diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml index 466d0708209..df6c66344cb 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml @@ -1,6 +1,6 @@ title: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare id: 3f2c93c7-7b2a-4d58-bb8d-6f39422d8148 -status: experimental +status: test description: | Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll". references: diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml index a07be223483..b40557ec726 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml @@ -1,6 +1,6 @@ title: CVE-2024-50623 Exploitation Attempt - Cleo id: f007b877-02e3-45b7-8501-1b78c2864029 -status: experimental +status: test description: | Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline. references: diff --git a/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml b/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml index d341da03ad5..0f553981bdb 100644 
--- a/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml +++ b/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml @@ -1,6 +1,6 @@ title: File Creation Related To RAT Clients id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d -status: experimental +status: test description: | File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild. references: diff --git a/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml index 2fb0416cea6..43dc4fff489 100644 --- a/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml +++ b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml @@ -1,6 +1,6 @@ title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe id: 19b3806e-46f2-4b4c-9337-e3d8653245ea -status: experimental +status: test description: | Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml index fc8e078fe7c..a64b919fe07 100644 --- a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml +++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml 
@@ -1,6 +1,6 @@ title: Forest Blizzard APT - Process Creation Activity id: 07db928c-8632-488e-ac7d-3db847489175 -status: experimental +status: test description: | Detects the execution of specific processes and command line combination. These were seen being created by Forest Blizzard as described by MSFT. diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml index 54ae1b45b83..3da71cbdb48 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml @@ -1,6 +1,6 @@ title: WDAC Policy File Creation In CodeIntegrity Folder id: 121b25f7-b9d6-4b37-afa0-cba317ec52f3 -status: experimental +status: test description: | Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment. references: diff --git a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml index b9f691ce7cc..bb05665bfb2 100644 --- a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml +++ b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml 
@@ -1,6 +1,6 @@ title: AWS SAML Provider Deletion Activity id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374 -status: experimental +status: test description: | Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it. diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml index 18e6d4861e0..fc72564f7d3 100644 --- a/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml +++ b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml @@ -1,6 +1,6 @@ title: AWS Key Pair Import Activity id: 92f84194-8d9a-4ee0-8699-c30bfac59780 -status: experimental +status: test description: | Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations. references: diff --git a/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml b/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml index 5d611b64ade..15597ab9c4f 100644 --- a/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml +++ b/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml 
@@ -1,6 +1,6 @@ title: New AWS Lambda Function URL Configuration Created id: ec541962-c05a-4420-b9ea-84de072d18f4 -status: experimental +status: test description: | Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function. diff --git a/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml b/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml index 875c8697180..c7bcd131188 100644 --- a/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml +++ b/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml @@ -1,6 +1,6 @@ title: Modification or Deletion of an AWS RDS Cluster id: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c -status: experimental +status: test description: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information. references: - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml index 1c79ddd3895..ae0c8d2d23d 100644 --- a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml +++ b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml @@ -1,6 +1,6 @@ title: Azure Login Bypassing Conditional Access Policies id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc -status: experimental +status: test description: | Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith. author: Josh Nickels, Marius Rothenbücher 
diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml index 6fdd74444d2..5fffefe77ab 100644 --- a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml @@ -1,6 +1,6 @@ title: Shell Execution via Rsync - Linux id: e2326866-609f-4015-aea9-7ec634e8aa04 -status: experimental +status: test description: | Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. references: diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml index d75fc682da0..5b0cb8cbcb8 100644 --- a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml +++ b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml @@ -1,6 +1,6 @@ title: Suspicious Invocation of Shell via Rsync id: 297241f3-8108-4b3a-8c15-2dda9f844594 -status: experimental +status: test description: | Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation. references: diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml index f3c8172ecc8..df5c2ba4250 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml 
@@ -1,6 +1,6 @@ title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation id: f8931561-97f5-4c46-907f-0a4a592e47a7 -status: experimental +status: test description: | Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation. diff --git a/rules/windows/dns_query/dns_query_win_quickassist.yml b/rules/windows/dns_query/dns_query_win_quickassist.yml index 5ab11aded6d..e150b925e72 100644 --- a/rules/windows/dns_query/dns_query_win_quickassist.yml +++ b/rules/windows/dns_query/dns_query_win_quickassist.yml @@ -1,6 +1,6 @@ title: DNS Query Request By QuickAssist.EXE id: 882e858a-3233-4ba8-855e-2f3d3575803d -status: experimental +status: test description: | Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session. references: diff --git a/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml b/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml index 826214e9bda..f5f2bba2e16 100644 --- a/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml +++ b/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml @@ -1,6 +1,6 @@ title: Suspicious Binaries and Scripts in Public Folder id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e -status: experimental +status: test description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity. references: - https://intel.thedfirreport.com/events/view/30032 # Private Report diff --git a/rules/windows/image_load/image_load_clfs_load.yml b/rules/windows/image_load/image_load_clfs_load.yml index 9e615a91cae..6e1762bcd9c 100644 
--- a/rules/windows/image_load/image_load_clfs_load.yml +++ b/rules/windows/image_load/image_load_clfs_load.yml @@ -1,6 +1,6 @@ title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d -status: experimental +status: test description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File. references: - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/ diff --git a/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml index 922387bda9f..ddef5f6b7db 100644 --- a/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml @@ -1,6 +1,6 @@ title: QuickAssist Execution id: e20b5b14-ce93-4230-88af-981983ef6e74 -status: experimental +status: test description: | Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access. references:
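Review bot: In win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml the hunk changes only `status: experimental` to `status: test` and the shown context carries no corresponding `modified:` update; the same holds for every hunk in this patch, so please confirm whether the repository convention expects `modified` to be bumped on a status promotion, and if so do it in the same commit. While touching the file, the description line `Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare` reads better as `Detects an exploitation attempt of CVE-2024-49113, known as LDAP Nightmare`.

Review bot: In proc_creation_win_exploit_cve_2024_50623_cleo.yml the description context has a typo in the product name: `spawning from the Celo software suite` should be `spawning from the Cleo software suite` (the title and filename already say Cleo). In the same sentence `suspicious Powershell commandline` should be `suspicious PowerShell command line`. Promoting a rule to `test` is a good point to fix the text that analysts will read in alerts.

Review bot: In file_event_win_malware_generic_creation_configuration_rats.yml the description `File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.` is a sentence fragment and does not say what is detected; suggest `Detects the creation of a ".conf" file associated with VenomRAT, AsyncRAT and Lummac samples observed in the wild.` so it matches the "Detects ..." phrasing used by the other rules in this patch.

Review bot: In proc_creation_win_malware_lummac_more_vbc.yml the description sentence `This behavior was observed by a set of samples related to Lummac Stealer.` should read `This behavior was observed in a set of samples related to Lummac Stealer.` (samples exhibit the behavior; they do not observe it).

Review bot: In proc_creation_win_apt_forest_blizzard_activity.yml the description `Detects the execution of specific processes and command line combination.` needs the plural, `command-line combinations`, and `as described by MSFT` should spell out `Microsoft` for readers outside the vendor shorthand.

Review bot: In microsoft365_bypass_conditional_access.yml the description spells the product two ways in one sentence, `Microsoft Intune Company Portal` and `InTune device trust`; Microsoft's product name is Intune, so the second occurrence should be changed to match.

Review bot: In proc_creation_lnx_rsync_shell_spawn.yml the description `execution of a shell as sub process of "rsync"` should use `subprocess` (one word) and an article: `as a subprocess of "rsync"`.

Review bot: In dns_query_win_quickassist.yml the description `DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint` is missing an article: `to the Microsoft Quick Assist primary endpoint`.

Review bot: In image_load_clfs_load.yml both the title and the description have grammar problems that will surface in alert names: the title `Clfs.SYS Loaded By Process Located In a Potential Suspicious Location` should read `... Located In a Potentially Suspicious Location`, and the description sentence `Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.` should read `Clfs.sys is loaded by many exploits for CVEs targeting the Common Log File System (CLFS) driver.`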