Clark date: 2019-08-12 modified: 2023-01-04 tags: + - attack.privilege-escalation - attack.persistence - attack.t1136.001 - attack.t1098 diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml index 897399a8101..31865e0b887 100644 --- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml +++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml @@ -6,6 +6,8 @@ author: Austin Clark date: 2019-08-12 modified: 2025-04-28 tags: + - attack.privilege-escalation + - attack.execution - attack.persistence - attack.impact - attack.t1490 diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml index 0df94623804..dc9010c36d5 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml 
@@ -8,6 +8,8 @@ author: '@neu5ron, SOC Prime' date: 2020-03-19 modified: 2021-11-27 tags: + - attack.privilege-escalation + - attack.persistence - attack.execution - attack.t1047 - attack.t1053.002 diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml index 31fa8d65f26..dca699aa1d6 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml @@ -8,6 +8,7 @@ author: '@neu5ron, SOC Prime' date: 2020-03-19 modified: 2021-11-27 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.004 logsource: diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index 3c9c83f8dae..60cdf454df8 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -15,6 +15,7 @@ author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021-08-17 modified: 2022-11-28 tags: + - attack.collection - attack.credential-access - attack.t1557.001 - attack.t1187 diff --git a/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml index 65f501755a2..aea0c282609 100644 --- a/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml +++ b/rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml @@ -18,6 +18,7 @@ references: author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-06-20 tags: + - attack.collection - attack.credential-access - attack.persistence - attack.privilege-escalation diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml index 65c68a83198..a4385ade2d5 100644 
--- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml +++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml @@ -11,6 +11,8 @@ author: 'Samir Bousseaden, @neu5rn' date: 2020-04-03 modified: 2022-12-27 tags: + - attack.privilege-escalation + - attack.execution - attack.lateral-movement - attack.persistence - car.2013-05-004 diff --git a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml index 36f7535dc62..52f8cecb972 100644 --- a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml +++ b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml @@ -9,6 +9,7 @@ references: author: Gavin Knapp date: 2023-03-16 tags: + - attack.collection - attack.credential-access - attack.t1056 logsource: diff --git a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml index 0df2c011dd6..7c9da1ca0b2 100644 --- a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml +++ b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml @@ -8,6 +8,8 @@ references: author: frack113 date: 2023-01-12 tags: + - attack.lateral-movement + - attack.execution - attack.defense-evasion - attack.t1072 logsource: diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml index f3c8172ecc8..df5c2ba4250 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml 
@@ -1,6 +1,6 @@ title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation id: f8931561-97f5-4c46-907f-0a4a592e47a7 -status: experimental +status: test description: | Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation. diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml index 4b31e41651a..7f0d192d9e2 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml @@ -10,6 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-11-10 modified: 2023-06-07 tags: + - attack.persistence - attack.privilege-escalation - attack.t1543 logsource: diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml index c85104a1cae..9a920e45ce8 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml @@ -9,6 +9,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2023-06-06 tags: + - attack.persistence - attack.privilege-escalation - attack.t1543 logsource: diff --git a/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml b/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml index 5b1c2bc5ec2..cb15f1d810c 100644 --- a/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml 
+++ b/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml @@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems) date: 2017-05-08 modified: 2023-02-05 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml index 856952d4e05..1dd486c61fc 100644 --- a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml +++ b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml @@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems) date: 2018-06-08 modified: 2024-07-22 tags: + - attack.defense-evasion - attack.lateral-movement - attack.t1550.002 logsource: diff --git a/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml index d2f3e298b5f..9fd93bb1318 100644 --- a/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml +++ b/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml @@ -8,6 +8,9 @@ author: juju4 date: 2017-10-29 modified: 2022-10-09 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.lateral-movement - attack.initial-access - attack.t1078.001 diff --git a/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml b/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml index 49ab072e347..96b6bdb1bc8 100644 --- a/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml +++ b/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml 
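Review bot: `win_security_admin_rdp_login.yml` now carries five tactics (`privilege-escalation`, `persistence`, `defense-evasion`, `lateral-movement`, `initial-access`), which looks like the full tactic set of `attack.t1078.001` rather than what an administrative RDP logon evidences; tactic-based dashboards and Navigator layers will count this rule under defense evasion and persistence although the underlying event is a logon. If the 0.11 validator bump in the workflow is what forces every technique's tactics to be present, the choice of technique now determines the tactic list, so it is worth checking that `t1078.001` (Default Accounts) is really the intended sub-technique here rather than `t1078.002`/`t1078.003` for domain or local admin accounts. None of the hunks touch `modified:` (here still `2021-11-27`); if the repository convention is that `modified` tracks any change to a rule, these bulk edits should bump it. The rule body is outside the hunk.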
@@ -14,6 +14,7 @@ references: author: Alexandr Yampolskyi, SOC Prime date: 2023-04-26 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: diff --git a/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml b/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml index b19f83a08fc..a2b8cf81801 100644 --- a/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml +++ b/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml @@ -14,6 +14,7 @@ references: author: Alexandr Yampolskyi, SOC Prime date: 2023-04-26 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: diff --git a/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml b/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml index 1983e0316d1..c0aad5df72e 100644 --- a/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml +++ b/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml @@ -8,6 +8,7 @@ author: Roberto Rodriguez (source), Dominik Schaudel (rule) date: 2018-02-12 modified: 2021-11-27 tags: + - attack.defense-evasion - attack.lateral-movement - attack.s0002 - attack.t1550.002 diff --git a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml index 9a011cfe146..1ce63f070fa 100644 --- a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml +++ b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml 
@@ -10,6 +10,7 @@ author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) date: 2019-06-14 modified: 2022-10-05 tags: + - attack.defense-evasion - attack.lateral-movement - attack.t1550.002 logsource: diff --git a/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml b/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml index 99720325b99..30a947717f3 100644 --- a/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml +++ b/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml @@ -14,6 +14,7 @@ references: author: Alexandr Yampolskyi, SOC Prime date: 2023-04-26 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml index b55315b33b3..ac86bbbe637 100644 --- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml +++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml @@ -12,6 +12,9 @@ author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) date: 2023-01-19 modified: 2024-03-11 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1133 diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml index 9457318f6d9..dafa835a029 100644 
--- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml +++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml @@ -12,6 +12,9 @@ author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) date: 2023-01-19 modified: 2024-03-11 tags: + - attack.privilege-escalation + - attack.persistence + - attack.defense-evasion - attack.initial-access - attack.credential-access - attack.t1133 diff --git a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml index 25409436cab..57dddbe73c5 100644 --- a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml +++ b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml @@ -8,6 +8,8 @@ author: NVISO date: 2020-05-06 modified: 2024-03-11 tags: + - attack.privilege-escalation + - attack.defense-evasion - attack.initial-access - attack.persistence - attack.t1078 diff --git a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml index b1694d3d211..992e0f4644f 100644 --- a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml +++ b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml @@ -11,6 +11,7 @@ author: Elastic, @SBousseaden date: 2022-04-27 modified: 2024-08-13 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.credential-access - attack.t1548 
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml b/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml index e53c6f5fcae..998976a2685 100644 --- a/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml +++ b/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml @@ -8,6 +8,7 @@ author: '@SBousseaden, Florian Roth' date: 2019-11-15 modified: 2022-12-22 tags: + - attack.collection - attack.privilege-escalation - attack.credential-access - attack.t1557.001 diff --git a/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml index 09362d1ba9e..aff5ab7042d 100644 --- a/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml +++ b/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml @@ -9,6 +9,7 @@ author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Sh date: 2019-04-03 modified: 2022-08-16 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: diff --git a/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml b/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml index 1e3cb336565..abe40918a60 100644 --- a/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml +++ b/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml @@ -8,6 +8,7 @@ author: '@neu5ron' date: 2017-07-30 modified: 2021-12-02 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: diff --git a/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml b/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml index fb9a78d5f0c..36ac159a5f9 100644 
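Review bot: `- attack.collection` on `win_security_susp_rottenpotato.yml` is inherited from the existing `attack.t1557.001` (LLMNR/NBT-NS Poisoning and SMB Relay) tag; a RottenPotato-style attack relays a local NTLM authentication back to the same host to obtain a SYSTEM token and collects nothing, so the new tactic describes the technique's generic profile rather than this rule. The outcome of the attack is token impersonation, `attack.t1134.001` (defense-evasion / privilege-escalation), which would keep `privilege-escalation` and make both `credential-access` and `collection` unnecessary if the technique mapping is revisited. That is a larger change than this tag backfill, so at minimum confirm that `collection` is intentional; the detection is outside the hunk.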
--- a/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml +++ b/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml @@ -10,6 +10,7 @@ author: '@neu5ron' date: 2017-04-13 modified: 2024-02-26 tags: + - attack.privilege-escalation - attack.t1098 - attack.persistence logsource: diff --git a/rules/windows/builtin/security/win_security_alert_ruler.yml b/rules/windows/builtin/security/win_security_alert_ruler.yml index 8db4d5e5e3b..4bc220a0fd0 100644 --- a/rules/windows/builtin/security/win_security_alert_ruler.yml +++ b/rules/windows/builtin/security/win_security_alert_ruler.yml @@ -12,6 +12,7 @@ author: Florian Roth (Nextron Systems) date: 2017-05-31 modified: 2022-10-09 tags: + - attack.defense-evasion - attack.discovery - attack.execution - attack.collection diff --git a/rules/windows/builtin/security/win_security_atsvc_task.yml b/rules/windows/builtin/security/win_security_atsvc_task.yml index 4aaa0440edc..1b96ff007e8 100644 --- a/rules/windows/builtin/security/win_security_atsvc_task.yml +++ b/rules/windows/builtin/security/win_security_atsvc_task.yml @@ -8,6 +8,8 @@ author: Samir Bousseaden date: 2019-04-03 modified: 2024-08-01 tags: + - attack.privilege-escalation + - attack.execution - attack.lateral-movement - attack.persistence - car.2013-05-004 diff --git a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml index 9efcab107bc..0d81e083518 100644 --- a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml @@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems), Wojciech Lesicki date: 2021-05-26 modified: 2022-11-27 tags: + - attack.persistence - attack.execution - attack.privilege-escalation - attack.lateral-movement 
diff --git a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml index 5de777d3d31..06b0cbd73b9 100644 --- a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml +++ b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml @@ -20,6 +20,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-06-05 modified: 2022-12-20 tags: + - attack.persistence - attack.defense-evasion - attack.t1112 - attack.t1562 diff --git a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml index a7f5b3467e3..6ec2df1be9c 100644 --- a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml +++ b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml @@ -10,6 +10,8 @@ author: Samir Bousseaden date: 2019-04-03 modified: 2024-09-04 tags: + - attack.privilege-escalation + - attack.execution - attack.persistence - attack.lateral-movement - attack.t1053.005 diff --git a/rules/windows/builtin/security/win_security_hktl_nofilter.yml b/rules/windows/builtin/security/win_security_hktl_nofilter.yml index b1fa4617257..12d1d0a00f0 100644 --- a/rules/windows/builtin/security/win_security_hktl_nofilter.yml +++ b/rules/windows/builtin/security/win_security_hktl_nofilter.yml @@ -11,6 +11,7 @@ references: author: Stamatis Chatzimangou (st0pp3r) date: 2024-01-05 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.t1134 - attack.t1134.001 diff --git a/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml b/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml index 5ff688de15a..bc36a82fb6d 100644 --- a/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml +++ b/rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml 
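Review bot: `- attack.persistence` is added to `win_security_dot_net_etw_tamper.yml` although the technique tags visible in the hunk, `attack.t1112` and `attack.t1562`, are defense-evasion techniques in the ATT&CK versions I am aware of, so the new tactic has no visible technique backing it. If it comes from a newer ATT&CK release carried by the 0.11 validator, or from a technique further down the tag list outside the hunk, the PR description should say so, because the same `persistence`-on-`t1112` addition recurs in `win_security_net_ntlm_downgrade.yml` and `win_security_sysmon_channel_reference_deletion.yml`. Otherwise the line should be dropped rather than shipped as a tactic the rule does not detect.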
@@ -21,6 +21,7 @@ references: author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-06-20 tags: + - attack.collection - attack.credential-access - attack.t1557.003 - attack.persistence diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml index 6611647728a..489e468253e 100644 --- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml +++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml @@ -12,6 +12,7 @@ author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) date: 2019-10-26 modified: 2023-11-15 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.t1134.001 - attack.t1134.002 diff --git a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml index 8f89ffb5c8e..21ef19f0ee1 100644 --- a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml @@ -11,6 +11,7 @@ author: Florian Roth (Nextron Systems), wagga date: 2018-03-20 modified: 2022-10-09 tags: + - attack.persistence - attack.defense-evasion - attack.t1562.001 - attack.t1112 diff --git a/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml b/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml index 5d72c067ad3..5b6387c434c 100755 --- a/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml +++ b/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml @@ -8,6 +8,7 @@ author: Tim Shelton (HAWK.IO) date: 2021-12-06 modified: 2022-01-16 tags: + - attack.privilege-escalation - attack.persistence - attack.t1547.009 logsource: 
diff --git a/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml index 4fe9c2da3f6..def8aac3b3c 100644 --- a/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml @@ -8,6 +8,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton date: 2019-08-15 modified: 2022-09-18 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.t1548 logsource: diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml index c2ebdc3ea0c..f3a4d4f5858 100644 --- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml +++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml @@ -11,6 +11,7 @@ author: Connor Martin, Nasreddine Bencherchali (Nextron Systems) date: 2022-12-23 modified: 2024-12-07 tags: + - attack.privilege-escalation - attack.persistence - attack.execution - attack.t1543.003 diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml index 6b7dcfc1cd8..20ec0efecb4 100644 --- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml +++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml @@ -13,6 +13,7 @@ author: Tim Rauch (Nextron Systems), Elastic (idea) date: 2022-09-15 modified: 2023-01-04 tags: + - attack.persistence - attack.privilege-escalation - attack.t1543 logsource: 
diff --git a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml index 4f5388a2a84..cb5529dd86f 100644 --- a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml +++ b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml @@ -8,6 +8,7 @@ author: Thomas Patzke date: 2019-12-03 modified: 2024-01-16 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: diff --git a/rules/windows/builtin/security/win_security_susp_add_sid_history.yml b/rules/windows/builtin/security/win_security_susp_add_sid_history.yml index 9019ef076b7..0420eb090eb 100644 --- a/rules/windows/builtin/security/win_security_susp_add_sid_history.yml +++ b/rules/windows/builtin/security/win_security_susp_add_sid_history.yml @@ -7,6 +7,7 @@ references: author: Thomas Patzke, @atc_project (improvements) date: 2017-02-19 tags: + - attack.defense-evasion - attack.persistence - attack.privilege-escalation - attack.t1134.005 diff --git a/rules/windows/builtin/security/win_security_susp_computer_name.yml b/rules/windows/builtin/security/win_security_susp_computer_name.yml index 9d37600fd75..e9d793d01d9 100644 --- a/rules/windows/builtin/security/win_security_susp_computer_name.yml +++ b/rules/windows/builtin/security/win_security_susp_computer_name.yml @@ -9,6 +9,8 @@ author: elhoim date: 2022-09-09 modified: 2023-01-04 tags: + - attack.initial-access + - attack.defense-evasion - cve.2021-42278 - cve.2021-42287 - attack.persistence diff --git a/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml b/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml index 6875253228c..6516a3f40e9 100644 --- a/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml +++ b/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml 
@@ -15,6 +15,7 @@ author: Thomas Patzke date: 2017-02-19 modified: 2020-08-23 tags: + - attack.privilege-escalation - attack.persistence - attack.t1098 logsource: diff --git a/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml b/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml index 77735eb32bf..13b37591876 100644 --- a/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml +++ b/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml @@ -8,6 +8,7 @@ references: - https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 date: 2024-09-04 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.t1484.001 logsource: diff --git a/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml index 0ec841bc772..3578a7fb20c 100644 --- a/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml +++ b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml @@ -8,6 +8,8 @@ references: author: Elastic, Josh Nickels, Marius Rothenbücher date: 2024-09-06 tags: + - attack.persistence + - attack.defense-evasion - attack.privilege-escalation - attack.t1484.001 - attack.t1547 diff --git a/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml b/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml index 5e6a3c0dcfa..06138f399c6 100644 --- a/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml 
@@ -8,6 +8,10 @@ author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0 date: 2020-10-05 modified: 2022-08-03 tags: + - attack.privilege-escalation + - attack.persistence + - attack.initial-access + - attack.defense-evasion - attack.t1078 - attack.lateral-movement logsource: diff --git a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml index fe014d71341..b3dabac2286 100644 --- a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml +++ b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml @@ -9,6 +9,8 @@ references: author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea) date: 2022-10-17 tags: + - attack.persistence + - attack.defense-evasion - attack.credential-access - attack.t1556 logsource: diff --git a/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml index 7ce6334c6da..a6e0ac7fac0 100644 --- a/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml +++ b/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml @@ -11,6 +11,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-07-14 modified: 2025-10-22 tags: + - attack.persistence - attack.defense-evasion - attack.t1112 logsource: diff --git a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml index d570c0c0345..017d69c16d4 100644 --- a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml +++ b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml 
@@ -9,6 +9,8 @@ author: Florian Roth (Nextron Systems) date: 2017-03-14 modified: 2021-01-17 tags: + - attack.initial-access + - attack.defense-evasion - attack.privilege-escalation - attack.t1078 - attack.persistence diff --git a/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml index 922817af3b7..5adbc5e1293 100644 --- a/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml +++ b/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml @@ -8,6 +8,7 @@ author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community date: 2019-10-24 modified: 2022-12-25 tags: + - attack.credential-access - attack.lateral-movement - attack.privilege-escalation - attack.t1558.003 diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml index b08a018ab0b..8bb7aa63f3a 100644 --- a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml +++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml @@ -8,6 +8,8 @@ author: Bhabesh Raj date: 2022-08-02 modified: 2022-09-28 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml index 4cb8287ea18..66857f237b8 100644 --- a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml 
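Review bot: `- attack.initial-access` and `- attack.defense-evasion` are added to `win_security_user_added_to_local_administrators.yml`, a rule about a group-membership change, solely because the existing `attack.t1078` (Valid Accounts) lists those tactics; an addition to the local Administrators group is not initial access. The event is modelled far more precisely by `attack.t1098.007` (Account Manipulation: Additional Local or Domain Groups), whose tactics are exactly the `persistence` and `privilege-escalation` already present, so replacing `- attack.t1078` with `- attack.t1098` and `- attack.t1098.007` would satisfy the tactic check without the two new tags — assuming the validator's ATT&CK data includes that sub-technique. The detection section is outside the hunk.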
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml @@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-08-03 modified: 2022-09-28 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml b/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml index 774d74d4486..fd76743543d 100644 --- a/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml +++ b/rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml @@ -13,6 +13,9 @@ references: author: hamid date: 2025-10-19 tags: + - attack.impact + - attack.credential-access + - attack.collection - attack.initial-access - attack.privilege-escalation - attack.execution diff --git a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml index 42a96b60cb3..b19d4ac9510 100644 --- a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml +++ b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml @@ -10,6 +10,8 @@ author: Dimitrios Slamaris date: 2017-05-15 modified: 2022-12-25 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml index e15dabe5952..f158ddb987b 100644 --- a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml 
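Review bot: `win_system_isatap_router_address_set.yml` gains `- attack.impact`, `- attack.credential-access` and `- attack.collection` on top of the `initial-access`, `privilege-escalation` and `execution` already visible, which puts one event-log rule under at least six tactics; at that point the tactic tags carry no triage information and the rule will light up most of a Navigator layer. Each tactic should be backed by a technique the rule can actually observe from a router-address change — `impact` in particular needs justification — and tactics that exist only because a mapped technique lists them should be dropped together with that technique. The remaining tags and the detection are outside the hunk, so I cannot tell which techniques these map to.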
+++ b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml @@ -10,6 +10,8 @@ author: 'Dimitrios Slamaris, @atc_project (fix)' date: 2017-05-15 modified: 2022-12-25 tags: + - attack.privilege-escalation + - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: diff --git a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml index 1b85ee70f6d..06e64363745 100644 --- a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml +++ b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml @@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems) date: 2022-10-07 modified: 2023-04-14 tags: + - attack.collection - attack.execution - attack.credential-access - attack.t1557.001 diff --git a/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml b/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml index 95c8eaecffd..ce5b4a28d67 100644 --- a/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml +++ b/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml @@ -8,6 +8,7 @@ author: NVISO date: 2020-09-15 modified: 2022-12-25 tags: + - attack.defense-evasion - attack.privilege-escalation - attack.t1548 logsource: diff --git a/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml b/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml index cfc58dc46bc..74c4cd03f09 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml 
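Review bot: Adding `- attack.defense-evasion` to `win_system_vul_cve_2020_1472.yml` follows from the existing `attack.t1548` (Abuse Elevation Control Mechanism) tag, but Zerologon is a Netlogon authentication bypass against a domain controller, not an elevation-control abuse such as UAC or sudo, so the rule now inherits a tactic from a technique that does not describe it. `- attack.t1210` (Exploitation of Remote Services, lateral-movement) or `- attack.t1068` (Exploitation for Privilege Escalation) would model the detection and keep the tactic list to what the event evidences; if `t1548` is kept on purpose, a short comment above the tag explaining the mapping would help the next reviewer. The detection logic is outside the hunk.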
@@ -10,6 +10,7 @@ author: Florian Roth (Nextron Systems), Wojciech Lesicki
 date: 2021-05-26
 modified: 2022-11-27
 tags:
+ - attack.persistence
 - attack.execution
 - attack.privilege-escalation
 - attack.lateral-movement
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml b/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
index b19f342ab5e..7d31d91fe50 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
@@ -8,6 +8,7 @@ author: Sittikorn S, Tim Shelton
 date: 2022-05-11
 modified: 2022-10-05
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 6292f812565..c47ac6f5909 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -9,6 +9,7 @@ author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
 date: 2019-10-26
 modified: 2023-11-15
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1134.001
 - attack.t1134.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
index 0297275ba7f..eeb4b142f39 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
@@ -9,6 +9,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-22
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
index e73fdcdd425..d4aba251cce 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
@@ -9,6 +9,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-22
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
index ca7f6c3bef3..60bd7d49d7e 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-05-27
 modified: 2022-12-25
 tags:
+ - attack.persistence
 - attack.execution
 - attack.privilege-escalation
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
index 79cc776502c..b56ea2fd90b 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
@@ -11,6 +11,7 @@ author: Connor Martin, Nasreddine Bencherchali
 date: 2022-12-23
 modified: 2023-06-22
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.execution
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
index cfbdb8c8401..ebcc5734174 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
@@ -8,6 +8,7 @@ references:
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-25
 tags:
+ - attack.persistence
 - attack.execution
 - attack.privilege-escalation
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
index ad3fc9e5082..64bb631ff02 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
@@ -11,6 +11,7 @@ author: Tim Rauch (Nextron Systems), Elastic (idea)
 date: 2022-09-15
 modified: 2023-01-04
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543
 logsource:
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
index 247c55c6ec2..7e65b6939ea 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
@@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-05
 modified: 2023-02-07
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
index 98b48af795a..81fd92e32d4 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
@@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-05
 modified: 2023-02-07
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
index 1605c54ba0d..6b4f8497792 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
@@ -9,6 +9,7 @@ author: '@SBousseaden (detection), Thomas Patzke (rule)'
 date: 2019-02-01
 modified: 2023-05-05
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.execution
 - attack.t1055.012
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
index 06da54deb50..d3810300abc 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
@@ -9,6 +9,7 @@ author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.comm
 date: 2018-11-30
 modified: 2023-05-05
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055.001
 logsource:
diff --git a/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
index 8424731df9c..df964137536 100644
--- a/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
+++ b/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml
@@ -18,6 +18,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-20
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
index bb67b6b82d0..917a9043cef 100644
--- a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
+++ b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
@@ -11,6 +11,7 @@ references:
 author: Josh Nickels
 date: 2024-02-26
 tags:
+ - attack.credential-access
 - attack.collection
 - attack.t1056
 logsource:
diff --git a/rules/windows/dns_query/dns_query_win_quickassist.yml b/rules/windows/dns_query/dns_query_win_quickassist.yml
index 5ab11aded6d..e150b925e72 100644
--- a/rules/windows/dns_query/dns_query_win_quickassist.yml
+++ b/rules/windows/dns_query/dns_query_win_quickassist.yml
@@ -1,6 +1,6 @@
 title: DNS Query Request By QuickAssist.EXE
 id: 882e858a-3233-4ba8-855e-2f3d3575803d
-status: experimental
+status: test
 description: |
 Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
 references:
diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers.yml b/rules/windows/driver_load/driver_load_win_mal_drivers.yml
index 3c29bb1168b..1bbc6d55446 100644
--- a/rules/windows/driver_load/driver_load_win_mal_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_drivers.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-18
 modified: 2023-12-02
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
index 49c631b5ac8..5444e72b9e6 100644
--- a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-03
 modified: 2023-12-02
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
diff --git a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
index e6987a0829a..1cd38bbfd7b 100644
--- a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
@@ -11,6 +11,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-11-16
 modified: 2024-11-23
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - cve.2021-21551
 - attack.t1543
diff --git a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
index 27b135255ad..bde7c567590 100644
--- a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
@@ -12,6 +12,7 @@ author: Florian Roth (Nextron Systems)
 date: 2023-05-08
 modified: 2024-11-23
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
index 3909b7b6e06..b9f6bcdc55f 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-18
 modified: 2023-12-02
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
index e56a0c68a71..c0bfc2dae9b 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-03
 modified: 2023-12-02
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
diff --git a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
index 6ea75fa8223..c1f7d2eaae7 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-18
 modified: 2024-11-23
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
index a844938bbf0..c735587824d 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-07-26
 modified: 2024-11-23
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml
index 2b08c4ac885..68e1757c30c 100644
--- a/rules/windows/driver_load/driver_load_win_windivert.yml
+++ b/rules/windows/driver_load/driver_load_win_windivert.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-07-30
 modified: 2024-11-23
 tags:
+ - attack.credential-access
 - attack.collection
 - attack.defense-evasion
 - attack.t1599.001
diff --git a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
index 31e14a9e7af..3dd0d466b05 100644
--- a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
+++ b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
@@ -10,6 +10,7 @@ references:
 author: Tim Rauch (Nextron Systems), Elastic (idea)
 date: 2022-09-27
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
index ff86977218e..bc01aed878c 100644
--- a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
+++ b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
@@ -11,6 +11,7 @@ author: Tim Rauch (Nextron Systems), Elastic (idea)
 date: 2022-09-27
 modified: 2023-02-15
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
index 6c030c135aa..850807c43be 100644
--- a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
@@ -13,6 +13,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2021-12-29
 modified: 2023-12-06
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.009
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
index 6690529518c..7a687d5cd5a 100644
--- a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
@@ -10,6 +10,7 @@ author: frack113
 date: 2021-12-29
 modified: 2022-11-08
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.002
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
index 0ba1c9bcf14..360654d083e 100644
--- a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
@@ -9,6 +9,7 @@ references:
 author: frack113
 date: 2021-12-30
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.009
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
index a7f0f0d4877..5b73a99e43e 100644
--- a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
@@ -8,6 +8,8 @@ references:
 author: Tim Rauch (rule), Elastic (idea)
 date: 2022-10-21
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.t1566
 - attack.t1566.001
 - attack.initial-access
diff --git a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
index e19e5061d7c..aa8bfaab28f 100644
--- a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
+++ b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
@@ -9,6 +9,7 @@ author: Vadim Varganov, Florian Roth (Nextron Systems)
 date: 2022-08-24
 modified: 2023-02-23
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - cve.2022-30190
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
index 8331239e983..afab9e8d8c5 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
@@ -11,6 +11,7 @@ author: '@ScoubiMtl'
 date: 2021-04-05
 modified: 2023-02-08
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.command-and-control
 - attack.t1137
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
index 31b2b1cf19a..ef6b56314c2 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
@@ -12,6 +12,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-08
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.command-and-control
 - attack.t1137
diff --git a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
index a8b62397fbe..cdbc73b3d1a 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
@@ -13,6 +13,7 @@ author: Christopher Peacock '@securepeacock', SCYTHE
 date: 2021-10-24
 modified: 2023-02-23
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
index e342ee952fd..e958abb2857 100644
--- a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
+++ b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
@@ -11,6 +11,7 @@ author: Greg (rule)
 date: 2022-07-21
 modified: 2023-01-05
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
index 962fd859ab5..96ed228914b 100644
--- a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
+++ b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
@@ -12,6 +12,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
 modified: 2025-10-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
index ce5a5563961..24fe4d9a7a5 100644
--- a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
@@ -8,6 +8,7 @@ author: elhoim
 date: 2022-04-28
 modified: 2022-06-02
 tags:
+ - attack.privilege-escalation
 - attack.t1055
 - attack.t1218
 - attack.execution
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
index 1f52f96a14e..158bb9b6092 100755
--- a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
@@ -8,6 +8,7 @@ author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
 date: 2020-03-19
 modified: 2022-10-07
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.009
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
index 762cb5bb474..b59d21bfadb 100644
--- a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
@@ -11,6 +11,7 @@ references:
 author: frack113
 date: 2022-04-23
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546
 - attack.defense-evasion
diff --git a/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml b/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml
index 826214e9bda..f5f2bba2e16 100644
--- a/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml
@@ -1,6 +1,6 @@
 title: Suspicious Binaries and Scripts in Public Folder
 id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
-status: experimental
+status: test
 description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
 references:
 - https://intel.thedfirreport.com/events/view/30032 # Private Report
diff --git a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
index 52dfad20789..b15537203c8 100644
--- a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
@@ -16,6 +16,7 @@ author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (
 date: 2022-08-10
 modified: 2025-10-12
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.t1204.002
 - attack.persistence
diff --git a/rules/windows/file/file_event/file_event_win_susp_task_write.yml b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
index ac377be2935..178455aef70 100644
--- a/rules/windows/file/file_event/file_event_win_susp_task_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-11-16
 modified: 2022-01-12
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.execution
 - attack.t1053
diff --git a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml
index d633343a48b..c45da5fb54b 100644
--- a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml
@@ -8,6 +8,7 @@ references:
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023-07-22
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.015
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
index dc64f6d294c..bde7198d578 100644
--- a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-05-09
 modified: 2024-11-28
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
diff --git a/rules/windows/file/file_event/file_event_win_winrar_file_creation_in_startup_folder.yml b/rules/windows/file/file_event/file_event_win_winrar_file_creation_in_startup_folder.yml
index 70e539b6436..f62ea99650a 100644
--- a/rules/windows/file/file_event/file_event_win_winrar_file_creation_in_startup_folder.yml
+++ b/rules/windows/file/file_event/file_event_win_winrar_file_creation_in_startup_folder.yml
@@ -11,6 +11,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-07-16
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
index ca9c5ded3fe..a6e8282bba4 100755
--- a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
@@ -8,6 +8,7 @@ author: Thomas Patzke
 date: 2018-03-07
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
 - attack.t1546.003
 - attack.persistence
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
index 009f3dae58d..5f4e443753b 100644
--- a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
+++ b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
@@ -10,6 +10,8 @@ author: frack113
 date: 2022-01-01
 modified: 2022-08-13
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.lateral-movement
 - attack.t1546.002
 logsource:
diff --git a/rules/windows/image_load/image_load_clfs_load.yml b/rules/windows/image_load/image_load_clfs_load.yml
index 9e615a91cae..6e1762bcd9c 100644
--- a/rules/windows/image_load/image_load_clfs_load.yml
+++ b/rules/windows/image_load/image_load_clfs_load.yml
@@ -1,6 +1,6 @@
 title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
 id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
-status: experimental
+status: test
 description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.
 references:
 - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
diff --git a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
index b7a1970276d..02b023a5774 100644
--- a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
+++ b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
@@ -10,6 +10,7 @@ author: Den Iuzvyk
 date: 2020-07-15
 modified: 2023-04-18
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_appverifui.yml b/rules/windows/image_load/image_load_side_load_appverifui.yml
index 600bfd5eb1d..6044538f110 100644
--- a/rules/windows/image_load/image_load_side_load_appverifui.yml
+++ b/rules/windows/image_load/image_load_side_load_appverifui.yml
@@ -7,6 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-06-20
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
index 3305cd8fce9..56fe989b808 100644
--- a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
+++ b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-22
 modified: 2023-03-15
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.persistence
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_avkkid.yml b/rules/windows/image_load/image_load_side_load_avkkid.yml
index e0c0487c507..f4052a4a004 100644
--- a/rules/windows/image_load/image_load_side_load_avkkid.yml
+++ b/rules/windows/image_load/image_load_side_load_avkkid.yml
@@ -7,6 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-08-03
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_coregen.yml b/rules/windows/image_load/image_load_side_load_coregen.yml
index 55fdb35e29f..64dc35a5a41 100644
--- a/rules/windows/image_load/image_load_side_load_coregen.yml
+++ b/rules/windows/image_load/image_load_side_load_coregen.yml
@@ -7,6 +7,7 @@ references:
 author: frack113
 date: 2022-12-31
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1218
 - attack.t1055
diff --git a/rules/windows/image_load/image_load_side_load_dbgmodel.yml b/rules/windows/image_load/image_load_side_load_dbgmodel.yml
index d53e57dd0e7..2a076e9f4c5 100644
--- a/rules/windows/image_load/image_load_side_load_dbgmodel.yml
+++ b/rules/windows/image_load/image_load_side_load_dbgmodel.yml
@@ -8,6 +8,8 @@ author: Gary Lobermier
 date: 2024-07-11
 modified: 2024-07-22
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_eacore.yml b/rules/windows/image_load/image_load_side_load_eacore.yml
index 52b90f93480..e4fb13c02bb 100644
--- a/rules/windows/image_load/image_load_side_load_eacore.yml
+++ b/rules/windows/image_load/image_load_side_load_eacore.yml
@@ -7,6 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-08-03
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_edputil.yml b/rules/windows/image_load/image_load_side_load_edputil.yml
index e14b8f6f283..0be84bd965c 100644
--- a/rules/windows/image_load/image_load_side_load_edputil.yml
+++ b/rules/windows/image_load/image_load_side_load_edputil.yml
@@ -7,6 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-06-09
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_goopdate.yml b/rules/windows/image_load/image_load_side_load_goopdate.yml
index 4b1e455e5fb..a92834ba150 100644
--- a/rules/windows/image_load/image_load_side_load_goopdate.yml
+++ b/rules/windows/image_load/image_load_side_load_goopdate.yml
@@ -8,6 +8,7 @@ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-15
 modified: 2025-10-07
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_iviewers.yml b/rules/windows/image_load/image_load_side_load_iviewers.yml
index 19a3d64affa..c22f86e349b 100644
--- a/rules/windows/image_load/image_load_side_load_iviewers.yml
+++ b/rules/windows/image_load/image_load_side_load_iviewers.yml
@@ -7,6 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-03-21
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_keyscrambler.yml b/rules/windows/image_load/image_load_side_load_keyscrambler.yml
index 722e80738de..6b3bca73a37 100644
--- a/rules/windows/image_load/image_load_side_load_keyscrambler.yml
+++ b/rules/windows/image_load/image_load_side_load_keyscrambler.yml
@@ -16,6 +16,7 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2024-04-15
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_mfdetours.yml b/rules/windows/image_load/image_load_side_load_mfdetours.yml
index 8df9b617c67..eef04981ab7 100644
--- a/rules/windows/image_load/image_load_side_load_mfdetours.yml
+++ b/rules/windows/image_load/image_load_side_load_mfdetours.yml
@@ -7,6 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-03
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
index ad485c892c7..fce67c510fe 100644
--- a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
+++ b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
@@ -10,6 +10,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-11
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_mpsvc.yml b/rules/windows/image_load/image_load_side_load_mpsvc.yml
index 66b2298b571..058fa4308cc 100644
--- a/rules/windows/image_load/image_load_side_load_mpsvc.yml
+++ b/rules/windows/image_load/image_load_side_load_mpsvc.yml
@@ -7,6 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema
 date: 2024-07-11
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_mscorsvc.yml b/rules/windows/image_load/image_load_side_load_mscorsvc.yml
index ceaa4ef25fa..15de52ddb0c 100644
--- a/rules/windows/image_load/image_load_side_load_mscorsvc.yml
+++ b/rules/windows/image_load/image_load_side_load_mscorsvc.yml
@@ -8,6 +8,8 @@ author: Wietze Beukema
 date: 2024-07-11
 modified: 2025-02-26
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_python.yml b/rules/windows/image_load/image_load_side_load_python.yml
index c1e4fe34387..920437331a2 100644
--- a/rules/windows/image_load/image_load_side_load_python.yml
+++ b/rules/windows/image_load/image_load_side_load_python.yml
@@ -10,6 +10,8 @@ author: Swachchhanda Shrawan Poudel
 date: 2024-10-06
 modified: 2025-08-18
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_rcdll.yml b/rules/windows/image_load/image_load_side_load_rcdll.yml
index 0ea5027d572..610e53d92f2 100644
--- a/rules/windows/image_load/image_load_side_load_rcdll.yml
+++ b/rules/windows/image_load/image_load_side_load_rcdll.yml
@@ -8,6 +8,7 @@ author: X__Junior (Nextron Systems)
 date: 2023-03-13
 modified: 2023-03-15
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
index e99ab2883ce..9628b7c7ba2 100644
--- a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
+++ b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
@@ -7,6 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-06-09
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
index 8f1bbc41987..ac675c66bef 100644
--- a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
+++ b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
@@ -7,6 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-06-09
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_robform.yml b/rules/windows/image_load/image_load_side_load_robform.yml
index 787ad6c977a..e1973606c8a 100644
--- a/rules/windows/image_load/image_load_side_load_robform.yml
+++ b/rules/windows/image_load/image_load_side_load_robform.yml
@@ -9,6 +9,7 @@ references:
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-14
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_shelldispatch.yml b/rules/windows/image_load/image_load_side_load_shelldispatch.yml
index aa953f957ee..23a5373e6b9 100644
--- a/rules/windows/image_load/image_load_side_load_shelldispatch.yml
+++ b/rules/windows/image_load/image_load_side_load_shelldispatch.yml
@@ -7,6 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-06-20
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_smadhook.yml b/rules/windows/image_load/image_load_side_load_smadhook.yml
index f89d39abd59..f60ff84a4e5 100644
--- a/rules/windows/image_load/image_load_side_load_smadhook.yml
+++ b/rules/windows/image_load/image_load_side_load_smadhook.yml
@@ -8,6 +8,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-06-01
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
index 14fe9478fdf..975b728079a 100644
--- a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
+++ b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
@@ -7,6 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-05-07
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_ualapi.yml b/rules/windows/image_load/image_load_side_load_ualapi.yml
index c5585deda96..c1f454cf650 100644
--- a/rules/windows/image_load/image_load_side_load_ualapi.yml
+++ b/rules/windows/image_load/image_load_side_load_ualapi.yml
@@ -8,6 +8,7 @@ author: NVISO
 date: 2020-05-04
 modified: 2022-06-02
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
index 958768ef488..0ceb195e7e6 100644
--- a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
+++ b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
@@ -7,6 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-08-03
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
index 3f6f04a4644..ade77083e73 100644
--- a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
+++ b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
@@ -8,6 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-02
 modified: 2023-02-17
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_waveedit.yml b/rules/windows/image_load/image_load_side_load_waveedit.yml
index f826169b2a1..3984fab9a9c 100644
--- a/rules/windows/image_load/image_load_side_load_waveedit.yml
+++ b/rules/windows/image_load/image_load_side_load_waveedit.yml
@@ -7,6 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-06-14
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_side_load_windows_defender.yml b/rules/windows/image_load/image_load_side_load_windows_defender.yml
index b16e9577e5e..08c37f90434 100644
--- a/rules/windows/image_load/image_load_side_load_windows_defender.yml
+++ b/rules/windows/image_load/image_load_side_load_windows_defender.yml
@@ -11,6 +11,8 @@ author: Bhabesh Raj
 date: 2022-08-02
 modified: 2023-08-04
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_wwlib.yml b/rules/windows/image_load/image_load_side_load_wwlib.yml
index 8b51f0355b4..95f22de9721 100644
--- a/rules/windows/image_load/image_load_side_load_wwlib.yml
+++ b/rules/windows/image_load/image_load_side_load_wwlib.yml
@@ -9,6 +9,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-05-18
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.001
diff --git a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
index 1ec3baba9bf..d6f8dd14e04 100644
--- a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
+++ b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
@@ -7,6 +7,8 @@ references:
 author: '@SerkinValery'
 date: 2023-06-08
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
index 81117a5f3e1..ff993e82c39 100644
--- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
@@ -11,6 +11,7 @@ author: omkar72, oscd.community
 date: 2020-10-14
 modified: 2023-02-23
 tags:
+ - attack.defense-evasion
 - attack.execution
 - attack.privilege-escalation
 - attack.t1055
diff --git a/rules/windows/image_load/image_load_thor_unsigned_execution.yml b/rules/windows/image_load/image_load_thor_unsigned_execution.yml
index 1a11357006a..49d671b22f4 100644
--- a/rules/windows/image_load/image_load_thor_unsigned_execution.yml
+++ b/rules/windows/image_load/image_load_thor_unsigned_execution.yml
@@ -7,6 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-10-29
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/image_load/image_load_win_trusted_path_bypass.yml b/rules/windows/image_load/image_load_win_trusted_path_bypass.yml
index 9bfb518498b..2b8d5828a26 100644
--- a/rules/windows/image_load/image_load_win_trusted_path_bypass.yml
+++ b/rules/windows/image_load/image_load_win_trusted_path_bypass.yml
@@ -12,6 +12,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.007
diff --git a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
index 3f27a9f9625..d56068df671 100755
--- a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
@@ -8,6 +8,7 @@ author: Thomas Patzke
 date: 2018-03-07
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
 - attack.t1546.003
 - attack.persistence
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_notepad.yml b/rules/windows/network_connection/net_connection_win_notepad.yml
index eba8e4b2108..2f999dcbacf 100644
--- a/rules/windows/network_connection/net_connection_win_notepad.yml
+++ b/rules/windows/network_connection/net_connection_win_notepad.yml
@@ -12,6 +12,7 @@ author: EagleEye Team
 date: 2020-05-14
 modified: 2024-02-02
 tags:
+ - attack.privilege-escalation
 - attack.command-and-control
 - attack.execution
 - attack.defense-evasion
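Review bot: In the `image_load_wmi_persistence_commandline_event_consumer.yml` hunk the new `attack.privilege-escalation` line is inserted directly above `attack.t1546.003`, which leaves the existing `attack.persistence` tactic below a technique tag, so tactics and techniques end up interleaved; the sticky-keys hunk (`proc_creation_win_cmd_sticky_keys_replace.yml`, where `attack.persistence` is added above `attack.t1546.008` with `attack.privilege-escalation` after it) and the mobsync hunk (`net_connection_win_susp_outbound_mobsync_connection.yml`) show the same pattern. Since the tag block is being touched anyway, grouping tactic tags before technique tags would match the layout of the other rules in this commit: `- attack.privilege-escalation`, `- attack.persistence`, `- attack.t1546.003`. This is a readability point only; as far as I can tell nothing consumes the list order.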
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
index 46380d22f7d..972faa40492 100755
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
@@ -12,6 +12,7 @@ author: Ilyas Ochkov, oscd.community
 date: 2019-10-24
 modified: 2024-03-15
 tags:
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1558
 - attack.lateral-movement
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
index 4297d9aa2b6..5bc9e0718b5 100644
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
@@ -8,6 +8,7 @@ author: elhoim
 date: 2022-04-28
 modified: 2024-03-12
 tags:
+ - attack.privilege-escalation
 - attack.t1055
 - attack.t1218
 - attack.execution
diff --git a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
index d0e50988d39..da13d9652eb 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-08
 modified: 2023-08-07
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.credential-access
 - attack.t1528
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
index 0bf434c52db..5e379cee32d 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
@@ -10,6 +10,9 @@ references:
 author: frack113
 date: 2022-02-21
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
+ - attack.defense-evasion
 - attack.initial-access
 - attack.t1078
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
index 0916328f800..9bd9d7e3208 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
@@ -9,6 +9,8 @@ author: frack113
 date: 2021-12-28
 modified: 2025-10-07
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
index 7619adb069d..1ddfaa7ad61 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
@@ -8,6 +8,8 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2021-12-27
 modified: 2024-01-22
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1556.002
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
index 5698717009e..e1593fb846d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
@@ -12,6 +12,8 @@ references:
 author: frack113
 date: 2021-12-30
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.012
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
index 5969b4001f0..20798897b18 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
@@ -11,6 +11,7 @@ author: frack113, Duc.Le-GTSC
 date: 2021-08-03
 modified: 2022-03-03
 tags:
+ - attack.discovery
 - attack.defense-evasion
 - attack.t1497.001
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
index fccff1d2fdc..10c2b77b85d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
@@ -11,6 +11,8 @@ references:
 author: frack113
 date: 2021-12-30
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.011
 - stp.2a
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
index 1c525bf0d5f..e8910689486 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
@@ -12,6 +12,7 @@ references:
 author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
 date: 2023-04-27
 tags:
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1003
 - attack.t1558.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
index 8a6ee575d1c..7b50a8da44f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2021-07-30
 modified: 2022-07-11
 tags:
+ - attack.credential-access
 - attack.collection
 - attack.t1056.001
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
index daa33de6cd6..da7263b41d2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
@@ -10,6 +10,7 @@ references:
 author: frack113
 date: 2021-12-28
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
index d27184e87ca..4903991ca26 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
@@ -12,6 +12,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2019-10-21
 modified: 2022-07-07
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.004
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
index 65e4256eb98..2f7ce46e9b2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2021-08-19
 modified: 2022-12-25
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1546.003
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
index 6ff15466dc4..5b68dfe5f6f 100644
--- a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
@@ -8,6 +8,7 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-09
 modified: 2023-11-28
 tags:
+ - attack.defense-evasion
 - attack.execution
 - attack.privilege-escalation
 - attack.t1204.002
diff --git a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
index 303d1d51d51..69eaedb8ac6 100644
--- a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
@@ -8,6 +8,7 @@ author: Florent Labouyrie
 date: 2021-04-30
 modified: 2022-10-09
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml b/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
index ec59ed03d04..c0386597bac 100644
--- a/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
@@ -9,6 +9,8 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.comm
 date: 2019-10-24
 modified: 2021-11-27
 tags:
+ - attack.persistence
+ - attack.execution
 - attack.privilege-escalation
 - attack.t1053.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml b/rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml
index 0185a7ffa5a..9576c22f729 100644
--- a/rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml
+++ b/rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml
@@ -9,6 +9,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-02-17
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
index f450bd6d2fc..7280155a0e8 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
@@ -14,6 +14,7 @@ author: Sreeman
 date: 2020-10-29
 modified: 2024-01-25
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1197
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
index c74d5cf2e41..233ad4734f8 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
@@ -13,6 +13,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-23
 tags:
+ - attack.defense-evasion
 - attack.credential-access
 - attack.collection
 - attack.t1185
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
index b16c2ee3721..f97e9385c8b 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
@@ -11,6 +11,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-09-12
 tags:
+ - attack.defense-evasion
 - attack.command-and-control
 - attack.t1105
 - attack.t1564.003
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
index b09b9b5e4da..fe39b2885a5 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
@@ -12,6 +12,7 @@ author: Sreeman, Florian Roth (Nextron Systems)
 date: 2022-01-04
 modified: 2025-10-07
 tags:
+ - attack.defense-evasion
 - attack.command-and-control
 - attack.t1105
 - attack.t1564.003
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
index 15f2e831274..1203d07a8ed 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
@@ -13,6 +13,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2019-10-21
 modified: 2023-03-06
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
index b0ab2ab46e4..68de9e82b50 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
@@ -13,6 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-28
 modified: 2023-03-06
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
index e838850bc4e..5d93fb3168d 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
@@ -12,6 +12,7 @@ author: Sreeman
 date: 2020-02-18
 modified: 2023-03-07
 tags:
+ - attack.persistence
 - attack.t1546.008
 - attack.privilege-escalation
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
index fe73817dfcb..bf77a087809 100644
--- a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
+++ b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
@@ -8,6 +8,7 @@ author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
 date: 2020-06-22
 modified: 2023-10-11
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.defense-evasion
 - attack.t1218.002
diff --git a/rules/windows/process_creation/proc_creation_win_csi_execution.yml b/rules/windows/process_creation/proc_creation_win_csi_execution.yml
index a3f5e0697c3..f26f4824011 100644
--- a/rules/windows/process_creation/proc_creation_win_csi_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_csi_execution.yml
@@ -11,6 +11,7 @@ author: Konstantin Grishchenko, oscd.community
 date: 2020-10-17
 modified: 2022-07-11
 tags:
+ - attack.lateral-movement
 - attack.execution
 - attack.t1072
 - attack.defense-evasion
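Review bot: In the `proc_creation_win_control_panel_item.yml` hunk, `attack.privilege-escalation` is added but the only technique tag visible in the hunk, `attack.t1218.002`, belongs to Defense Evasion alone; the `proc_creation_win_event_logging_disable_via_key_minint.yml` hunk further down has the same shape, adding `attack.persistence` next to `attack.t1562.002` and `attack.t1112`, both Defense Evasion techniques. Each hunk shows only three trailing context lines, so a technique that justifies the new tactic may well follow outside the hunk, in which case nothing is wrong. If no such technique is present, the tactic tag is unsupported and should either be dropped or be paired with the technique it derives from, since a tactic without a matching technique skews any ATT&CK coverage mapping built from these tags. Worth confirming against the full tag list of each of the two rules.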
diff --git a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
index fc560bb5b62..b6faa6ded42 100644
--- a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
@@ -12,6 +12,7 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
 date: 2020-01-28
 modified: 2025-01-22
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
index 391cc212fd7..176cd343492 100644
--- a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
+++ b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
@@ -14,6 +14,8 @@ author: '@gott_cyber'
 date: 2022-08-29
 modified: 2023-02-04
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
index f10fe04711e..f332d6054da 100644
--- a/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
@@ -9,6 +9,8 @@ references:
 author: Michael Haag
 date: 2024-09-03
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
index 4142faea960..f2c69fe7ce1 100644
--- a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
+++ b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
@@ -7,6 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-02
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
index 0caeaa9b743..2d0236e3132 100644
--- a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
@@ -10,6 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-27
 modified: 2023-05-15
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
index 296b9029203..ca892a803b6 100644
--- a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
@@ -8,6 +8,7 @@ author: Tim Rauch, Elastic (idea)
 date: 2022-09-27
 modified: 2023-02-05
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
index ea80cbbdff3..ec611ecf562 100644
--- a/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
@@ -14,6 +14,8 @@ author: Florian Roth (Nextron Systems)
 date: 2017-05-08
 modified: 2023-02-05
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 - attack.t1112
diff --git a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
index de68050b9db..3e9bb69819d 100644
--- a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
+++ b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
@@ -13,6 +13,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-04-09
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1562.002
 - attack.t1112
diff --git a/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml b/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
index 71ef80b1b5e..053ce4adc5e 100644
--- a/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
+++ b/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-02-23
 modified: 2022-04-21
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml b/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
index bc8c5c1264a..f2439674a7c 100644
--- a/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2019-02-06
 modified: 2022-08-13
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
index c81e653fc50..f4d861da3bc 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-07-31
 modified: 2023-02-04
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.t1557.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
index dbcd9463f8b..ae9c07e82b4 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
@@ -8,6 +8,8 @@ author: Thomas Patzke
 date: 2020-05-22
 modified: 2023-11-06
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1047
 - attack.t1053
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
index 021d1341f1a..21ece4e180f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-12-07
 modified: 2023-02-04
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml b/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml
index af788288638..508bcf01fb4 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml
@@ -9,6 +9,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-07-01
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055.012
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
index 651136c5088..0480aa7626c 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-07-24
 modified: 2023-02-07
 tags:
+ - attack.collection
 - attack.execution
 - attack.credential-access
 - attack.t1557.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
index 46f3cb68ee5..02a796ed1ed 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-04-26
 modified: 2023-02-04
 tags:
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1558.003
 - attack.lateral-movement
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml b/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml
index 3594d11157a..54ae1d840f0 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml
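Review bot: In the krbrelayup hunk, the new `attack.defense-evasion` sits above `attack.credential-access`, but the only technique tag the hunk shows is `attack.t1558.003`, which ATT&CK files under Credential Access rather than Defense Evasion; the list continues past the hunk's trailing context (`- attack.lateral-movement` is the last line shown), so the justifying technique is presumably further down, but the diff does not let a reviewer confirm that. The rubeus hunk on the next line has the same shape: `attack.defense-evasion` added next to `attack.t1003` and `attack.t1558.003`, with the tag list cut off by the hunk boundary. Either widening these two hunks' context or naming the technique that carries the Defense Evasion tactic in the commit description would make the additions verifiable from the diff alone.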
+++ b/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml
@@ -9,6 +9,7 @@ author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019-10-26
 modified: 2023-02-05
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1134.001
 - attack.t1134.002
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
index 94db90c0774..55bb2169419 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-07-24
 modified: 2023-02-14
 tags:
+ - attack.collection
 - attack.execution
 - attack.credential-access
 - attack.t1557.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
index 97f88c95311..d7b4453c70c 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-12-19
 modified: 2023-04-20
 tags:
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1003
 - attack.t1558.003
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
index 619cac573fc..56d9fb93a8e 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
@@ -11,6 +11,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-07-23
 modified: 2024-11-23
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1134.004
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
index c6d3e2565d5..53c78414494 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
@@ -9,6 +9,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-09-15
 modified: 2023-02-04
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
index c971a46b28a..333089a4323 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-08-20
 modified: 2023-02-13
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.discovery
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
index 17815d5c17f..7ef36f1139d 100644
--- a/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
+++ b/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml
@@ -18,6 +18,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-06-20
 tags:
+ - attack.collection
 - attack.credential-access
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
index 5cb81648eb3..999c74df4db 100644
--- a/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
@@ -10,6 +10,7 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2024-05-13
 tags:
+ - attack.persistence
 - attack.execution
 - attack.defense-evasion
 - attack.privilege-escalation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml b/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
index b19ba6b5a76..e4b71be868b 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
@@ -8,6 +8,8 @@ author: Anton Kutepov, oscd.community
 date: 2020-02-05
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.defense-evasion
 - attack.t1574.008
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
index 17eade9ef38..fa735982f07 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
@@ -9,6 +9,7 @@ author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @a
 date: 2021-09-30
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
index 3710a87605f..06c2fabaa6e 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
@@ -7,6 +7,7 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022-05-19
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
index eb80b979d0f..daa1b9a5920 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
@@ -8,6 +8,7 @@ author: 'Avneet Singh @v3t0_, oscd.community'
 date: 2020-10-18
 modified: 2023-01-09
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
index 16fa80ec30f..bf697f6c1e4 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
@@ -11,6 +11,8 @@ author: Bhabesh Raj
 date: 2022-08-01
 modified: 2023-08-04
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
index d6f3c55de6e..a1518440c1e 100644
--- a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
@@ -9,6 +9,7 @@ author: Alexander McDonald
 date: 2022-06-24
 modified: 2023-02-03
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml b/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml
index f5c4db2b222..9173be47e01 100644
--- a/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-03-17
 modified: 2023-06-23
 tags:
+ - attack.discovery
 - attack.credential-access
 - attack.t1040
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
index 5f7cebbeaae..b3cbb2f74af 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
@@ -11,6 +11,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-18
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
index 922387bda9f..ddef5f6b7db 100644
--- a/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
@@ -1,6 +1,6 @@
 title: QuickAssist Execution
 id: e20b5b14-ce93-4230-88af-981983ef6e74
-status: experimental
+status: test
 description: |
 Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
index 9e84a681d7f..9140fb4ab01 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
@@ -10,6 +10,7 @@ author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Sys
 date: 2021-06-28
 modified: 2025-02-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml b/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
index 1af51441abb..6b7ca4798df 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
@@ -9,6 +9,8 @@ author: Sreeman
 date: 2020-10-29
 modified: 2022-10-09
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.credential-access
 - attack.t1556.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
index fcb0e03b63e..20a2685d8fd 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
@@ -17,6 +17,7 @@ references:
 author: Stephen Lincoln @slincoln-aiq (AttackIQ)
 date: 2023-12-21
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.impact
 - attack.t1112
diff --git a/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml b/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
index f74975989ec..03f1d45116e 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
@@ -9,6 +9,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawa
 date: 2019-10-25
 modified: 2025-02-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
index bd55d92cd84..1f476c77200 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
@@ -11,6 +11,7 @@ author: frack113, Nasreddine Bencherchali
 date: 2022-08-01
 modified: 2023-02-05
 tags:
+ - attack.persistence
 - attack.t1112
 - attack.defense-evasion
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
index 3a4ec330b9d..65d488a2eb5 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
@@ -16,6 +16,7 @@ author: frack113
 date: 2023-01-13
 modified: 2025-08-28
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
index 85b3c92b64a..2c54f61f1eb 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
@@ -15,6 +15,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-12-15
 modified: 2023-12-22
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
index 713c59829cb..9c8ec9b37d4 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
@@ -8,6 +8,7 @@ author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
 date: 2022-02-12
 modified: 2023-02-05
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.lateral-movement
 - attack.t1021.001
diff --git a/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml b/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
index b16ba1acd5a..7be25680c0f 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
@@ -11,6 +11,7 @@ author: frack113
 date: 2021-08-19
 modified: 2022-06-02
 tags:
+ - attack.persistence
 - attack.privilege-escalation
 - attack.t1546.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
index aa688ab7009..7a7e81fb2bd 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
@@ -11,6 +11,8 @@ author: frack113
 date: 2021-12-30
 modified: 2024-03-13
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574.011
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
index f07bd00e776..ff558683e33 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
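Review bot: The tactic tags attached to `attack.t1574.011` end up in a different order in each rule that carries it: reg_service_imagepath_change now reads `privilege-escalation, defense-evasion, persistence`, registry_privilege_escalation_via_service_key (three lines further down in this chunk) reads `persistence, defense-evasion, privilege-escalation`, and sc_service_tamper_for_persistence reads `privilege-escalation, defense-evasion, persistence`. The new tactics appear to be prepended to whatever the rule already listed first, which also leaves pre-existing technique-before-tactic mixes untouched, as in reg_import_from_suspicious_paths, regedit_import_keys and regini_ads where `- attack.t1112` still precedes `- attack.defense-evasion`. If the repository has a canonical order (tactics in ATT&CK matrix order, then techniques), sorting each touched tag block once, e.g. `- attack.persistence`, `- attack.privilege-escalation`, `- attack.defense-evasion` followed by the technique ids, would keep rules for the same technique identical and easier to diff.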
@@ -10,6 +10,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-19
 modified: 2022-10-10
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 - attack.t1562.001
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
index 3fdee181efe..18adb6776da 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
@@ -12,6 +12,7 @@ author: Oddvar Moe, Sander Wiebing, oscd.community
 date: 2020-10-07
 modified: 2024-03-13
 tags:
+ - attack.persistence
 - attack.t1112
 - attack.defense-evasion
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
index f7fa00e5e31..5b7d20b78ed 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
@@ -12,6 +12,7 @@ author: Oddvar Moe, Sander Wiebing, oscd.community
 date: 2020-10-12
 modified: 2024-03-13
 tags:
+ - attack.persistence
 - attack.t1112
 - attack.defense-evasion
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml b/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
index 983759d1bb3..b434b694539 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-05-27
 modified: 2022-10-09
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
index 8be1f4f7b2e..8f268cb793a 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
@@ -13,6 +13,7 @@ author: Eli Salem, Sander Wiebing, oscd.community
 date: 2020-10-12
 modified: 2023-02-08
 tags:
+ - attack.persistence
 - attack.t1112
 - attack.defense-evasion
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regini_execution.yml b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
index 21b40aacf7b..04f465f1b59 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
@@ -13,6 +13,7 @@ author: Eli Salem, Sander Wiebing, oscd.community
 date: 2020-10-08
 modified: 2023-02-08
 tags:
+ - attack.persistence
 - attack.t1112
 - attack.defense-evasion
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml b/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
index 4d37473fba9..25c4b2ecf54 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
@@ -9,6 +9,8 @@ author: Ivan Dyachkov, Yulia Fomina, oscd.community
 date: 2020-10-07
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
index f194259c9f7..87599ace766 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
@@ -11,6 +11,7 @@ author: Tom Ueltschi (@c_APT_ure)
 date: 2019-01-12
 modified: 2023-06-09
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1037.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
index 5882e2661c8..926d8bdea37 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
@@ -9,6 +9,8 @@ author: Teymur Kheirkhabarov
 date: 2019-10-26
 modified: 2024-12-01
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574.011
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
index 85799d495e8..9bb8488071f 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2019-07-17
 modified: 2023-05-24
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
index 6a823017d89..8e97b07712d 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-02-11
 modified: 2024-02-26
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
index 5c3cee11b09..b487f7b289c 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
@@ -14,6 +14,7 @@ references:
 author: Josh Nickels, Qi Nan
 date: 2024-03-11
 tags:
+ - attack.persistence
 - attack.initial-access
 - attack.t1133
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
index e851300f40c..855a3a11428 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
@@ -12,6 +12,7 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
 date: 2020-01-28
 modified: 2025-01-22
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1036
 - attack.t1055.001
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
index 5c239bea734..216434f1aa3 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
@@ -8,6 +8,8 @@ author: elhoim
 date: 2022-09-09
 modified: 2023-02-03
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml b/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
index df306b41dfb..5ac05e97d97 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-05
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
index 5a0ec908dcf..950729948d1 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
@@ -7,6 +7,7 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2021-02-01
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
index 06388ff4750..ad12be4acab 100644
--- a/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
@@ -10,6 +10,7 @@ author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock
 date: 2020-10-18
 modified: 2022-12-13
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
index 0c575bd8719..9a3e91a3566 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
@@ -13,6 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-28
 modified: 2025-10-22
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml
index d10b3de7cf2..0d246b74a5a 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml
@@ -15,6 +15,7 @@ author: Jonhnathan Ribeiro, oscd.community
 date: 2020-10-16
 modified: 2023-02-28
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
index b2c29769fbb..0b9cf254dfb 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
@@ -8,6 +8,8 @@ author: Sreeman
 date: 2020-09-29
 modified: 2023-02-04
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1543.003
 - attack.t1574.011
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
index 9ff4c256b44..c83196d5fbe 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
@@ -8,6 +8,7 @@ author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-03-15
 modified: 2022-07-28
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_change.yml b/rules/windows/process_creation/proc_creation_win_schtasks_change.yml
index d6ae42d41d1..f348ecd4308 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_change.yml
@@ -15,6 +15,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-28
 modified: 2022-11-18
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
index e79bc2c631a..d5f5269d3c7 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-11
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml b/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml
index eda76075523..b238f764af9 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml
@@ -9,6 +9,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-02-05
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 - attack.defense-evasion
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
index 6529c5d0fb4..1f1159d4508 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
@@ -13,6 +13,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-02-21
 modified: 2025-10-07
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml b/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml
index bfe2883eef3..51f8430748c 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-04-15
 modified: 2022-11-18
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml b/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
index f4b7ec16a7e..d1f802cde49 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
@@ -8,6 +8,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-31
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml b/rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml
index 3821b2c60ce..2b11d0316b5 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml
@@ -8,6 +8,7 @@ references:
 author: Rory Duncan
 date: 2025-07-14
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.execution
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
index a65cee2b88e..2f71abf7463 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
@@ -13,6 +13,8 @@ author: Sreeman
 date: 2020-09-29
 modified: 2023-02-10
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
index 87bb266a3e4..def1f25af27 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
@@ -11,6 +11,7 @@ author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
 date: 2022-04-08
 modified: 2023-02-03
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
index 99163716862..353c2ab523b 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
@@ -10,6 +10,7 @@ references:
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023-07-18
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
index 7d2ec04b680..21370b047e1 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
@@ -8,6 +8,7 @@ author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron
 date: 2022-02-12
 modified: 2023-02-04
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
index 26dd70113b2..ee56a617b72 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
@@ -12,6 +12,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-09
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
index 512b2356ddb..4338f343ae7 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
@@ -11,6 +11,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-31
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
index 541d8fc096b..492319dd973 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
@@ -9,6 +9,8 @@ author: Swachchhanda Shrawan Poudel, Elastic (idea)
 date: 2023-04-20
 modified: 2024-12-01
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.defense-evasion
 - attack.persistence
 - attack.t1036.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
index 70ed5f6d156..9904fcaa1eb 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
@@ -10,6 +10,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-02-23
 modified: 2024-03-19
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.execution
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
index c92da25882a..c8bc36e6599 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
@@ -9,6 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-28
 modified: 2025-02-15
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml
index 2723c7d595d..3639f409b6f 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml
@@ -7,6 +7,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-02-05
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 - attack.defense-evasion
diff --git a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
index 9863eb337ac..ebb556620ec 100644
--- a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
@@ -9,6 +9,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
 modified: 2021-11-27
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
index bd6dba03349..80fa5ea9371 100644
--- a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
@@ -9,6 +9,7 @@ author: Janantha Marasinghe
 date: 2022-11-18
 modified: 2022-12-30
 tags:
+ - attack.collection
 - attack.discovery
 - attack.persistence
 - attack.defense-evasion
diff --git a/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml b/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
index 8ecb9a572dc..d6647c5f695 100644
--- a/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
@@ -10,6 +10,8 @@ references:
 author: frack113
 date: 2024-12-01
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
index 2ab8fb6b9fa..ecc8299418d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
@@ -8,6 +8,7 @@ author: 'Semanur Guneysu @semanurtg, oscd.community'
 date: 2020-10-28
 modified: 2022-11-11
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
index a76b7c779bd..3a0b8b58824 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
 date: 2022-08-12
 modified: 2023-03-02
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
index c15579cb9b7..4d297da421a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
@@ -12,6 +12,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-02-23
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1098
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
index 4ff9dcceb21..2e30bcee23f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-12-06
 modified: 2022-09-09
 tags:
+ - attack.initial-access
 - attack.persistence
 - attack.lateral-movement
 - attack.t1133
diff --git a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
index 8e4efb8d4c8..28696232725 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
@@ -8,6 +8,7 @@ author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020-10-13
 modified: 2024-12-01
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
index 1234c122754..ad52a7053ac 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
@@ -11,6 +11,7 @@ author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Rese
 date: 2019-10-26
 modified: 2024-12-01
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
index db394807ff1..082202c9596 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
@@ -8,6 +8,7 @@ author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020-10-13
 modified: 2022-10-20
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
index a5e46c532b5..357b22fd960 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
@@ -8,6 +8,7 @@ author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 date: 2020-10-05
 modified: 2024-12-01
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
index 39847bf8db9..7f94f128e12 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
@@ -12,6 +12,7 @@ author: Sreeman
 date: 2020-01-13
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.persistence
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
index 2e93071db45..dac1a5a8995 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
 date: 2019-06-17
 modified: 2025-10-17
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1055
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml b/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml
index 3962e121a75..d6706ae6ad5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml
@@ -7,6 +7,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-08-29
 tags:
+ - attack.command-and-control
 - attack.persistence
 - attack.defense-evasion
 - attack.t1219
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
index 48348d71d68..7c87186c618 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-16
 modified: 2023-02-24
 tags:
+ - attack.privilege-escalation
 - attack.discovery
 - attack.persistence
 - attack.t1543.003
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
index 92433b191c4..fbd95fa9b7e 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
@@ -11,6 +11,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-03-23
 tags:
+ - attack.privilege-escalation
 - attack.discovery
 - attack.persistence
 - attack.t1543.003
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
index 5ada3cce64f..b0bfccfe467 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
@@ -9,6 +9,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd
 date: 2019-10-24
 modified: 2021-11-27
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
index c987fc15d3b..9422e51e860 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
@@ -7,6 +7,7 @@ references:
 author: Tim Rauch, Elastic (idea)
 date: 2022-09-27
 tags:
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
index cbd2202241e..0fe66c35bce 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
@@ -14,6 +14,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-08-27
 modified: 2025-06-17
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
index b7893d038b6..1cb76c92783 100644
--- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
@@ -12,6 +12,7 @@ author: Tom Ueltschi (@c_APT_ure), Tim Shelton
 date: 2019-01-12
 modified: 2023-11-14
 tags:
+ - attack.privilege-escalation
 - attack.t1037.001
 - attack.persistence
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml b/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
index edc4a660e91..1a29ce8fb8e 100644
--- a/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
@@ -12,6 +12,7 @@ author: Konstantin Grishchenko, oscd.community
 date: 2020-10-06
 modified: 2021-11-27
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
index 7af9fb7cef0..ce97ceb1f38 100644
--- a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-10-11
 modified: 2023-02-08
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml b/rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml
index 829c535240f..8e5cf0909da 100644
--- a/rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml
@@ -8,6 +8,7 @@ references:
 author: "Daniel Koifman (KoifSec)"
 date: 2025-07-30
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml b/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
index ead1a4d821e..275cc819bad 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-06-25
 modified: 2023-02-14
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml b/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml
index 56d6e4f8c05..4d94eafcd89 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml
@@ -12,6 +12,7 @@ references:
 author: Daniel Koifman (KoifSec)
 date: 2025-07-30
 tags:
+ - attack.persistence
 - attack.execution
 - attack.defense-evasion
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
index 83181a12942..2af1da66ba7 100644
--- a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
@@ -11,6 +11,8 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-09-20
 modified: 2024-08-15
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
index 3bbb016b80b..3c020f7b6a3 100644
--- a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
+++ b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
@@ -12,6 +12,7 @@ author: Christopher Peacock
 date: 2021-10-07
 modified: 2023-02-07
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
index 015af3461ca..788fe0c7a68 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
@@ -8,6 +8,7 @@ author: Kutepov Anton, oscd.community
 date: 2019-10-23
 modified: 2023-02-07
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
index d1374b97853..b112c18e0ab 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
@@ -8,6 +8,7 @@ author: Tom Ueltschi (@c_APT_ure)
 date: 2019-01-12
 modified: 2023-06-09
 tags:
+ - attack.privilege-escalation
 - attack.t1037.001
 - attack.persistence
 - attack.lateral-movement
diff --git a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
index 99588236826..91dcf400a09 100644
--- a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
@@ -10,6 +10,7 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-10-19
 modified: 2023-02-08
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1070
 - attack.t1112
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index fd3c00d1510..60d10e76718 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -14,6 +14,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
 modified: 2025-10-07
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index 20247e3386d..041424007f8 100755
--- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -9,6 +9,7 @@ author: Ilyas Ochkov, oscd.community
 date: 2019-10-25
 modified: 2021-11-27
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1562.002
 - attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
index 56a249bb1d2..27281a36e7b 100644
--- a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
@@ -11,6 +11,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2019-08-25
 modified: 2021-11-27
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
index dea91ae946a..a3f72eea28c 100644
--- a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
+++ b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
@@ -8,6 +8,7 @@ author: Trent Liffick
 date: 2020-05-08
 modified: 2021-11-27
 tags:
+ - attack.defense-evasion
 - attack.persistence
 - attack.execution
 - attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
index 52adb226f85..5a53af9c3db 100644
--- a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
+++ b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
@@ -7,6 +7,7 @@ references:
 author: Hieu Tran
 date: 2023-03-13
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
index c8ab8533915..9fda1f82146 100755
--- a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
+++ b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
@@ -8,6 +8,7 @@ author: Dmitriy Lifanov, oscd.community
 date: 2019-10-25
 modified: 2022-03-26
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index 9f131a0f32e..069a0b82d00 100644
--- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk S
 date: 2018-03-20
 modified: 2024-12-03
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1562.001
 - attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
index 93d902ac561..1f55e687a95 100755
--- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
@@ -11,6 +11,7 @@ author: Ilyas Ochkov, oscd.community
 date: 2019-10-25
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.009
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
index 71bdd12881a..c98cbc5b647 100755
--- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -8,6 +8,7 @@ author: Ilyas Ochkov, oscd.community, Tim Shelton
 date: 2019-10-25
 modified: 2022-12-25
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.010
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
index 4f6a06aef32..91a97245d3f 100644
--- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
@@ -10,6 +10,7 @@ author: frack113
 date: 2021-11-18
 modified: 2022-12-06
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
index c31f0ad855d..b23b06a4cb1 100644
--- a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
+++ b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
@@ -8,6 +8,7 @@ author: Alexander Rausch
 date: 2020-06-24
 modified: 2021-11-27
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
index 7819beef522..b7a058814d1 100644
--- a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
+++ b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
@@ -8,6 +8,7 @@ author: omkar72
 date: 2020-10-30
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
index ece118bc42f..eb30bcf2836 100644
--- a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
+++ b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
@@ -9,6 +9,7 @@ author: 'Avneet Singh @v3t0_, oscd.community'
 date: 2020-11-15
 modified: 2024-03-25
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
index e7a7cf01bcb..57b07c7330f 100644
--- a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+++ b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
@@ -11,6 +11,7 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
 modified: 2022-01-13
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
diff --git a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
index 45bf4bee00c..f75c58b644e 100755
--- a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
+++ b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
@@ -10,6 +10,7 @@ author: iwillkeepwatch
 date: 2019-01-18
 modified: 2022-08-09
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.005
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
index 772eaf2fda3..3da1adbb6ff 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
@@ -9,6 +9,7 @@ author: Mateusz Wydra, oscd.community
 date: 2020-10-13
 modified: 2023-01-19
 tags:
+ - attack.privilege-escalation
 - attack.defense-evasion
 - attack.t1218
 - attack.persistence
diff --git a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
index 11610042a52..75137f926e3 100755
--- a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Syst
 date: 2019-10-01
 modified: 2025-02-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
index 088f2c485e6..b8264d5ecb8 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-10-16
 modified: 2022-04-21
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1547.008
diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
index 75ac8d1ae6d..922861fe9ea 100644
--- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
@@ -10,6 +10,7 @@ author: frack113
 date: 2021-12-30
 modified: 2024-03-25
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.010
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
index 050a8bad631..b6451dfe272 100644
--- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
+++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-08-19
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
index b799dd05be2..78da51ab553 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index 47a01b08beb..1b1a1e81420 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
@@ -14,6 +14,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2025-06-16
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index 1e9344aa9bb..4f69735d7af 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index 0f768b106d5..48994c5ea51 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -14,6 +14,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2025-10-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
index d142d526501..df7358e11e5 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2025-10-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
index 9f57805778d..28c30276549 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index 2c7c412fbaf..6ffc701624c 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2025-10-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
index 1bfaea456e9..2abffb1ce3b 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 - attack.t1546.009
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
index 20d89348b72..51f3d1d2010 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
index 0beedb07ebc..a6085723452 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 9363958fde6..c94e1dc1884 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -14,6 +14,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2025-10-07
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
index 4cb70d032de..88a9f6e4f21 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
index d99258b0775..b0e4edb831a 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
@@ -13,6 +13,7 @@ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatull
 date: 2019-10-25
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
index 5ce4cc41f6d..e717b00e211 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
@@ -7,6 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-16
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
index 9c4c1e35b0d..a32506418d0 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
@@ -10,6 +10,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-16
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
index 014cd8e34d4..6ae92024b30 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
@@ -10,6 +10,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-16
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
index a229c550bdf..d07c281b181 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-01-05
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.010
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
index 8d36c147b1f..6cae9accb08 100644
--- a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
@@ -11,6 +11,7 @@ author: frack113
 date: 2022-01-01
 modified: 2024-03-25
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.010
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
index 0771d6288f2..29478e3df8e 100644
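Review bot: The `attack.privilege-escalation` tag added to `registry_set_bypass_uac_using_eventviewer.yml` and to `registry_set_change_rdp_port.yml` is derived from the pre-existing `attack.t1547.010` (Port Monitors) tag, and that technique does not obviously match what either rule name describes — a UAC bypass through Event Viewer would ordinarily be tagged `attack.t1548.002`, as another rule in this chunk already is, and changing the RDP listening port is not a port-monitor modification. If the technique tag is wrong, the tactic derived from it inherits the error, so the technique should be checked against each rule's detection block (outside these hunks) before a tactic is propagated from it. Where the technique tag turns out to be wrong, correcting it, and then re-deriving the tactic tags, is the fix rather than adding tactics to the existing tag.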
--- a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2021-12-28
 modified: 2023-08-17
 tags:
+ - attack.initial-access
 - attack.persistence
 - attack.t1133
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
index 32370ff286a..c6afcca11b4 100644
--- a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
+++ b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
@@ -9,6 +9,7 @@ author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
 date: 2023-06-12
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
index a393bbf48cb..158b67d471e 100644
--- a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
+++ b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
@@ -9,6 +9,7 @@ author: Wojciech Lesicki
 date: 2021-06-29
 modified: 2024-03-25
 tags:
+ - attack.persistence
 - attack.execution
 - attack.privilege-escalation
 - attack.lateral-movement
diff --git a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
index 9fd6561e0db..38951f4a344 100644
--- a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
@@ -9,6 +9,8 @@ author: Omkar Gudhate
 date: 2020-09-27
 modified: 2023-09-28
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1546
 - attack.t1548
diff --git a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
index 871923baadb..34064efbd3e 100644
--- a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
@@ -8,6 +8,7 @@ author: Tobias Michalski (Nextron Systems)
 date: 2022-02-24
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1564
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
index 724be0f103f..82c13ca64aa 100644
--- a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
+++ b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
@@ -13,6 +13,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-04-09
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1562.002
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
index dcba9542439..76fe5360a41 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
@@ -11,6 +11,7 @@ author: Florian Roth (Nextron Systems), frack113
 date: 2022-05-02
 modified: 2025-10-07
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
index 4821a80b6ef..269ee080551 100644
--- a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
@@ -9,6 +9,8 @@ author: frack113
 date: 2022-08-07
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1574
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
index 7de036f7d24..51cba8ce2f6 100644
--- a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
+++ b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
@@ -18,6 +18,7 @@ author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq
 date: 2023-12-21
 modified: 2025-10-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.impact
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
index d0232d452e3..33c9c15f557 100755
--- a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
@@ -10,6 +10,8 @@ author: Dimitrios Slamaris
 date: 2017-05-15
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
index 32231a88305..42ffb0b44e7 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
@@ -13,6 +13,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
 date: 2022-03-18
 modified: 2025-06-04
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
index e69c0e5cc19..942ec0a23f2 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-08-19
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
index 8377f4a5dce..923e7b2709c 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
@@ -11,6 +11,8 @@ author: X__Junior
 date: 2025-01-16
 modified: 2025-08-16
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1547.001
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
index 241d0948a61..aaee3dd8057 100644
--- a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-08-19
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
index ae806c898a4..31029adfa80 100644
--- a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
@@ -14,6 +14,7 @@ author: Austin Songer
 date: 2021-07-22
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1140
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
index b68e998f089..0c834fdda91 100644
--- a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
@@ -14,6 +14,8 @@ author: Florian Roth (Nextron Systems)
 date: 2017-05-08
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1574.001
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
index b71ae4c380e..9a86f7983c0 100644
--- a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
@@ -21,6 +21,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-06-05
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 - attack.t1562
diff --git a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
index 7dfbbebd5ef..40b058bc1cd 100644
--- a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
@@ -18,6 +18,8 @@ references:
 author: Nischal Khadgi
 date: 2024-07-11
 tags:
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.persistence
 - attack.t1556
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
index f3ea04cf0b5..1a76560aab9 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-07-17
 modified: 2022-12-30
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
index 74ea732a0c3..a4a7d770460 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-07-17
 modified: 2022-12-30
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
index f902886972b..3bf497ab47c 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-03-18
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
index 59be85afc22..8b943256e54 100644
--- a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
@@ -15,6 +15,7 @@ author: frack113
 date: 2023-01-13
 modified: 2024-08-23
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
index 7ac2c37899d..4002f7483be 100644
--- a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
+++ b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
@@ -11,6 +11,7 @@ author: Trent Liffick (@tliffick)
 date: 2020-05-14
 modified: 2023-08-17
 tags:
+ - attack.defense-evasion
 - attack.execution
 - attack.persistence
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
index 3df719ef0bf..b1a4b531686 100644
--- a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
+++ b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
@@ -11,6 +11,7 @@ author: frack113
 date: 2022-11-18
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
index 44e763fd74f..a066f5e6084 100644
--- a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
@@ -14,6 +14,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-11-28
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.007
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
index 903ba29c220..8ad300bef6c 100644
--- a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
@@ -15,6 +15,7 @@ author: Anish Bogati
 date: 2023-11-28
 modified: 2025-10-08
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.007
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
index bf362b6220e..7eb6d83328c 100644
--- a/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
@@ -13,6 +13,7 @@ author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
 date: 2020-05-22
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
index 9865487ee21..463773fcdeb 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
@@ -9,6 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2021-04-05
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.command-and-control
 - attack.t1137
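Review bot: `attack.privilege-escalation` is added to `registry_set_office_outlook_enable_load_macro_provider_on_boot.yml`, whose only technique tag visible in the hunk is `attack.t1137`; as far as I know, Office Application Startup (T1137) maps to the Persistence tactic only, so unless a technique tag below the hunk's last line supports it, the new tactic looks unjustified. The same addition is made in the `registry_set_office_outlook_enable_macro_execution.yml` hunk on the next line. If a validator flagged a missing tactic for these two rules, the technique that triggered it should be named in the commit; otherwise the `+    - attack.privilege-escalation` line should be dropped from both.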
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
index 264e7acf1a5..ec07ff082b7 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
@@ -9,6 +9,7 @@ author: '@ScoubiMtl'
 date: 2021-04-05
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.command-and-control
 - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
index fa2a2c5d48e..bb43bcf1c04 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
@@ -14,6 +14,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-08
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
index 2ad8ad3f9a5..d917c44456f 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
@@ -12,6 +12,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-21
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
index a459bf57fc3..b83c26fcb50 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
@@ -12,6 +12,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-21
 modified: 2023-09-29
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
index d9a2515c995..bac2794ecfd 100644
--- a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
@@ -13,6 +13,7 @@ author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
 date: 2020-05-22
 modified: 2024-03-19
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
index 5e439d63d83..dbdc7ca51cf 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
@@ -10,6 +10,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-01-01
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.011
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
index 3e047066a30..07f1ab0b88a 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
@@ -13,6 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-10
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.012
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
index e864f47692a..9500c38fa3d 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-07-27
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
index 52115f0fc49..603e84e2331 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -20,6 +20,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
 modified: 2025-07-01
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
index 024ff90f1e7..24833ef444f 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
@@ -11,6 +11,7 @@ author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
 date: 2023-06-07
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
index 1d13b5b9929..acdbf733e3a 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-05-30
 modified: 2023-05-12
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
index 44d0e2b3257..de4c9572b77 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-01-22
 modified: 2025-07-04
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
index d3bfa4b7dfb..cefe4979b36 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
@@ -15,6 +15,7 @@ author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Svee
 date: 2021-06-09
 modified: 2024-08-07
 tags:
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
index 045fc46882c..bdd1d855571 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
@@ -14,6 +14,7 @@ author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Svee
 date: 2021-06-10
 modified: 2024-08-07
 tags:
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
index 19605f38597..7eb69df3b09 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-08-20
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
index 0090b5367d3..82a36ed6365 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
@@ -12,6 +12,7 @@ author: frack113
 date: 2021-12-30
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.011
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
index f6322754434..d6530aa06f1 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
@@ -9,6 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-01
 modified: 2023-12-06
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.011
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
index febab1a54fd..e8b5983803e 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
@@ -10,6 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-01
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.011
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
index 7b76844720d..db995d0dd8b 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
@@ -10,6 +10,7 @@ author: frack113, Florian Roth (Nextron Systems)
 date: 2022-03-17
 modified: 2025-07-18
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
index 6fa1557bebc..a27d6fa27c5 100644
--- a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-09
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 - attack.t1562
diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
index e466ab1ad4c..70a61d64ba1 100644
--- a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-09
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 - attack.t1562
diff --git a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
index cdb33222ca3..3163de270bb 100644
--- a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-03-18
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
index 75aa70f2c11..b1c23f87a71 100644
--- a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
@@ -8,6 +8,7 @@ author: frack113
 date: 2022-08-19
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
index a6f0d4deddd..736468ed789 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2020-07-01
 modified: 2023-08-17
 tags:
+ - attack.persistence
+ - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1574
 - cve.2021-1675
diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
index daaf3cef5e5..7ac4b355c64 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems), oscd.community
 date: 2018-07-18
 modified: 2023-12-11
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
index 6fdf9bcb6f5..74e0b1055c7 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhand
 date: 2018-08-25
 modified: 2025-10-06
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
index 88939c9dd6c..dca4ea2b83e 100644
--- a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
+++ b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
@@ -14,6 +14,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-12-15
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
index 4ebede3bdfe..cd9bfd5fe86 100644
--- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
+++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
@@ -9,6 +9,8 @@ author: Syed Hasan (@syedhasan009)
 date: 2021-06-18
 modified: 2025-07-04
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053
 - attack.t1053.005
diff --git a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
index c251bd1a849..6ab950ea8de 100644
--- a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
@@ -15,6 +15,8 @@ author: Lednyov Alexey, oscd.community, Sreeman
 date: 2020-10-16
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
+ - attack.execution
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
index ba44cc7bddd..84da2fa71cd 100644
--- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
@@ -9,6 +9,7 @@ author: frack113
 date: 2022-08-28
 modified: 2025-07-11
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.015
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
index 52aeb3c5dc6..89a114d4f42 100644
--- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
+++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-05
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
index 7781c7f092b..ebac2060a79 100644
--- a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
+++ b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
@@ -10,6 +10,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2019-09-12
 modified: 2023-08-17
 tags:
+ - attack.persistence
 - attack.defense-evasion
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
index f37acde0327..c2f3eb55cd8 100644
--- a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
+++ b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
@@ -10,6 +10,7 @@ author: frack113
 date: 2021-12-30
 modified: 2023-08-17
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1547.004
 logsource:
diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
index 173f03817e4..b39cafc6292 100644
--- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
@@ -10,6 +10,7 @@ author: Tom Ueltschi (@c_APT_ure)
 date: 2019-01-12
 modified: 2021-11-27
 tags:
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.003
 logsource:
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
index 7bea92992e3..1692dfd8bf9 100644
--- a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-09-01
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.execution
 - attack.t1047
 - attack.persistence
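Review bot: In the `sysmon_wmi_susp_encoded_scripts.yml` hunk the new `attack.privilege-escalation` entry is placed ahead of `attack.execution`, but `attack.persistence` still sits after the technique tag `attack.t1047`, so tactic and technique tags end up interleaved while every other hunk in this diff keeps tactics grouped before techniques. Moving `- attack.persistence` up next to the other tactic entries would keep the list consistent with the rest of the change. The `tags` list may continue past the hunk's trailing context, so the entries below `attack.persistence` should be checked for the same ordering.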