From 8108d2b1fec4af863e42e34760b1441074e97542 Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Tue, 24 Sep 2024 05:06:44 +0000 Subject: [PATCH 01/42] chg: [threat-actor] add earth baxia --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5dfa6132..76e932d6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16688,6 +16688,20 @@ }, "uuid": "071d271a-313f-442d-9bf0-10e6eeba0a8e", "value": "HikkI-Chan" + }, + { + "description": "Earth Baxia is a threat actor opearting ot of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.", + "meta": { + "country": "CN", + "refs": [ + "https://www.tgsoft.it/news/news_archivio.asp?id=1568", + "https://jp.security.ntt/tech_blog/appdomainmanager-injection", + "https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt" + ] + }, + "uuid": "d0c2cd99-64d5-406f-abd7-16b9e27966a7", + "value": "Earth Baxia" } ], "version": 313 From 483f532613836e2adcdfd712c853abe3ab97daa4 Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Tue, 24 Sep 2024 05:07:30 +0000 Subject: [PATCH 02/42] chg: [threat-actor] fix typo --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 76e932d6..69e020dd 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16690,7 +16690,7 @@ "value": "HikkI-Chan" }, { - "description": "Earth Baxia is a threat actor opearting ot of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.", + "description": "Earth Baxia is a threat actor opearting out of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.", "meta": { "country": "CN", "refs": [ From 17c4d15eec0f833f0838568b15ffd58e81bfa4d2 Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Tue, 24 Sep 2024 05:21:54 +0000 Subject: [PATCH 03/42] chg: [doc] README updated --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3be99197..7e3dcb70 100644 --- a/README.md +++ b/README.md @@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *736* elements +Category: *actor* - source: *MISP Project* - total: *737* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] From 24a228d731323f4282654f72f76ad650714c818c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 26 Sep 2024 08:19:26 +0200 Subject: [PATCH 04/42] chg: [producer] updated with cloudflare and one description fixed --- README.md | 2 +- clusters/producer.json | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7e3dcb70..043c788f 100644 --- a/README.md +++ b/README.md @@ -487,7 +487,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements [Producer](https://www.misp-galaxy.org/producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large. -Category: *actor* - source: *MISP Project* - total: *37* elements +Category: *actor* - source: *MISP Project* - total: *38* elements [[HTML](https://www.misp-galaxy.org/producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)] diff --git a/clusters/producer.json b/clusters/producer.json index d8161ebe..72fa059e 100644 --- a/clusters/producer.json +++ b/clusters/producer.json @@ -448,7 +448,7 @@ "value": "BleepingComputer" }, { - "description": "", + "description": "Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland. It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV[3] anti-virus engine", "meta": { "country": "US", "refs": [ @@ -663,7 +663,12 @@ }, "uuid": "e5964f36-7644-4f73-bdfd-f24d9e006656", "value": "Avira" + }, + { + "description": "Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, and ICANN-accredited domain registration services. Cloudflare's headquarters are in San Francisco, California.", + "uuid": "a0a87034-b8ff-4991-9ae1-e650a43292ef", + "value": "Cloudflare" } ], - "version": 11 + "version": 12 } From 60340edb22095708e4eb96b7007cfeb235655a7b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 26 Sep 2024 08:34:37 +0200 Subject: [PATCH 05/42] chg: [threat-actor] SloppyLemming added --- README.md | 2 +- clusters/threat-actor.json | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 043c788f..e5620d1a 100644 --- a/README.md +++ b/README.md @@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *737* elements +Category: *actor* - source: *MISP Project* - total: *738* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 69e020dd..3cce334d 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16702,7 +16702,17 @@ }, "uuid": "d0c2cd99-64d5-406f-abd7-16b9e27966a7", "value": "Earth Baxia" + }, + { + "description": "SloppyLemming is an advanced actor that uses multiple cloud service providers to facilitate different aspects of their activities, such as credential harvesting, malware delivery and command and control (C2). This actor conducts extensive operations targeting Pakistani, Sri Lanka, Bangladesh, and China. Industries targeted include government, law enforcement, energy, telecommunications, and technology entitie", + "meta": { + "refs": [ + "https://blog.cloudflare.com/unraveling-sloppylemming-operations/" + ] + }, + "uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", + "value": "SloppyLemming" } ], - "version": 313 + "version": 314 } From f6f6ab550f905c21f0fd7e93a00620ff71a6e501 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 26 Sep 2024 17:36:42 +0200 Subject: [PATCH 06/42] chg: [ransomware] updated --- README.md | 2 +- clusters/ransomware.json | 17 +++++++++++++++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e5620d1a..8b3c6f9e 100644 --- a/README.md +++ b/README.md @@ -495,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *38* elements [Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project. -Category: *tool* - source: *Various* - total: *1804* elements +Category: *tool* - source: *Various* - total: *1805* elements [[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)] diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 2a91f5c2..3ff94d11 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -28551,7 +28551,8 @@ "description": "", "meta": { "links": [ - "http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion" + "http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion", + "http://c7jpc6h2ccrdwmhofuij7kz6sr2fg2ndtbvvqy4fse23cf7m2e5hvqid.onion" ], "refs": [ "https://www.ransomlook.io/group/black suit" @@ -29682,7 +29683,19 @@ }, "uuid": "2a1e103b-da5f-56d6-a0c8-5daff4c4fd87", "value": "orca" + }, + { + "meta": { + "links": [ + "http://hackerosyolorz77y7vwj57zobwdeuzydhctz3kuuzr52ylzayvxuqyd.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/osyolorz collective" + ] + }, + "uuid": "99ddf1b6-7d75-58f6-b340-47545fec5e55", + "value": "osyolorz collective" } ], - "version": 133 + "version": 134 } From aeab78b95eada597f609ee9521bcff681634939c Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:12:54 +0000 Subject: [PATCH 07/42] chg: [threat-actor] `GhostEmperor` updated --- clusters/threat-actor.json | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 3cce334d..d51bb9c6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -15233,8 +15233,18 @@ "meta": { "country": "CN", "refs": [ - "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation", - "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/" + "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf", + "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/", + "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf", + "https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation", + "https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/", + "https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835" + ], + "synonyms": [ + "FamousSparrow", + "UNC2286", + "Salt Typhoon" ] }, "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb", From e6db8c579a4ae9623dea49674869b206b7e9841d Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Thu, 26 Sep 2024 18:21:38 +0000 Subject: [PATCH 08/42] chg: [threat-actor] added a relationship between `Earth Estries` and `GhostEmperor` --- clusters/threat-actor.json | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index d51bb9c6..65613817 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -12795,6 +12795,15 @@ "https://www.sentinelone.com/labs/cyber-soft-power-chinas-continental-takeover/" ] }, + "related": [ + { + "dest-uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67", "value": "Earth Estries" }, @@ -15247,6 +15256,15 @@ "Salt Typhoon" ] }, + "related": [ + { + "dest-uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb", "value": "GhostEmperor" }, From 70b0823947cb10d7bb02a31aee4674ae723daefe Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Fri, 27 Sep 2024 14:23:01 +0200 Subject: [PATCH 09/42] SloppyLemming relationsships --- clusters/backdoor.json | 12 ++++- clusters/botnet.json | 24 +++++++++- clusters/ransomware.json | 11 ++++- clusters/threat-actor.json | 90 +++++++++++++++++++++++++++++++++++++- clusters/tool.json | 12 ++++- 5 files changed, 143 insertions(+), 6 deletions(-) diff --git a/clusters/backdoor.json b/clusters/backdoor.json index d41dede8..25cfd997 100644 --- a/clusters/backdoor.json +++ b/clusters/backdoor.json @@ -488,7 +488,17 @@ ], "uuid": "4838b37b-2d1f-4cb8-945d-7185580f0bff", "value": "TERRIBLETEA" + }, + { + "description": "Merdoor is a fully-featured backdoor that appears to have been in existence since 2018.\nThe backdoor contains the following functionality: Installing itself as a service, Keylogging, A variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), Ability to listen on a local port for commands\nInstances of the Merdoor backdoor are usually identical with the exception of embedded and encrypted configuration, which determines: C&C communication method, Service details, Installation directory\nTypically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.", + "meta": { + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor" + ] + }, + "uuid": "8ebda9f4-f8f2-4d35-ba2b-d6ecb54b23d4", + "value": "Merdoor" } ], - "version": 19 + "version": 20 } diff --git a/clusters/botnet.json b/clusters/botnet.json index c3d9d0a7..05e7fbd3 100644 --- a/clusters/botnet.json +++ b/clusters/botnet.json @@ -2031,7 +2031,29 @@ }, "uuid": "40cd57f6-39c9-4a9f-b4cf-de4762642bff", "value": "Ztorg" + }, + { + "meta": { + "refs": [ + "https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router", + "https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd" + ], + "synonyms": [ + "7777" + ] + }, + "uuid": "3e027dad-9c0a-437e-9938-dd3cf13b0c22", + "value": "Quad7" + }, + { + "meta": { + "refs": [ + "https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router" + ] + }, + "uuid": "963d898f-dc48-409e-8069-aaa51ad6664c", + "value": "63256 botnet" } ], - "version": 35 + "version": 36 } diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 2a91f5c2..7b4287c6 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -1494,6 +1494,15 @@ "HavocCrypt Ransomware" ] }, + "related": [ + { + "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], "uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396", "value": "Havoc" }, @@ -29684,5 +29693,5 @@ "value": "orca" } ], - "version": 133 + "version": 134 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 3cce334d..5fce6346 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -15215,6 +15215,15 @@ "Outrider Tiger" ] }, + "related": [ + { + "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "0df34184-4ccf-4357-8e8e-e990058d2992", "value": "Fishing Elephant" }, @@ -16710,9 +16719,88 @@ "https://blog.cloudflare.com/unraveling-sloppylemming-operations/" ] }, + "related": [ + { + "dest-uuid": "0df34184-4ccf-4357-8e8e-e990058d2992", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b09b683-5650-4a6c-a383-d8f3b686ebc2", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b250414b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424744", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b249444e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4b41", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b243484e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e504c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + } + ], "uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", "value": "SloppyLemming" } ], - "version": 314 + "version": 315 } diff --git a/clusters/tool.json b/clusters/tool.json index d9d9cdb6..3ac50d62 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1882,7 +1882,8 @@ "refs": [ "http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html", "https://blogs.cisco.com/security/talos/opening-zxshell", - "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox" + "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor" ], "synonyms": [ "Sensode" @@ -9208,6 +9209,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" + }, + { + "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" } ], "uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d", @@ -11075,5 +11083,5 @@ "value": "SLIVER" } ], - "version": 173 + "version": 174 } From a71f9c7e944c42a6d4b854ed7138c8c46a44435e Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Mon, 30 Sep 2024 10:41:46 +0200 Subject: [PATCH 10/42] update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8b3c6f9e..fd1d6b9b 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements [Backdoor](https://www.misp-galaxy.org/backdoor) - A list of backdoor malware. -Category: *tool* - source: *Open Sources* - total: *28* elements +Category: *tool* - source: *Open Sources* - total: *29* elements [[HTML](https://www.misp-galaxy.org/backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)] @@ -87,7 +87,7 @@ Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47 [Botnet](https://www.misp-galaxy.org/botnet) - botnet galaxy -Category: *tool* - source: *MISP Project* - total: *130* elements +Category: *tool* - source: *MISP Project* - total: *132* elements [[HTML](https://www.misp-galaxy.org/botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)] From 710bcf6bd96e5bc3f7830ae3c894ff142bf220d1 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 2 Oct 2024 02:04:55 -0700 Subject: [PATCH 11/42] [threat-actors] Add Storm-0494 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ff18ffbc..1105c38c 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16828,6 +16828,17 @@ ], "uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", "value": "SloppyLemming" + }, + { + "description": "Storm-0494 is a threat actor that facilitates Gootloader infections, which are then exploited by groups like Vice Society to deploy tools such as the Supper backdoor, AnyDesk, and MEGA. They utilize RDP for lateral movement and employ the WMI Provider Host to deploy the INC ransomware payload. Microsoft has identified their activities as part of a campaign targeting the U.S. health sector. Their operations are characterized by financially motivated tactics.", + "meta": { + "refs": [ + "https://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/", + "https://x.com/MsftSecIntel/status/1836456406276342215" + ] + }, + "uuid": "bed7279c-4ae4-459a-a862-8c69e0cfdb93", + "value": "Storm-0494" } ], "version": 315 From f39dcbdb730b77f3430a1a4e191c9ec34d92ffdc Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 2 Oct 2024 02:04:55 -0700 Subject: [PATCH 12/42] [threat-actors] Add DragonRank --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 1105c38c..38a35bad 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16839,6 +16839,16 @@ }, "uuid": "bed7279c-4ae4-459a-a862-8c69e0cfdb93", "value": "Storm-0494" + }, + { + "description": "DragonRank is a threat actor primarily targeting web application services in Asia and Europe, utilizing TTPs associated with Simplified Chinese-speaking hacking groups. They exploit vulnerabilities in platforms like phpMyAdmin and WordPress to deploy web shells, enabling the installation of PlugX and BadIIS malware for black hat SEO practices. Their operations involve lateral movement within compromised networks to maintain control and elevate privileges, while also engaging in unethical online marketing strategies. DragonRank's activities include manipulating search engine rankings and distributing scam websites through compromised Windows IIS servers.", + "meta": { + "refs": [ + "https://blog.talosintelligence.com/dragon-rank-seo-poisoning/" + ] + }, + "uuid": "28157c93-0b9f-4341-983a-3a521cee12bb", + "value": "DragonRank" } ], "version": 315 From 0c0817ab7e569a2446689bb4e9de9c84e752f4d0 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 2 Oct 2024 02:04:55 -0700 Subject: [PATCH 13/42] [threat-actors] Add VICE SPIDER --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 38a35bad..b50e58e8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16849,6 +16849,17 @@ }, "uuid": "28157c93-0b9f-4341-983a-3a521cee12bb", "value": "DragonRank" + }, + { + "description": "Vice Spider is a Russian-speaking ransomware group that has been active since at least April 2021 and is linked to a significant increase in identity-based attacks, with a reported 583% rise in Kerberoasting incidents. CrowdStrike attributes 27% of these intrusions specifically to Vice Spider, which exploits vulnerabilities in the Kerberos authentication protocol to crack user passwords.", + "meta": { + "country": "RU", + "refs": [ + "https://www.techtarget.com/searchsecurity/news/366547445/CrowdStrike-observes-massive-spike-in-identity-based-attacks" + ] + }, + "uuid": "2be3426b-c216-499f-b111-6694e96918f7", + "value": "VICE SPIDER" } ], "version": 315 From 84ca613198d11e60849d48bc285f815b2e383c00 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 2 Oct 2024 02:04:56 -0700 Subject: [PATCH 14/42] [threat-actors] Add AzzaSec --- clusters/threat-actor.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b50e58e8..c278876f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16860,6 +16860,18 @@ }, "uuid": "2be3426b-c216-499f-b111-6694e96918f7", "value": "VICE SPIDER" + }, + { + "description": "AzzaSec is a hacktivist group that originated in Italy. Known for their pro-Palestine stance, they have been involved in various cyberattacks targeting Israel and pro-Israel countries. Additionally, AzzaSec has engaged in ransomware activities and has been known to collaborate with other cybercriminal groups.\n\n\n\n\n\n\n\n\n", + "meta": { + "country": "IT", + "refs": [ + "https://socradar.io/dark-peep-16-play-ransomware-lockbits-alliance-breachforums-leak-and-cyberniggers-revival/", + "https://thecyberexpress.com/azzasec-noname-join-hands-to-target-ukriane/" + ] + }, + "uuid": "7d067b1a-89df-46ff-a2fc-d688da721236", + "value": "AzzaSec" } ], "version": 315 From 3b57092dd15b05a7af3a83ff6b791b821a471e6d Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 2 Oct 2024 02:04:56 -0700 Subject: [PATCH 15/42] [threat-actors] Add Handala --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index c278876f..90e264c9 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16872,6 +16872,19 @@ }, "uuid": "7d067b1a-89df-46ff-a2fc-d688da721236", "value": "AzzaSec" + }, + { + "description": "Handala is a pro-Palestinian hacktivist group that targets Israeli organizations, employing tactics such as phishing, data theft, extortion, and destructive attacks using custom wiper malware. The group utilizes a multi-stage loading process, including a Delphi-coded second-stage loader and an AutoIT injector, to deliver wiper malware that specifically targets Windows and Linux environments. Their phishing campaigns often exploit major events and critical vulnerabilities, masquerading as legitimate organizations to gain initial access. Handala operates a data leak site to publicize stolen data, although claims of successful attacks are sometimes disputed by targeted organizations.", + "meta": { + "country": "PS", + "refs": [ + "https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html", + "https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/", + "https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/" + ] + }, + "uuid": "7b14f285-86e9-47da-be1a-16ce566c428b", + "value": "Handala" } ], "version": 315 From 50b2ad7c23fd6655a691fe5a995cc4999b6b4036 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 2 Oct 2024 02:04:56 -0700 Subject: [PATCH 16/42] [threat-actors] Add Storm-0501 --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 90e264c9..392776f6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16885,6 +16885,16 @@ }, "uuid": "7b14f285-86e9-47da-be1a-16ce566c428b", "value": "Handala" + }, + { + "description": "Storm-0501 is a financially motivated cybercriminal group that has been active since 2021, initially targeting US school districts with the Sabbath ransomware and later transitioning to a RaaS model deploying various ransomware strains, including Embargo. The group exploits weak credentials and over-privileged accounts to achieve lateral movement from on-premises environments to cloud infrastructures, establishing persistent backdoor access and deploying ransomware. They have utilized techniques such as credential theft, exploiting vulnerabilities in Zoho ManageEngine and Citrix NetScaler, and employing tools like Cobalt Strike and Rclone for lateral movement and data exfiltration. Storm-0501 has specifically targeted sectors such as government, manufacturing, transportation, and law enforcement in the United States.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/" + ] + }, + "uuid": "f6a60403-4bcc-4fc6-ac07-abb913c1f080", + "value": "Storm-0501" } ], "version": 315 From e6072c5823937cc47458cc7e8708d91cb9e1d538 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 2 Oct 2024 02:04:56 -0700 Subject: [PATCH 17/42] [threat-actors] Add CosmicBeetle --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 392776f6..60d98687 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16895,6 +16895,16 @@ }, "uuid": "f6a60403-4bcc-4fc6-ac07-abb913c1f080", "value": "Storm-0501" + }, + { + "description": "CosmicBeetle is a threat actor known for deploying the ScRansom ransomware, which has replaced its previous variant, Scarab. The actor utilizes a custom toolset called Spacecolon, consisting of ScHackTool, ScInstaller, and ScService, to gain initial access through RDP brute forcing and exploiting vulnerabilities like CVE-2020-1472 and FortiOS SSL-VPN. CosmicBeetle has been observed impersonating the LockBit ransomware gang to leverage its reputation and has shown a tendency to leave artifacts on compromised systems. The group primarily targets SMBs globally, employing techniques such as credential dumping and data destruction.", + "meta": { + "refs": [ + "https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/" + ] + }, + "uuid": "9686ff2b-01e0-46eb-9169-9e8d115be345", + "value": "CosmicBeetle" } ], "version": 315 From cbdca883d69a213abfd3ea40468673d2574127a5 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 2 Oct 2024 02:04:56 -0700 Subject: [PATCH 18/42] [threat-actors] Add Storm-1567 aliases --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 60d98687..8c4ba11e 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -15084,7 +15084,9 @@ "https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/" ], "synonyms": [ - "Akira" + "Akira", + "PUNK SPIDER", + "GOLD SAHARA" ] }, "uuid": "3a912680-6f38-4fe7-9941-744f0e2280b3", From aa21df1b3fe244dca89bcb71b8f724df3feba242 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 2 Oct 2024 02:04:56 -0700 Subject: [PATCH 19/42] [threat-actors] Add UNC1860 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8c4ba11e..498caf6c 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16907,6 +16907,17 @@ }, "uuid": "9686ff2b-01e0-46eb-9169-9e8d115be345", "value": "CosmicBeetle" + }, + { + "description": "UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.", + "meta": { + "country": "IR", + "refs": [ + "https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks" + ] + }, + "uuid": "80a874d5-0645-4245-aeb6-9b33a8689928", + "value": "UNC1860" } ], "version": 315 From d9c1ddb7cecff3ea94fdf32474cbf658e96ceb40 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 2 Oct 2024 02:04:57 -0700 Subject: [PATCH 20/42] [threat actors] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fd1d6b9b..6baa9db2 100644 --- a/README.md +++ b/README.md @@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *738* elements +Category: *actor* - source: *MISP Project* - total: *746* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] From 86e27576100848cfe7d518485f89406cb7852b80 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 3 Oct 2024 08:21:33 +0200 Subject: [PATCH 21/42] chg: [ransomware] updated --- clusters/ransomware.json | 129 +++++++++++++++++++++++++++++++++++---- 1 file changed, 118 insertions(+), 11 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index be420bc8..5980df9c 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -14578,7 +14578,10 @@ ], "links": [ "http://ekbgzchl6x2ias37.onion", - "http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/" + "http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/", + "http://3ws3t4uo7fehnn4qpmadk3zjrxta5xlt3gsc5mx4sztrsy7ficuz5ayd.onion/", + "http://amnwxasjtjc6e42siac6t45mhbkgtycrx5krv7sf5festvqxmnchuayd.onion/", + "http://qahjimrublt35jlv4teesicrw6zhpwhkb6nhtonwxuqafmjhr7hax2id.onion/" ], "refs": [ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", @@ -26498,7 +26501,19 @@ "links": [ "https://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/", "https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion", - "http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/" + "http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/", + "http://6y2qjrzzt4inluxzygdfxccym5qjy2ltyae7vnxtoyeotfg3ljwqtaid.onion/", + "http://r6qkk55wxvy2ziy47oyhptesucwdqqaip23uxregdgquq5oxxlpeecad.onion/", + "http://weqv4fxkacebqrjd3lmnss6lrmoxoyihtcc6kdc6mblbv62p5q6skgid.onion/", + "http://thesiliconroad1.top/", + "http://stuffstevenpeters4.top/", + "http://greenmotors5.top/", + "http://megatron3.top/", + "http://fmzipzpirdpfelbbvnfhoehqxbqg7s7efmgce6hpr5xdcmeazdmic2id.onion/", + "http://daulpxe3epdysjozaujz4sj7rytanp4suvdnebxkwdfcuzwxlslebvyd.onion/", + "http://databasebb3.top/", + "http://l6zxfn3u2s4bl4vt3nvpve6uibqn3he3tgwdpkeeplhwlfwy3ifbt5id.onion/", + "http://onlylegalstuff6.top/" ], "ransomnotes": [ "Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]" @@ -27649,7 +27664,8 @@ "http://lbbjmbkvw3yurmnazwkbj5muyvw5dd6y7hyxrus23y33qiqczclrnbyd.onion/", "http://lbbpoq6d2jglpw7dxarr6oaakgnlxt5nmrza5ojlufsuffuzexajsuyd.onion/", "http://lbbp2rsfcmg5durpwgs22wxrdngsa4wiwmc4xk6hgmuluy6bvbvvtlid.onion/", - "http://lbbov7weoojwnqytnjqygmglkwtim5dvyw3xvoluk5ostz75ofd6enqd.onion/" + "http://lbbov7weoojwnqytnjqygmglkwtim5dvyw3xvoluk5ostz75ofd6enqd.onion/", + "http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion/ec_page3.php" ], "refs": [ "https://threatpost.com/lockbit-ransomware-proliferates-globally/168746", @@ -28426,7 +28442,8 @@ "links": [ "https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion", "https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login", - "https://huntersinternational.net" + "https://huntersinternational.net", + "http://huntersinternational.su" ], "refs": [ "https://www.ransomlook.io/group/hunters" @@ -28561,7 +28578,18 @@ "meta": { "links": [ "http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion", - "http://c7jpc6h2ccrdwmhofuij7kz6sr2fg2ndtbvvqy4fse23cf7m2e5hvqid.onion" + "http://c7jpc6h2ccrdwmhofuij7kz6sr2fg2ndtbvvqy4fse23cf7m2e5hvqid.onion", + "http://nz2ihtemh2zli2wc3bovzps55clanspsqx5htu2plolby45a7pk4d3qd.onion/", + "http://qjdremetxo2zpli32exwb5uct6cjljyj7v52d5thn7usmj5mlyxdojqd.onion/", + "http://yef4xoqj2jq554rqetf2ikmpdtewdlbnx5xrtjtjqaotvfw77ipb6pad.onion/", + "http://ptsfbwx5j7kyk5r6n6uz4faic43jtb55sbls7py5wztwbxkyvsikguid.onion/", + "http://ro4h37fieb6oyfrwoi5u5wpvaalnegsxzxnwzwzw43anxqmv6hjcsfyd.onion/", + "http://cyfafnmijhiqxxfhtofmn5lgk3w5ana6xzpc6gk5uvdfadqflvznpjyd.onion/", + "http://betrvom4agzebo27bt7o3hk35tvr7ppw3hrx5xx4ecvijwfsb4iufoyd.onion/", + "http://ybo3xr25btxs47nmwykoudoe23nyv6ftkcpjdo4gilfzww4djpurtgid.onion/", + "http://k6wtpxwq72gpeil5hqofae7yhbtxphbkyoe2g7rwmpx5sadc4sgsfvid.onion/", + "http://vm2rbvfkcqsx2xusltbxziwbsrunjegk6qeywf3bxpjlznq622s3iead.onion/", + "http://ng2gzceugc2df6hp6s7wtg7hpupw37vqkvamaydhagv2qbrswdqlq6ad.onion/" ], "refs": [ "https://www.ransomlook.io/group/black suit" @@ -28861,7 +28889,8 @@ { "meta": { "links": [ - "http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion" + "http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion", + "http://ulkvlj5sirgrbnvb4hvbjo2ex2c2ceqe2j4my57fcdozpbq5h5pyu7id.onion" ], "refs": [ "https://www.ransomlook.io/group/3am" @@ -28898,7 +28927,8 @@ "meta": { "links": [ "http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog", - "http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login" + "http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login", + "http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion" ], "refs": [ "https://www.ransomlook.io/group/dragonforce" @@ -28956,7 +28986,33 @@ "links": [ "http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion", "http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion", - "http://k7kg3jqzffsxe2z53jjx4goybvxu3a557kpsqakpwi6mrvfgcdo55tid.onion" + "http://k7kg3jqzffsxe2z53jjx4goybvxu3a557kpsqakpwi6mrvfgcdo55tid.onion", + "http://ipi4tiumgzjsym6pyuzrfqrtwskokxokqannmd6sa24shvr7x5kxdvqd.onion", + "http://j75o7xvvsm4lpsjhkjvb4wl2q6ajegvabe6oswthuaubbykk4xkzgpid.onion", + "http://zi34ocznt242jallttwvvhihrezjdzfgflf3uhdv6t3z23hhcn54efid.onion", + "http://37wb3ygyb3r2vf2dt5o3ca62zlduuowvkkwjrtbcgc5iri4t6rnzr7yd.onion", + "http://eppsldmcnv3ylabsx5srvf36wnk6jrowg6x4unxclv55rnu4kf5436yd.onion", + "http://slg7tnjb65swwyaebnyymyvo73xm36hxwugdsps7cwcxicizyzyt2byd.onion", + "http://x6zdxw6vt3gtpv35yqloydttvfvwyrju3opkmp4xejmlfxto7ahgnpyd.onion", + "http://jnbiz5lp44ddg4u5rsr4yebbpxa3iytcsshgbqa4m6r6po5y57h6yxid.onion", + "http://sm2gah7bjg6u2dfl3voiex6njh2kcuqqquvv7za37xokmbcivsgqcnad.onion", + "http://z7u6dkys7b2aeibvklxga7mldzrepoauiuniqwfhdadkkwwgmv6bqhad.onion", + "http://kri3lez34pbqra3xs5wxo55djldtsekol6tuqdjqecqzga6dpnjqruyd.onion", + "http://iejj6bywviuecjwi3kxanzojqroe3j3phzgplvrdzcicimtcw6xgk3yd.onion", + "http://xixkhm6inbg6t5642t2pjafsjsh3eaonpjysdcfvr3zvadlqb6nhryad.onion", + "http://giix5r763sbxmu442tmwfb4thqbz4i5ppxcqsmnnlqnm2yiezv6epxqd.onion", + "http://mokcrzbitq2gc5qcpxcbce43pawuthyaoazl6iz2xknj53ebyb4r4eid.onion", + "http://gpph6awu7hqsmzmr5sihusjoscp3itwtk3b4i2chwspmka2ikuqcwaqd.onion", + "http://v3r6g4q3b2jpqusznecxexr5aqi42vy5ts6jy6fu3strecvb5c2woead.onion", + "http://4xo3cicwo2rhpwr6vkgwt7mqg4oiqihsmoxwlmklf4sjoatkdqjtmcyd.onion", + "http://a4gbdvoorwn3tcqijoedvdeukqaqwc6t2kx4gh3gm37gv4p37evvzqad.onion", + "http://6jb5avmh6rvcb7vcux7kaivnzpqcrfg4ui4xv2co5vmspgrwll7lkkyd.onion", + "http://doz7omlqqanryonvil4iuj65shzcv3efupqwubkza6553wnekrrd4uid.onion", + "http://hbwsxlq3uzknabg2blt7d4mcbu24oriklji36zdqsz3ou3mf2d7bvoid.onion", + "http://ysknyr5m5n3pwg4jnaqsytxea2thwsbca3qipi64vlep42flywx7dgqd.onion", + "http://b3pzp6qwelgeygmzn6awkduym6s4gxh6htwxuxeydrziwzlx63zergyd.onion", + "http://p2qzf3rfvg4f74v2ambcnr6vniueucitbw6lyupkagsqejtuyak6qrid.onion", + "http://whfsjr35whjtrmmqqeqfxscfq564htdm427mjekic63737xscuayvkad.onion" ], "refs": [ "https://www.ransomlook.io/group/play", @@ -29012,10 +29068,15 @@ "value": "qiulong" }, { + "description": "", "meta": { "links": [ "https://cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion", - "https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/" + "https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/", + "https://vhfd5qagh6j7qbisjqvly7eejqbv6z5bv77v6yuhctn77wmd3hjkyvad.onion", + "https://acfckf3l6l7v2tsnedfx222a4og63zt6dmvheqbvsd72hkhaqadrrsad.onion", + "https://6wuivqgrv2g7brcwhjw5co3vligiqowpumzkcyebku7i2busrvlxnzid.onion", + "https://truysrv2txxvobngtlssbgqs3e3ekd53zl6zoxbotajyvmslp5rdxgid.onion" ], "refs": [ "https://www.ransomlook.io/group/cactus" @@ -29250,7 +29311,19 @@ "meta": { "links": [ "http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion", - "http://5ntlvn7lmkezscee2vhatjaigkcu2rzj3bwhqaz32snmqc4jha3gcjad.onion" + "http://5ntlvn7lmkezscee2vhatjaigkcu2rzj3bwhqaz32snmqc4jha3gcjad.onion", + "http://76yl7gfmz2kkjglcevxps4tleyeqnqhfcxh6rnstxj27oxhoxird3hyd.onion", + "http://yj3eozlkkxkcsprc2fug7tolgtnllruyavuyyar3yzsccjdgvu2bl2yd.onion/", + "http://ufjoe7fdwvml52oin7flwlqksvp3fcvfyh2kwsngt7j2yf7xou52w2qd.onion/", + "http://i2okedfryhllg6ka6aur3wnxcxdaufbuuysp4drr5xoc6gvqpcogejid.onion/", + "http://s37weqmxusvfcxkoorgkut5v7frn27zftdb6pdjsyjl5djg6oxjqjbid.onion/", + "http://oftm4u5cfl6wyadj27h3csdxfvyd7favssxcr7l7wnswdsrfedxswxqd.onion/", + "http://wg55rcy2chmbpeh6pl5pftnveac2lqfxbletrtzanfjhhmvcjnn5tcqd.onion/", + "http://sbjthwyoxfuxq75b77e2hsj7ie67m3qicfnuikhuabwo3sikvrzyaxad.onion/", + "http://zo5xog4vpvdae473doneepetidh36m5czdq2vyeiq3lvqhuel56p6nid.onion/", + "http://66ohzao6afsv2opk22r2kv6fbnf2fthe7v4ykzzc5vjezvvyf3gocwyd.onion/", + "https://2nn4b6gihz5bttzabjegune3blwktad2zmy77fwutvvrxxodbufo6qid.onion/", + "http://y6kyfs2unbfcyodzjrxadn4w5vyulhyotdi5dtiqulxbduujehupunqd.onion/" ], "refs": [ "https://www.ransomlook.io/group/embargo" @@ -29299,6 +29372,7 @@ "value": "apos" }, { + "description": "This group is believed to be connected to Lost Trust. El Dorado rebranded to BlackLock in September 2024.", "meta": { "links": [ "http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion/", @@ -29544,6 +29618,7 @@ "value": "chilelocker" }, { + "description": "Group is also currently known as MADDLL32 and Metatron.", "meta": { "links": [ "http://k67ivvik3dikqi4gy4ua7xa6idijl4si7k5ad5lotbaeirfcsx4sgbid.onion" @@ -29704,7 +29779,39 @@ }, "uuid": "99ddf1b6-7d75-58f6-b340-47545fec5e55", "value": "osyolorz collective" + }, + { + "meta": { + "links": [ + "http://3o5ewrzhqoyodfs5kll4cjxagdfrpuu474panwobm4im7ejfpaux5jyd.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/embrago" + ] + }, + "uuid": "f054ec08-9058-52ba-a90d-922a9cc1a412", + "value": "embrago" + }, + { + "meta": { + "links": [ + "http://nitrogenczslprh3xyw6lh5xyjvmsz7ciljoqxxknd7uymkfetfhgvqd.onion", + "http://2u6njk55okdxvrup5feu3wbhyxvlqla7yuj2oz3xkzz27yzc66vcirqd.onion/", + "http://jzl4bylm4bng2zgmeqw3lx6bcbxzb2hulicxneuosq26sshnitrcvcad.onion/", + "http://6a5ib4udgwlkyl3zzeyenedcb7d33j2vq7egpqykr5457uiskeu6zjad.onion/", + "http://hzyp7n436ecwo73xvrgnf5wmbjewszwut4h6vz4fu6f2oqd5zfcd7sad.onion/", + "http://67hvtslok5a4cwjxfmidbgbunsvckypf2dwkpxg3y2sabar5b4jidmyd.onion/", + "http://sqnnhgqr4iiwnkaih6vspyxmebz2vvjv3uybmjdynw6sne5plilunhyd.onion/", + "http://z4tonbkjybcllsvd45smpkqkk5uaspmlnvmysrkxt37wuudijvp7k2id.onion", + "http://awrfq7pjydfp3hwbsun6ltxrrzths5ztgxj7i7ybx7twjrdvzvxkgwad.onion" + ], + "refs": [ + "https://www.ransomlook.io/group/nitrogen" + ] + }, + "uuid": "9d7ca9df-c219-59fc-93fb-86f4606942ba", + "value": "nitrogen" } ], - "version": 134 + "version": 135 } From a3fd555efe6248e7ea5a399e1f7b083f9a019d39 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 3 Oct 2024 08:38:18 +0200 Subject: [PATCH 22/42] chg: [sigma] updated to the latest version --- README.md | 4 +- clusters/sigma-rules.json | 3046 +++++++++++++++++++------------------ 2 files changed, 1543 insertions(+), 1507 deletions(-) diff --git a/README.md b/README.md index fd1d6b9b..71ff208b 100644 --- a/README.md +++ b/README.md @@ -495,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *38* elements [Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project. -Category: *tool* - source: *Various* - total: *1805* elements +Category: *tool* - source: *Various* - total: *1807* elements [[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)] @@ -535,7 +535,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements [Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules. -Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2964* elements +Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2965* elements [[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index 222a4df1..db7c7bfa 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json @@ -23,10 +23,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], "tags": [ @@ -149,10 +149,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", + "https://www.sans.org/cyber-security-summit/archives", "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling", - "https://www.sans.org/cyber-security-summit/archives", - "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], "tags": [ @@ -188,9 +188,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -258,10 +258,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], "tags": [ @@ -294,9 +294,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", "https://twitter.com/Hexacorn/status/991447379864932352", "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", + "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ @@ -395,8 +395,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", "https://persistence-info.github.io/Data/aedebug.html", + "https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" ], "tags": [ @@ -419,12 +419,12 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", - "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", - "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", "https://www.attackiq.com/2023/09/20/emulating-rhysida/", + "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", + "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", + "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml" ], "tags": [ @@ -466,11 +466,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", - "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", - "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", + "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", + "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", + "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" ], "tags": [ @@ -717,8 +717,8 @@ "logsource.product": "windows", "refs": [ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", - "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ @@ -751,8 +751,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf", "https://twitter.com/standa_t/status/1808868985678803222", + "https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml" ], "tags": [ @@ -820,9 +820,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], "tags": [ @@ -863,8 +863,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74", + "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml" ], "tags": [ @@ -1032,8 +1032,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" ], "tags": [ @@ -1100,9 +1100,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ @@ -1135,8 +1135,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/dottor_morte/status/1544652325570191361", "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", + "https://twitter.com/dottor_morte/status/1544652325570191361", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" ], "tags": [ @@ -1202,10 +1202,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", + "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", - "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", + "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml" ], "tags": [ @@ -1329,8 +1329,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://labs.f-secure.com/blog/scheduled-task-tampering/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://labs.f-secure.com/blog/scheduled-task-tampering/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" ], "tags": [ @@ -1439,8 +1439,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", + "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml" ], "tags": [ @@ -1473,8 +1473,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" ], "tags": [ @@ -1508,6 +1508,7 @@ "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)", + "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml" ], "tags": [ @@ -1540,9 +1541,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" ], "tags": [ @@ -1626,9 +1627,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml" ], "tags": [ @@ -1661,8 +1662,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/inversecos/status/1494174785621819397", "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", + "https://twitter.com/inversecos/status/1494174785621819397", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml" ], @@ -1773,8 +1774,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" ], "tags": [ @@ -1857,8 +1858,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/dottor_morte/status/1544652325570191361", "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", + "https://twitter.com/dottor_morte/status/1544652325570191361", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" ], "tags": [ @@ -1891,9 +1892,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" ], "tags": [ @@ -1939,10 +1940,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", - "https://github.com/gtworek/PSBits/tree/master/IFilter", - "https://twitter.com/0gtweet/status/1468548924600459267", "https://persistence-info.github.io/Data/ifilters.html", + "https://twitter.com/0gtweet/status/1468548924600459267", + "https://github.com/gtworek/PSBits/tree/master/IFilter", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], "tags": [ @@ -1965,10 +1966,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", - "https://twitter.com/M_haggis/status/1699056847154725107", + "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", + "https://twitter.com/M_haggis/status/1699056847154725107", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ @@ -2285,17 +2286,17 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ @@ -2336,8 +2337,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", + "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml" ], "tags": [ @@ -2393,8 +2394,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" ], "tags": [ @@ -2451,8 +2452,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", + "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml" ], "tags": [ @@ -2485,8 +2486,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", + "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" ], "tags": [ @@ -2519,8 +2520,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://youtu.be/zSihR3lTf7g", "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", + "https://youtu.be/zSihR3lTf7g", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" ], "tags": [ @@ -2610,16 +2611,16 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blog.sekoia.io/darkgate-internals/", - "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://blog.sekoia.io/darkgate-internals/", "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry", - "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" ], "tags": [ @@ -2787,9 +2788,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ @@ -2857,13 +2858,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ @@ -2896,9 +2897,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", + "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" ], "tags": [ @@ -2933,9 +2934,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], "tags": [ @@ -2991,9 +2992,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], "tags": [ @@ -3077,9 +3078,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ @@ -3148,8 +3149,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" ], "tags": [ @@ -3184,9 +3185,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ @@ -3277,9 +3278,9 @@ "logsource.product": "windows", "refs": [ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", - "https://github.com/elastic/detection-rules/issues/1371", - "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", + "https://github.com/elastic/detection-rules/issues/1371", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ @@ -3444,9 +3445,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], "tags": [ @@ -3552,8 +3553,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/inversecos/status/1494174785621819397", "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", + "https://twitter.com/inversecos/status/1494174785621819397", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml" ], @@ -3620,8 +3621,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/shell/app-registration", "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://learn.microsoft.com/en-us/windows/win32/shell/app-registration", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" ], "tags": [ @@ -3654,13 +3655,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ @@ -3728,8 +3729,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" ], "tags": [ @@ -3819,8 +3820,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://vanmieghem.io/stealth-outlook-persistence/", "https://twitter.com/_vivami/status/1347925307643355138", + "https://vanmieghem.io/stealth-outlook-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml" ], "tags": [ @@ -3877,8 +3878,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "Internal Research", "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml" ], "tags": [ @@ -3978,10 +3979,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", - "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1", "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware", + "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps", + "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml" ], "tags": [ @@ -4038,9 +4039,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ @@ -4106,9 +4107,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://persistence-info.github.io/Data/codesigning.html", "https://github.com/gtworek/PSBits/tree/master/SIP", - "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" ], "tags": [ @@ -4199,8 +4200,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior", "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5", + "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml" ], "tags": [ @@ -4233,8 +4234,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/client-management/manage-recall", "https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis", + "https://learn.microsoft.com/en-us/windows/client-management/manage-recall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml" ], "tags": [ @@ -4267,8 +4268,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.exploit-db.com/exploits/47696", "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", + "https://www.exploit-db.com/exploits/47696", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml" ], "tags": [ @@ -4399,8 +4400,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/hfiref0x/UACME", + "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" ], "tags": [ @@ -4468,8 +4469,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass", "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/", + "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml" ], "tags": [ @@ -4535,9 +4536,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change", - "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml" ], "tags": [ @@ -4645,8 +4646,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/rootm0s/WinPwnage", "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", + "https://github.com/rootm0s/WinPwnage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" ], "tags": [ @@ -4679,8 +4680,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" ], "tags": [ @@ -4804,9 +4805,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", - "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" ], "tags": [ @@ -4862,8 +4863,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ @@ -5087,8 +5088,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", + "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml" ], "tags": [ @@ -5189,9 +5190,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://twitter.com/pabraeken/status/998627081360695297", "https://twitter.com/VakninHai/status/1517027824984547329", + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], "tags": [ @@ -5265,8 +5266,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://twitter.com/malmoeb/status/1560536653709598721", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml" ], "tags": [ @@ -5290,10 +5291,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", - "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], "tags": [ @@ -5459,8 +5460,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml" ], "tags": [ @@ -5527,9 +5528,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], "tags": [ @@ -5597,10 +5598,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://persistence-info.github.io/Data/userinitmprlogonscript.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], "tags": [ @@ -5634,9 +5635,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" ], "tags": [ @@ -5711,8 +5712,8 @@ "logsource.product": "windows", "refs": [ "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials", - "https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/", "https://adsecurity.org/?p=1785", + "https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml" ], "tags": [ @@ -5745,10 +5746,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml" ], "tags": [ @@ -6086,8 +6087,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml" ], "tags": [ @@ -6327,9 +6328,9 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "http://woshub.com/how-to-clear-rdp-connections-history/", + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" ], "tags": [ @@ -6370,11 +6371,11 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/shell/launch", "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/OTRF/detection-hackathon-apt29/issues/7", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", "https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", - "https://learn.microsoft.com/en-us/windows/win32/shell/launch", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], "tags": [ @@ -6441,8 +6442,8 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/client-management/manage-recall", "https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis", + "https://learn.microsoft.com/en-us/windows/client-management/manage-recall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml" ], "tags": [ @@ -6508,8 +6509,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" ], "tags": [ @@ -6552,9 +6553,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ + "https://adepts.of0x.cc/netsh-portproxy-code/", "https://www.dfirnotes.net/portproxy_detection/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", - "https://adepts.of0x.cc/netsh-portproxy-code/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ @@ -6659,9 +6660,9 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", "https://nvd.nist.gov/vuln/detail/cve-2021-34527", - "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://nvd.nist.gov/vuln/detail/cve-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], @@ -6697,9 +6698,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ + "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", "https://persistence-info.github.io/Data/recyclebin.html", - "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" ], "tags": [ @@ -6732,10 +6733,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", - "https://github.com/hfiref0x/UACME", - "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://github.com/hfiref0x/UACME", + "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", + "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ @@ -6877,8 +6878,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" ], "tags": [ @@ -7253,8 +7254,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157", + "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml" ], "tags": [ @@ -7428,8 +7429,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/MalwareJake/status/870349480356454401", "https://wikileaks.org/vault7/#Pandemic", + "https://twitter.com/MalwareJake/status/870349480356454401", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml" ], "tags": [ @@ -7743,11 +7744,11 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", - "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", - "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", - "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", + "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", + "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", + "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml" ], "tags": [ @@ -7847,8 +7848,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/amsi.html", "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", + "https://persistence-info.github.io/Data/amsi.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml" ], "tags": [ @@ -8307,8 +8308,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" ], "tags": [ @@ -8341,8 +8342,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml" ], "tags": [ @@ -8376,9 +8377,9 @@ "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", - "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/", + "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml" ], "tags": [ @@ -8411,8 +8412,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", "https://twitter.com/notwhickey/status/1333900137232523264", + "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml" ], "tags": [ @@ -8445,9 +8446,9 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://twitter.com/neonprimetime/status/1436376497980428318", "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml" ], "tags": [ @@ -8548,8 +8549,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", + "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://cydefops.com/devtunnels-unleashed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml" ], @@ -8784,8 +8785,8 @@ "logsource.product": "windows", "refs": [ "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/", - "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf", "https://malware.guide/browser-hijacker/remove-onelaunch-virus/", + "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml" ], "tags": [ @@ -8861,13 +8862,13 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a", - "https://redcanary.com/blog/misbehaving-rats/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://blog.sekoia.io/scattered-spider-laying-new-eggs/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://redcanary.com/blog/misbehaving-rats/", "https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml" ], @@ -8901,18 +8902,18 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://securelist.com/faq-the-projectsauron-apt/75533/", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://securelist.com/faq-the-projectsauron-apt/75533/", "https://www.us-cert.gov/ncas/alerts/TA17-117A", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml" ], "tags": [ @@ -9027,8 +9028,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", - "https://o365blog.com/post/adfs/", "https://github.com/Azure/SimuLand", + "https://o365blog.com/post/adfs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml" ], "tags": [ @@ -9130,8 +9131,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/malcomvetter/CSExec", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml" ], "tags": [ @@ -9309,10 +9310,10 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/d4rksystem/status/1357010969264873472", + "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://github.com/SigmaHQ/sigma/issues/253", "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", - "https://github.com/SigmaHQ/sigma/issues/253", - "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml" ], "tags": [ @@ -9346,8 +9347,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml" ], "tags": [ @@ -9448,8 +9449,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml" ], "tags": [ @@ -9506,8 +9507,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" ], "tags": [ @@ -9540,8 +9541,8 @@ "logsource.category": "sysmon_status", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" ], "tags": [ @@ -9620,8 +9621,8 @@ "logsource.category": "sysmon_error", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" ], "tags": [ @@ -9654,8 +9655,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon", "https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36", + "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_executable_detected.yml" ], "tags": [ @@ -9736,9 +9737,9 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/KeeThief", "https://github.com/denandz/KeeFarce", "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", + "https://github.com/GhostPack/KeeThief", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml" ], "tags": [ @@ -9771,8 +9772,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/", "https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/", + "https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml" ], "tags": [ @@ -9906,8 +9907,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", + "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml" ], "tags": [ @@ -10523,8 +10524,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/SafetyKatz", "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", + "https://github.com/GhostPack/SafetyKatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml" ], "tags": [ @@ -10557,8 +10558,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", + "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml" ], "tags": [ @@ -10682,8 +10683,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml" ], "tags": [ @@ -10740,8 +10741,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], @@ -10775,9 +10776,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/IExpress", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml" ], "tags": [ @@ -10960,10 +10961,10 @@ "logsource.product": "windows", "refs": [ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ @@ -10996,8 +10997,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml" ], @@ -11111,8 +11112,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml" ], "tags": [ @@ -11303,8 +11304,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders", "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", + "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml" ], "tags": [ @@ -11337,10 +11338,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", "https://github.com/Yaxser/Backstab", - "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", + "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", + "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml" ], "tags": [ @@ -11543,9 +11544,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "Internal Research", "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", + "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" ], "tags": [ @@ -11578,8 +11579,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml" ], "tags": [ @@ -11602,10 +11603,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", - "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ @@ -11727,8 +11728,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/wpbbin.html", "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://persistence-info.github.io/Data/wpbbin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" ], "tags": [ @@ -11785,8 +11786,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml" ], "tags": [ @@ -11882,8 +11883,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" ], "tags": [ @@ -12399,9 +12400,9 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", + "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "http://addbalance.com/word/startup.htm", - "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml" ], "tags": [ @@ -12533,26 +12534,26 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/besimorhino/powercat", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/adrecon/ADRecon", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", - "https://github.com/PowerShellMafia/PowerSploit", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/besimorhino/powercat", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/samratashok/nishang", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/HarmJ0y/DAMP", + "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/adrecon/ADRecon", + "https://github.com/adrecon/AzureADRecon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -12651,8 +12652,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/davisrichardg/status/1616518800584704028", "https://aboutdfir.com/the-key-to-identify-psexec/", + "https://twitter.com/davisrichardg/status/1616518800584704028", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml" ], "tags": [ @@ -12705,12 +12706,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/helpsystems/nanodump", - "https://www.google.com/search?q=procdump+lsass", "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + "https://www.google.com/search?q=procdump+lsass", "https://github.com/CCob/MirrorDump", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://github.com/helpsystems/nanodump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml" ], "tags": [ @@ -12811,10 +12812,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", + "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": [ @@ -12880,8 +12881,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1550836225652686848", "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile", + "https://twitter.com/nas_bench/status/1550836225652686848", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml" ], "tags": [ @@ -13045,8 +13046,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml" ], "tags": [ @@ -13069,8 +13070,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md", "PT ESC rule and personal experience", + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml" ], "tags": [ @@ -13103,8 +13104,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], @@ -13233,8 +13234,8 @@ "refs": [ "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", - "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", + "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" ], "tags": [ @@ -13367,8 +13368,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/14", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/14", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" ], "tags": [ @@ -13598,10 +13599,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", - "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", + "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" ], "tags": [ @@ -13768,8 +13769,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml" ], "tags": [ @@ -13835,8 +13836,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", "https://github.com/last-byte/PersistenceSniper", + "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml" ], "tags": [ @@ -13859,11 +13860,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -13897,9 +13898,9 @@ "logsource.product": "windows", "refs": [ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://pentestlab.blog/tag/ntds-dit/", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" ], "tags": [ @@ -14065,10 +14066,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/cube0x0/status/1418920190759378944", - "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/FireFart/hivenightmare/", + "https://github.com/WiredPulse/Invoke-HiveNightmare", + "https://twitter.com/cube0x0/status/1418920190759378944", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" ], "tags": [ @@ -14247,8 +14248,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", + "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" ], "tags": [ @@ -14282,8 +14283,8 @@ "logsource.product": "windows", "refs": [ "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://twitter.com/Sam0x90/status/1552011547974696960", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], "tags": [ @@ -14339,8 +14340,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], @@ -14407,8 +14408,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml" ], "tags": [ @@ -14441,8 +14442,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/fox-it/LDAPFragger", + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml" ], @@ -14536,9 +14537,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://twitter.com/pfiatde/status/1681977680688738305", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml" @@ -14573,8 +14574,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/465533/0/html", "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", + "https://www.joesandbox.com/analysis/465533/0/html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml" ], "tags": [ @@ -14657,11 +14658,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ @@ -14694,8 +14695,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" ], "tags": [ @@ -14755,10 +14756,10 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/MaD_c4t/status/1623414582382567424", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", "https://labs.withsecure.com/publications/detecting-onenote-abuse", - "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], @@ -15107,12 +15108,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/Wh04m1001/SysmonEoP", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", - "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -15155,8 +15156,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "Internal Research", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml" ], "tags": [ @@ -15222,9 +15223,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], "tags": [ @@ -15257,11 +15258,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934", + "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://github.com/search?q=CVE-2021-36934", "https://github.com/HuskyHacks/ShadowSteal", "https://github.com/FireFart/hivenightmare", - "https://www.google.com/search?q=%22reg.exe+save%22+sam", - "https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ @@ -15294,8 +15295,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", + "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ @@ -15362,8 +15363,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml" ], "tags": [ @@ -15465,8 +15466,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml" ], "tags": [ @@ -15599,8 +15600,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/", "Internal Research", + "https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml" ], "tags": [ @@ -15756,8 +15757,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/", "Internal Research", + "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml" ], "tags": [ @@ -15823,8 +15824,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://github.com/cube0x0/CVE-2021-1675", + "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml" ], "tags": [ @@ -15961,8 +15962,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/9", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ @@ -16028,9 +16029,9 @@ "logsource.category": "file_executable_detected", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/IExpress", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml" ], "tags": [ @@ -16188,9 +16189,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", - "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", + "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", + "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ @@ -16223,9 +16224,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/hfiref0x/UACME", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", + "https://github.com/hfiref0x/UACME", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ @@ -16510,10 +16511,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://twitter.com/splinter_code/status/1483815103279603714", - "https://www.elastic.co/security-labs/operation-bleeding-bear", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": [ @@ -16565,8 +16566,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/1477717351017680899?s=12", - "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", + "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml" ], "tags": [ @@ -16656,8 +16657,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/_JohnHammond/status/1531672601067675648", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], @@ -16724,9 +16725,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", - "https://github.com/GhostPack/Rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", + "https://github.com/GhostPack/Rubeus", + "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" ], "tags": [ @@ -16776,12 +16777,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", - "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", - "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", - "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", - "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", + "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", + "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", + "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", + "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", + "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml" ], "tags": [ @@ -16814,13 +16815,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], "tags": [ @@ -16853,9 +16854,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", - "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml" ], "tags": [ @@ -16932,8 +16933,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://ss64.com/bash/rar.html", + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" ], @@ -17159,8 +17160,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml" ], "tags": [ @@ -17226,10 +17227,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/IExpress", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", - "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://en.wikipedia.org/wiki/IExpress", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml" ], "tags": [ @@ -17295,9 +17296,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" ], @@ -17413,8 +17414,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], @@ -17597,8 +17598,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", "Turla has used fsutil fsinfo drives to list connected drives.", + "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" ], "tags": [ @@ -17631,8 +17632,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/BloodHound", "https://github.com/BloodHoundAD/SharpHound", + "https://github.com/BloodHoundAD/BloodHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml" ], "tags": [ @@ -17706,8 +17707,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/Seatbelt", "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", + "https://github.com/GhostPack/Seatbelt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" ], "tags": [ @@ -17923,8 +17924,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/mandiant/SharPersist", "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", + "https://github.com/mandiant/SharPersist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml" ], "tags": [ @@ -17980,13 +17981,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", - "https://github.com/zcgonvh/NTDSDumpEx", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://pentestlab.blog/tag/ntds-dit/", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/zcgonvh/NTDSDumpEx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ @@ -18128,8 +18129,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml" ], "tags": [ @@ -18360,8 +18361,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml" ], "tags": [ @@ -18462,8 +18463,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", + "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" ], "tags": [ @@ -18497,9 +18498,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://adepts.of0x.cc/netsh-portproxy-code/", "https://www.dfirnotes.net/portproxy_detection/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", - "https://adepts.of0x.cc/netsh-portproxy-code/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ @@ -18608,10 +18609,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], "tags": [ @@ -18721,10 +18722,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], "tags": [ @@ -18791,9 +18792,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/cloudflare/cloudflared", "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", - "https://github.com/cloudflare/cloudflared", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ @@ -19020,8 +19021,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml" ], "tags": [ @@ -19360,11 +19361,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vysecurity/status/885545634958385153", "https://twitter.com/Hexacorn/status/885570278637678592", + "https://twitter.com/Hexacorn/status/885553465417756673", "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", - "https://twitter.com/Hexacorn/status/885553465417756673", + "https://twitter.com/vysecurity/status/885545634958385153", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], "tags": [ @@ -19487,8 +19488,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://www.echotrail.io/insights/search/wusa.exe/", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" ], "tags": [ @@ -19661,8 +19662,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" ], "tags": [ @@ -19686,8 +19687,8 @@ "logsource.product": "windows", "refs": [ "https://blog.viettelcybersecurity.com/saml-show-stopper/", - "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", + "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml" ], "tags": [ @@ -19779,8 +19780,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml" ], "tags": [ @@ -19813,8 +19814,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml" ], "tags": [ @@ -20030,8 +20031,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/wpbbin.html", "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://persistence-info.github.io/Data/wpbbin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml" ], "tags": [ @@ -20139,8 +20140,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/svchost/", "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", + "https://pentestlab.blog/tag/svchost/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml" ], "tags": [ @@ -20172,8 +20173,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://emkc.org/s/RJjuLa", "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://emkc.org/s/RJjuLa", "https://redcanary.com/blog/chromeloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml" ], @@ -20207,8 +20208,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml" ], "tags": [ @@ -20307,8 +20308,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://linux.die.net/man/1/bash", "https://lolbas-project.github.io/lolbas/Binaries/Bash/", + "https://linux.die.net/man/1/bash", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" ], @@ -20410,9 +20411,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/swagkarna/Defeat-Defender-V1.2.0", - "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", + "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml" ], "tags": [ @@ -20512,9 +20513,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml" ], "tags": [ @@ -20570,10 +20571,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", - "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", + "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml" ], "tags": [ @@ -20606,8 +20607,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", + "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml" ], "tags": [ @@ -20657,8 +20658,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", + "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml" ], "tags": [ @@ -20732,11 +20733,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/aceresponder/status/1636116096506818562", + "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", + "https://twitter.com/aceresponder/status/1636116096506818562", "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", - "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ @@ -20838,8 +20839,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=Ie831jF0bb0", "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.youtube.com/watch?v=Ie831jF0bb0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml" ], "tags": [ @@ -20881,9 +20882,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/03/06/2022-year-in-review/", - "https://www.yeahhub.com/list-installed-programs-version-path-windows/", "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product", + "https://www.yeahhub.com/list-installed-programs-version-path-windows/", + "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" ], "tags": [ @@ -20918,9 +20919,9 @@ "refs": [ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://twitter.com/egre55/status/1087685529016193025", - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://twitter.com/egre55/status/1087685529016193025", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" ], "tags": [ @@ -20953,8 +20954,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml" ], "tags": [ @@ -20988,9 +20989,9 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml" ], "tags": [ @@ -21023,9 +21024,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" ], "tags": [ @@ -21092,9 +21093,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", - "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ @@ -21129,9 +21130,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", - "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml" ], "tags": [ @@ -21274,8 +21275,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml" ], "tags": [ @@ -21310,9 +21311,9 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" ], "tags": [ @@ -21336,8 +21337,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" ], "tags": [ @@ -21459,8 +21460,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml" ], "tags": [ @@ -21527,8 +21528,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1550836225652686848", "https://persistence-info.github.io/Data/windowsterminalprofile.html", + "https://twitter.com/nas_bench/status/1550836225652686848", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" ], "tags": [ @@ -21586,8 +21587,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml" ], "tags": [ @@ -21662,10 +21663,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", + "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml" ], "tags": [ @@ -21754,8 +21755,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dsnezhkov/TruffleSnout", "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", + "https://github.com/dsnezhkov/TruffleSnout", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" ], @@ -21823,9 +21824,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml" ], @@ -22109,11 +22110,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", - "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", "https://man.openbsd.org/ssh_config#LocalCommand", "https://gtfobins.github.io/gtfobins/ssh/", + "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", "https://man.openbsd.org/ssh_config#ProxyCommand", + "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml" ], "tags": [ @@ -22146,10 +22147,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], "tags": [ @@ -22192,9 +22193,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.intrinsec.com/apt27-analysis/", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ @@ -22434,9 +22435,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" ], "tags": [ @@ -22537,8 +22538,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", "https://twitter.com/med0x2e/status/1520402518685200384", + "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml" ], "tags": [ @@ -22614,8 +22615,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", + "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml" ], "tags": [ @@ -22648,8 +22649,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml" ], "tags": [ @@ -22794,8 +22795,8 @@ "refs": [ "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", "https://redcanary.com/blog/msix-installers/", - "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml" ], "tags": [ @@ -22829,9 +22830,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", - "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml" ], "tags": [ @@ -23012,10 +23013,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", + "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" ], "tags": [ @@ -23292,12 +23293,12 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", - "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", - "https://positive.security/blog/ms-officecmd-rce", - "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", - "https://lolbas-project.github.io/lolbas/Binaries/Teams/", "https://taggart-tech.com/quasar-electron/", + "https://lolbas-project.github.io/lolbas/Binaries/Teams/", + "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", "https://github.com/mttaggart/quasar", + "https://positive.security/blog/ms-officecmd-rce", + "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" ], "tags": [ @@ -23353,8 +23354,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" ], @@ -23421,8 +23422,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://tria.ge/240731-jh4crsycnb/behavioral2", "https://redcanary.com/blog/threat-detection/process-masquerading/", + "https://tria.ge/240731-jh4crsycnb/behavioral2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml" ], "tags": [ @@ -23479,11 +23480,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml" ], "tags": [ @@ -23516,13 +23517,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sql/tools/bcp-utility", - "https://asec.ahnlab.com/en/61000/", - "https://www.huntress.com/blog/attacking-mssql-servers", - "https://asec.ahnlab.com/en/78944/", - "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://www.huntress.com/blog/attacking-mssql-servers-pt-ii", + "https://www.huntress.com/blog/attacking-mssql-servers", "https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/", + "https://asec.ahnlab.com/en/61000/", + "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://asec.ahnlab.com/en/78944/", + "https://docs.microsoft.com/en-us/sql/tools/bcp-utility", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml" ], "tags": [ @@ -23555,8 +23556,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/wermgr.exe", "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", + "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml" ], @@ -23600,9 +23601,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], "tags": [ @@ -23726,8 +23727,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml" ], "tags": [ @@ -23828,8 +23829,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml" ], "tags": [ @@ -23903,9 +23904,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" ], "tags": [ @@ -23971,10 +23972,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://tria.ge/240521-ynezpagf56/behavioral1", - "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/", "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091", "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/", + "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/", + "https://tria.ge/240521-ynezpagf56/behavioral1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml" ], "tags": [ @@ -24007,8 +24008,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/", + "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml" ], "tags": [ @@ -24042,11 +24043,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://twitter.com/cglyer/status/1355171195654709249", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://twitter.com/cglyer/status/1355171195654709249", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], "tags": [ @@ -24222,8 +24223,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", - "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", + "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml" ], "tags": [ @@ -24257,8 +24258,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml" ], @@ -24326,8 +24327,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://www.fortiguard.com/threat-signal-report/4718?s=09", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml" ], @@ -24403,8 +24404,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", + "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" ], "tags": [ @@ -24470,8 +24471,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" ], "tags": [ @@ -24538,8 +24539,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core", "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", + "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml" ], "tags": [ @@ -24572,12 +24573,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vletoux/pingcastle", - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", - "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", + "https://github.com/vletoux/pingcastle", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", + "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml" ], @@ -24612,8 +24613,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml" ], "tags": [ @@ -24646,8 +24647,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://emkc.org/s/RJjuLa", "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://emkc.org/s/RJjuLa", "https://redcanary.com/blog/chromeloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml" ], @@ -24681,11 +24682,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], "tags": [ @@ -24761,12 +24762,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/helpsystems/nanodump", "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://github.com/Hackndo/lsassy", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + "https://github.com/Hackndo/lsassy", "https://github.com/CCob/MirrorDump", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://github.com/helpsystems/nanodump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml" ], "tags": [ @@ -24799,8 +24800,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Print/", "https://twitter.com/Oddvarmoe/status/985518877076541440", + "https://lolbas-project.github.io/lolbas/Binaries/Print/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml" ], "tags": [ @@ -24882,9 +24883,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.php.net/manual/en/features.commandline.php", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -24942,8 +24943,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", + "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" ], "tags": [ @@ -25043,8 +25044,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml" ], @@ -25122,8 +25123,8 @@ "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml" ], "tags": [ @@ -25189,10 +25190,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_JohnHammond/status/1588155401752788994", "https://twitter.com/Max_Mal_/status/1633863678909874176", "Internal Research", "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", + "https://twitter.com/_JohnHammond/status/1588155401752788994", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml" ], "tags": [ @@ -25258,8 +25259,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml" ], "tags": [ @@ -25348,9 +25349,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", + "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], "tags": [ @@ -25452,10 +25453,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", - "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", - "https://github.com/defaultnamehere/cookie_crimes/", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://github.com/defaultnamehere/cookie_crimes/", + "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", + "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" ], "tags": [ @@ -25554,8 +25555,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml" ], @@ -25657,8 +25658,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml" ], @@ -26140,10 +26141,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", "https://twitter.com/SBousseaden/status/1211636381086339073", + "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ @@ -26194,8 +26195,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", + "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" ], "tags": [ @@ -26228,12 +26229,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://redcanary.com/blog/raspberry-robin/", - "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" ], "tags": [ @@ -26299,8 +26300,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.gpg4win.de/documentation.html", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://www.gpg4win.de/documentation.html", "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml" ], @@ -26324,8 +26325,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_remove.yml" ], "tags": [ @@ -26359,9 +26360,9 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml" ], "tags": [ @@ -26461,9 +26462,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1", - "https://labs.nettitude.com/blog/introducing-sharpwsus/", "https://github.com/nettitude/SharpWSUS", + "https://labs.nettitude.com/blog/introducing-sharpwsus/", + "https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml" ], "tags": [ @@ -26530,8 +26531,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml" ], "tags": [ @@ -26901,8 +26902,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml" ], "tags": [ @@ -27026,8 +27027,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml" ], "tags": [ @@ -27061,11 +27062,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", - "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", + "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", + "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml" ], "tags": [ @@ -27159,9 +27160,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", - "https://github.com/antonioCoco/RogueWinRM", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://github.com/antonioCoco/RogueWinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ @@ -27194,8 +27195,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" ], "tags": [ @@ -27269,8 +27270,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", "https://github.com/carlospolop/PEASS-ng", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml" ], "tags": [ @@ -27342,8 +27343,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml" ], "tags": [ @@ -27575,12 +27576,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://www.joeware.net/freetools/tools/adfind/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" ], "tags": [ @@ -27711,8 +27712,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml" ], "tags": [ @@ -27778,10 +27779,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cloudflare/cloudflared/releases", "https://github.com/cloudflare/cloudflared", - "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://www.intrinsec.com/akira_ransomware/", + "https://github.com/cloudflare/cloudflared/releases", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml" ], @@ -27815,9 +27816,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://twitter.com/nas_bench/status/1534915321856917506", "https://twitter.com/nas_bench/status/1534916659676422152", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml" ], "tags": [ @@ -27893,8 +27894,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.gpg4win.de/documentation.html", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://www.gpg4win.de/documentation.html", "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml" ], @@ -28020,8 +28021,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml" ], "tags": [ @@ -28054,9 +28055,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://learn.microsoft.com/en-us/azure/dns/dns-zones-records", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", + "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], "tags": [ @@ -28340,8 +28341,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", + "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml" ], "tags": [ @@ -28466,9 +28467,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing", "https://reaqta.com/2017/11/short-journey-darkvnc/", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html", + "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml" ], "tags": [ @@ -28560,12 +28561,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", - "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", - "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", "https://www.attackiq.com/2023/09/20/emulating-rhysida/", + "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", + "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", + "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml" ], "tags": [ @@ -28608,9 +28609,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", - "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", + "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], "tags": [ @@ -28869,13 +28870,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml" ], "tags": [ @@ -28975,8 +28976,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", "https://github.com/Hackplayers/evil-winrm", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml" ], "tags": [ @@ -29178,9 +29179,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/dsacls.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", + "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ @@ -29282,10 +29283,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://twitter.com/EricaZelic/status/1614075109827874817", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" ], "tags": [ @@ -29334,8 +29335,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" ], @@ -29438,13 +29439,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://twitter.com/Hexacorn/status/776122138063409152", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], @@ -29520,8 +29521,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bopin2020/status/1366400799199272960", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/bopin2020/status/1366400799199272960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml" ], "tags": [ @@ -29562,9 +29563,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/Hexacorn/status/1420053502554951689", - "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml" ], "tags": [ @@ -29642,8 +29643,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml" ], "tags": [ @@ -29677,8 +29678,8 @@ "logsource.product": "windows", "refs": [ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], @@ -29777,8 +29778,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.nirsoft.net/utils/nircmd.html", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd.html", "https://www.nirsoft.net/utils/nircmd2.html#using", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], @@ -29837,8 +29838,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", - "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" ], "tags": [ @@ -29976,8 +29977,8 @@ "logsource.product": "windows", "refs": [ "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", - "https://redcanary.com/blog/child-processes/", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", + "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ @@ -30010,9 +30011,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", "https://twitter.com/RedDrip7/status/1506480588827467785", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" ], "tags": [ @@ -30045,8 +30046,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/995837734379032576", "https://twitter.com/pabraeken/status/999090532839313408", + "https://twitter.com/pabraeken/status/995837734379032576", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" ], @@ -30080,9 +30081,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist", - "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html", + "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml" ], "tags": [ @@ -30156,8 +30157,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" ], @@ -30259,15 +30260,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" @@ -30319,8 +30320,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml" ], "tags": [ @@ -30446,8 +30447,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/msbuild.exe", "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", + "https://www.echotrail.io/insights/search/msbuild.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml" ], "tags": [ @@ -30526,8 +30527,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", + "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml" ], "tags": [ @@ -30585,8 +30586,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://redcanary.com/threat-detection-report/", "https://www.cobaltstrike.com/help-windows-executable", + "https://redcanary.com/threat-detection-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" ], "tags": [ @@ -30619,10 +30620,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml", "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", + "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml" ], "tags": [ @@ -30699,9 +30700,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://unicode-explorer.com/c/202E", "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", "https://redcanary.com/blog/right-to-left-override/", - "https://unicode-explorer.com/c/202E", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml" ], "tags": [ @@ -30801,8 +30802,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", + "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml" ], "tags": [ @@ -30936,9 +30937,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1461041276514623491", "https://twitter.com/tccontre18/status/1480950986650832903", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", + "https://twitter.com/mrd0x/status/1461041276514623491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml" ], "tags": [ @@ -30971,13 +30972,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.softperfect.com/products/networkscanner/", + "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", "https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf", "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", - "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/", - "https://www.softperfect.com/products/networkscanner/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml" ], "tags": [ @@ -31119,9 +31120,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], "tags": [ @@ -31197,8 +31198,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-", + "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" ], "tags": [ @@ -31308,8 +31309,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md", "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml" ], "tags": [ @@ -31484,8 +31485,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://twitter.com/ForensicITGuy/status/1334734244120309760", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" @@ -31537,9 +31538,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey", "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ @@ -31572,9 +31573,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", "https://twitter.com/bohops/status/994405551751815170", "https://redcanary.com/blog/lateral-movement-winrm-wmi/", - "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" ], "tags": [ @@ -31641,10 +31642,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", - "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", + "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", + "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ @@ -31744,8 +31745,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", "https://adsecurity.org/?p=2288", + "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" ], "tags": [ @@ -31842,8 +31843,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" ], "tags": [ @@ -32013,9 +32014,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml" ], "tags": [ @@ -32057,8 +32058,8 @@ "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", - "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", + "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" ], "tags": [ @@ -32091,9 +32092,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2481", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://youtu.be/5mqid-7zp8k?t=2481", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" ], @@ -32152,8 +32153,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Desk/", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl", + "https://lolbas-project.github.io/lolbas/Libraries/Desk/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml" ], "tags": [ @@ -32219,10 +32220,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" ], "tags": [ @@ -32265,8 +32266,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1182391019633029120", "https://twitter.com/cglyer/status/1182389676876980224", + "https://twitter.com/cglyer/status/1182391019633029120", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" ], "tags": [ @@ -32322,11 +32323,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://isc.sans.edu/diary/22264", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://isc.sans.edu/diary/22264", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" ], @@ -32370,8 +32371,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://www.fortiguard.com/threat-signal-report/4718?s=09", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml" ], @@ -32405,8 +32406,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.phpied.com/make-your-javascript-a-windows-exe/", "https://twitter.com/DissectMalware/status/998797808907046913", + "https://www.phpied.com/make-your-javascript-a-windows-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Jsc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml" ], @@ -32440,8 +32441,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml" ], "tags": [ @@ -32661,8 +32662,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", - "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922", "https://github.com/grayhatkiller/SharpExShell", + "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml" ], "tags": [ @@ -32695,8 +32696,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], @@ -32805,8 +32806,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml" ], "tags": [ @@ -32930,10 +32931,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1535322450858233858", - "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://twitter.com/nas_bench/status/1535322450858233858", "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", + "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml" ], "tags": [ @@ -32966,8 +32967,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", + "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://lolbas-project.github.io/lolbas/Binaries/Tar/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml" ], @@ -33010,10 +33011,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", - "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", + "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -33104,8 +33105,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml" ], @@ -33140,13 +33141,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://twitter.com/Hexacorn/status/776122138063409152", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], @@ -33213,8 +33214,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], "tags": [ @@ -33386,9 +33387,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf", "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", - "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" ], "tags": [ @@ -33423,9 +33424,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml" ], "tags": [ @@ -33492,9 +33493,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", - "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml" ], "tags": [ @@ -33528,8 +33529,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/sensepost/ruler", - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml" ], "tags": [ @@ -33571,8 +33572,8 @@ "logsource.product": "windows", "refs": [ "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", - "https://www.echotrail.io/insights/search/regsvr32.exe", "https://redcanary.com/blog/intelligence-insights-april-2022/", + "https://www.echotrail.io/insights/search/regsvr32.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml" ], "tags": [ @@ -33728,10 +33729,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/lefterispan/status/1286259016436514816", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml" ], "tags": [ @@ -33764,8 +33765,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3proxy/3proxy", "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/3proxy/3proxy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml" ], "tags": [ @@ -33832,9 +33833,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://twitter.com/mrd0x/status/1511489821247684615", "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://twitter.com/mrd0x/status/1511415432888131586", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" ], @@ -33877,8 +33878,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter", + "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml" ], "tags": [ @@ -33912,8 +33913,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml" ], "tags": [ @@ -33946,11 +33947,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", - "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", + "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ @@ -34034,9 +34035,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", + "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], "tags": [ @@ -34092,9 +34093,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://www.exploit-db.com/exploits/37525", - "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], "tags": [ @@ -34194,10 +34195,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf", - "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/", "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/", "https://github.com/AlessandroZ/LaZagne/tree/master", + "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf", + "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml" ], @@ -34221,8 +34222,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", + "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml" ], "tags": [ @@ -34255,8 +34256,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" ], "tags": [ @@ -34355,8 +34356,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive", "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", + "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml" ], "tags": [ @@ -34423,8 +34424,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/netsh.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", + "https://ss64.com/nt/netsh.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml" ], "tags": [ @@ -34457,10 +34458,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" ], "tags": [ @@ -34493,9 +34494,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/", "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/", "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/", + "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml" ], @@ -34528,8 +34529,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" ], "tags": [ @@ -34642,8 +34643,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" @@ -34790,10 +34791,10 @@ "refs": [ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", - "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml" ], "tags": [ @@ -34868,8 +34869,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", "https://securityxploded.com/", + "https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml" ], "tags": [ @@ -34902,10 +34903,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", - "https://github.com/wunderwuzzi23/firefox-cookiemonster", - "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", "https://github.com/defaultnamehere/cookie_crimes/", + "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", + "https://github.com/wunderwuzzi23/firefox-cookiemonster", + "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" ], "tags": [ @@ -35142,8 +35143,8 @@ "logsource.product": "windows", "refs": [ "https://www.revshells.com/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://nmap.org/ncat/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml" ], "tags": [ @@ -35243,8 +35244,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml" ], "tags": [ @@ -35326,8 +35327,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml" ], "tags": [ @@ -35402,9 +35403,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml" ], "tags": [ @@ -35461,11 +35462,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://twitter.com/cyberwar_15/status/1187287262054076416", + "https://blog.alyac.co.kr/1901", + "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", "https://en.wikipedia.org/wiki/Hangul_(word_processor)", - "https://blog.alyac.co.kr/1901", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], "tags": [ @@ -35516,11 +35517,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", - "https://twitter.com/0gtweet/status/1299071304805560321?s=21", "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", + "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive", + "https://twitter.com/0gtweet/status/1299071304805560321?s=21", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml" ], "tags": [ @@ -35586,8 +35587,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml" ], "tags": [ @@ -35621,8 +35622,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", - "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", + "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml" ], "tags": [ @@ -35678,8 +35679,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml" ], "tags": [ @@ -35713,8 +35714,8 @@ "logsource.product": "windows", "refs": [ "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt", - "https://twitter.com/n1nj4sec/status/1421190238081277959", "https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt", + "https://twitter.com/n1nj4sec/status/1421190238081277959", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" ], "tags": [ @@ -35780,9 +35781,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml" ], "tags": [ @@ -35838,8 +35839,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" ], "tags": [ @@ -35998,8 +35999,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml" ], @@ -36033,12 +36034,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", "https://twitter.com/eral4m/status/1479080793003671557", + "https://twitter.com/nas_bench/status/1433344116071583746", "https://twitter.com/Hexacorn/status/885258886428725250", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", - "https://twitter.com/nas_bench/status/1433344116071583746", "https://twitter.com/eral4m/status/1479106975967240209", - "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" ], "tags": [ @@ -36137,9 +36138,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", - "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", + "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml" ], "tags": [ @@ -36266,11 +36267,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", + "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ @@ -36378,8 +36379,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/1224848930795552769", "http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/", + "https://twitter.com/Hexacorn/status/1224848930795552769", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml" ], "tags": [ @@ -36402,8 +36403,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/quarkslab/quarkspwdump", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", + "https://github.com/quarkslab/quarkspwdump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml" ], "tags": [ @@ -36478,8 +36479,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml" ], @@ -36570,8 +36571,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", + "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml" ], @@ -36638,8 +36639,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://github.com/malcomvetter/CSExec", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml" ], "tags": [ @@ -36681,8 +36682,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/", "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", + "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml" ], "tags": [ @@ -37021,11 +37022,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://twitter.com/0gtweet/status/1628720819537936386", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml" ], "tags": [ @@ -37060,9 +37061,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://docs.python.org/3/using/cmdline.html#cmdoption-c", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml" ], "tags": [ @@ -37218,10 +37219,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.intrinsec.com/akira_ransomware/", "https://github.com/cloudflare/cloudflared", - "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "https://www.intrinsec.com/akira_ransomware/", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml" ], "tags": [ @@ -37336,8 +37337,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hatching.io/blog/powershell-analysis/", "https://lab52.io/blog/winter-vivern-all-summer/", + "https://hatching.io/blog/powershell-analysis/", "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" ], @@ -37440,8 +37441,8 @@ "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", - "https://twitter.com/Z3Jpa29z/status/1317545798981324801", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://twitter.com/Z3Jpa29z/status/1317545798981324801", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml" ], "tags": [ @@ -37525,9 +37526,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml" ], "tags": [ @@ -37593,9 +37594,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", - "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml" ], "tags": [ @@ -37644,9 +37645,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://twitter.com/nas_bench/status/1534957360032120833", - "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml" ], "tags": [ @@ -37762,8 +37763,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Kevin-Robertson/Inveigh", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/Kevin-Robertson/Inveigh", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml" ], "tags": [ @@ -37796,8 +37797,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/x86matthew/status/1505476263464607744?s=12", "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", + "https://twitter.com/x86matthew/status/1505476263464607744?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml" ], "tags": [ @@ -37898,8 +37899,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml" ], "tags": [ @@ -38009,8 +38010,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/byt3bl33d3r/CrackMapExec", "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242", + "https://github.com/byt3bl33d3r/CrackMapExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" ], "tags": [ @@ -38052,9 +38053,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/oulusoyum/status/1191329746069655553", - "https://twitter.com/mattifestation/status/1196390321783025666", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/mattifestation/status/1196390321783025666", + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], "tags": [ @@ -38310,8 +38311,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", "https://twitter.com/0gtweet/status/1457676633809330184", + "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml" ], "tags": [ @@ -38410,10 +38411,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://nodejs.org/api/cli.html", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", + "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ @@ -38446,8 +38447,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml" ], @@ -38471,9 +38472,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", - "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml" ], "tags": [ @@ -38599,24 +38600,24 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/besimorhino/powercat", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/adrecon/AzureADRecon", + "https://adsecurity.org/?p=2921", + "https://github.com/HarmJ0y/DAMP", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/Kevin-Robertson/Powermad", - "https://adsecurity.org/?p=2921", + "https://github.com/besimorhino/powercat", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/samratashok/nishang", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/adrecon/ADRecon", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml" ], "tags": [ @@ -38706,8 +38707,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", + "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml" ], "tags": [ @@ -38764,8 +38765,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/", "https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/", + "https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml" ], "tags": [ @@ -38798,9 +38799,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html", + "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml" ], "tags": [ @@ -38901,8 +38902,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", + "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml" ], "tags": [ @@ -39043,9 +39044,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" ], "tags": [ @@ -39187,10 +39188,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cloudflare/cloudflared/releases", "https://github.com/cloudflare/cloudflared", - "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://www.intrinsec.com/akira_ransomware/", + "https://github.com/cloudflare/cloudflared/releases", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml" ], @@ -39374,9 +39375,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", "https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://twitter.com/pabraeken/status/990758590020452353", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], "tags": [ @@ -39409,8 +39410,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml" ], "tags": [ @@ -39466,10 +39467,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/lefterispan/status/1286259016436514816", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml" ], "tags": [ @@ -39535,8 +39536,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/blackorbird/status/1140519090961825792", "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", + "https://twitter.com/blackorbird/status/1140519090961825792", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" ], "tags": [ @@ -39604,10 +39605,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", + "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml" ], "tags": [ @@ -39640,8 +39641,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml" ], @@ -39733,12 +39734,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", + "https://www.localpotato.com/", "https://github.com/ohpe/juicy-potato", "https://pentestlab.blog/2017/04/13/hot-potato/", - "https://www.localpotato.com/", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", - "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], "tags": [ @@ -39840,11 +39841,11 @@ "logsource.product": "windows", "refs": [ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], "tags": [ @@ -39885,9 +39886,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", - "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml" ], "tags": [ @@ -40056,8 +40057,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" ], "tags": [ @@ -40099,9 +40100,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" ], "tags": [ @@ -40195,13 +40196,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", + "https://ngrok.com/docs", "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", "https://twitter.com/xorJosh/status/1598646907802451969", - "https://www.softwaretestinghelp.com/how-to-use-ngrok/", - "https://ngrok.com/docs", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", - "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], "tags": [ @@ -40267,8 +40268,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" ], @@ -40338,8 +40339,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml" ], "tags": [ @@ -40372,8 +40373,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/03/30/weak-service-permissions/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/30/weak-service-permissions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" ], "tags": [ @@ -40409,8 +40410,8 @@ "logsource.product": "windows", "refs": [ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://twitter.com/0gtweet/status/1628720819537936386", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", + "https://twitter.com/0gtweet/status/1628720819537936386", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], "tags": [ @@ -40443,8 +40444,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", + "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" ], "tags": [ @@ -40688,8 +40689,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml" ], "tags": [ @@ -40758,8 +40759,8 @@ "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml" ], "tags": [ @@ -40793,11 +40794,11 @@ "logsource.product": "windows", "refs": [ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://twitter.com/egre55/status/1087685529016193025", - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://twitter.com/egre55/status/1087685529016193025", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], "tags": [ @@ -40832,8 +40833,8 @@ "refs": [ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://twitter.com/hFireF0X/status/897640081053364225", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" ], "tags": [ @@ -40878,8 +40879,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml" ], "tags": [ @@ -40956,15 +40957,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", - "https://github.com/Neo23x0/Raccine#the-process", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", "https://blog.talosintelligence.com/2017/05/wannacry.html", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/Neo23x0/Raccine#the-process", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" ], "tags": [ @@ -41191,8 +41192,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", "https://www.radmin.fr/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml" ], "tags": [ @@ -41226,8 +41227,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], @@ -41261,10 +41262,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", - "https://adsecurity.org/?p=2604", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", + "https://adsecurity.org/?p=2604", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", + "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -41297,8 +41298,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], @@ -41405,8 +41406,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", + "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml" ], "tags": [ @@ -41530,12 +41531,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/JohnLaTwC/status/835149808817991680", "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", - "https://twitter.com/JohnLaTwC/status/835149808817991680", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], "tags": [ @@ -41568,10 +41569,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", + "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" ], "tags": [ @@ -41639,8 +41640,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", + "https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml" ], "tags": [ @@ -41663,10 +41664,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", - "https://twitter.com/M_haggis/status/1699056847154725107", + "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", + "https://twitter.com/M_haggis/status/1699056847154725107", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ @@ -41690,9 +41691,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", - "https://en.wikipedia.org/wiki/HTML_Application", "https://www.echotrail.io/insights/search/mshta.exe", + "https://en.wikipedia.org/wiki/HTML_Application", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], "tags": [ @@ -41725,8 +41726,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://github.com/fireeye/DueDLLigence", + "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], @@ -41845,10 +41846,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", - "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], "tags": [ @@ -41914,16 +41915,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://bunnyinside.com/?term=f71e8cb9c76a", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], "tags": [ @@ -41980,10 +41981,10 @@ "logsource.product": "windows", "refs": [ "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", - "https://twitter.com/mattifestation/status/1326228491302563846", - "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script", - "http://blog.sevagas.com/?Hacking-around-HTA-files", "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", + "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script", + "https://twitter.com/mattifestation/status/1326228491302563846", + "http://blog.sevagas.com/?Hacking-around-HTA-files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], "tags": [ @@ -42034,15 +42035,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "https://www.group-ib.com/blog/apt41-world-tour-2021/", - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", + "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", + "https://www.group-ib.com/blog/apt41-world-tour-2021/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml" ], "tags": [ @@ -42245,9 +42246,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], @@ -42308,8 +42309,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", - "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", + "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml" ], "tags": [ @@ -42343,10 +42344,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], "tags": [ @@ -42455,13 +42456,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", + "https://www.cobaltstrike.com/help-opsec", "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", "https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://twitter.com/CyberRaiju/status/1251492025678983169", - "https://www.cobaltstrike.com/help-opsec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" ], "tags": [ @@ -42550,9 +42551,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], "tags": [ @@ -42655,8 +42656,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/991335019833708544", "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", + "https://twitter.com/pabraeken/status/991335019833708544", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" ], "tags": [ @@ -42732,8 +42733,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/wermgr.exe", "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", + "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml" ], @@ -42781,8 +42782,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" ], "tags": [ @@ -42898,8 +42899,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", + "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" ], "tags": [ @@ -42956,8 +42957,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", + "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], "tags": [ @@ -42991,8 +42992,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml" ], "tags": [ @@ -43082,8 +43083,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", + "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml" ], "tags": [ @@ -43116,9 +43117,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://twitter.com/pfiatde/status/1681977680688738305", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml" @@ -43355,10 +43356,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.activecyber.us/activelabs/windows-uac-bypass", - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://twitter.com/ReaQta/status/1222548288731217921", "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://www.activecyber.us/activelabs/windows-uac-bypass", + "https://twitter.com/ReaQta/status/1222548288731217921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" ], "tags": [ @@ -43425,9 +43426,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/issues/1009", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" ], "tags": [ @@ -43549,8 +43550,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/orange_8361/status/1518970259868626944", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml" ], "tags": [ @@ -43617,8 +43618,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" ], "tags": [ @@ -43717,8 +43718,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -43803,8 +43804,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" ], "tags": [ @@ -43969,8 +43970,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.nirsoft.net/utils/nircmd.html", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd.html", "https://www.nirsoft.net/utils/nircmd2.html#using", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], @@ -44138,8 +44139,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", + "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" ], "tags": [ @@ -44163,8 +44164,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/", - "https://twitter.com/pabraeken/status/993298228840992768", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", + "https://twitter.com/pabraeken/status/993298228840992768", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ @@ -44197,8 +44198,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/client-management/manage-recall", "https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis", + "https://learn.microsoft.com/en-us/windows/client-management/manage-recall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml" ], "tags": [ @@ -44273,8 +44274,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://support.anydesk.com/Automatic_Deployment", "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", + "https://support.anydesk.com/Automatic_Deployment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml" ], "tags": [ @@ -44476,9 +44477,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml" ], "tags": [ @@ -44535,9 +44536,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", + "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" ], "tags": [ @@ -44772,11 +44773,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], "tags": [ @@ -44826,9 +44827,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml" ], @@ -45011,13 +45012,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://twitter.com/Hexacorn/status/1224848930795552769", "https://twitter.com/Wietze/status/1542107456507203586", + "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", "https://twitter.com/shantanukhande/status/1229348874298388484", - "https://twitter.com/Hexacorn/status/1224848930795552769", - "https://twitter.com/SBousseaden/status/1167417096374050817", - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], "tags": [ @@ -45061,8 +45062,8 @@ "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", + "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" ], "tags": [ @@ -45165,9 +45166,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/ps/foreach-object.html", - "https://ss64.com/nt/for.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://ss64.com/nt/for.html", + "https://ss64.com/ps/foreach-object.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" ], "tags": [ @@ -45209,9 +45210,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1461041276514623491", "https://twitter.com/tccontre18/status/1480950986650832903", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", + "https://twitter.com/mrd0x/status/1461041276514623491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml" ], "tags": [ @@ -45244,8 +45245,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml" ], "tags": [ @@ -45278,8 +45279,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml" ], "tags": [ @@ -45463,8 +45464,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml" ], "tags": [ @@ -45498,8 +45499,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml" ], "tags": [ @@ -45555,8 +45556,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", "https://twitter.com/JohnLaTwC/status/1082851155481288706", + "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml" ], "tags": [ @@ -45663,8 +45664,8 @@ "refs": [ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", - "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", + "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], @@ -45843,11 +45844,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], "tags": [ @@ -45880,9 +45881,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://twitter.com/mattifestation/status/986280382042595328", + "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://atomicredteam.io/defense-evasion/T1220/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" ], @@ -45941,8 +45942,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://abuse.io/lockergoga.txt", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" ], @@ -45985,8 +45986,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", + "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml" ], "tags": [ @@ -46106,12 +46107,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vletoux/pingcastle", - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", - "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", + "https://github.com/vletoux/pingcastle", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", + "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml" ], @@ -46145,8 +46146,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml" ], "tags": [ @@ -46221,8 +46222,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://twitter.com/cglyer/status/1183756892952248325", + "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml" ], "tags": [ @@ -46255,8 +46256,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" ], "tags": [ @@ -46433,8 +46434,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nmap.org/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", + "https://nmap.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml" ], "tags": [ @@ -46467,11 +46468,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", - "https://twitter.com/JohnLaTwC/status/1223292479270600706", "https://twitter.com/bohops/status/980659399495741441", "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://twitter.com/JohnLaTwC/status/1223292479270600706", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], "tags": [ @@ -46639,8 +46640,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], @@ -46674,8 +46675,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", + "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" ], "tags": [ @@ -46816,12 +46817,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/_JohnHammond/status/1708910264261980634", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://twitter.com/egre55/status/1087685529016193025", - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://twitter.com/_JohnHammond/status/1708910264261980634", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://twitter.com/egre55/status/1087685529016193025", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" ], "tags": [ @@ -46896,11 +46897,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://twitter.com/christophetd/status/1164506034720952320", - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", + "https://twitter.com/christophetd/status/1164506034720952320", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ @@ -47033,9 +47034,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", - "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", + "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" ], "tags": [ @@ -47058,9 +47059,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml" ], "tags": [ @@ -47145,8 +47146,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml" ], @@ -47229,8 +47230,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml" ], "tags": [ @@ -47271,8 +47272,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://tools.thehacker.recipes/mimikatz/modules", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml" ], "tags": [ @@ -47337,8 +47338,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect", "https://twitter.com/bohops/status/1635288066909966338", + "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml" ], "tags": [ @@ -47513,8 +47514,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", + "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml" ], "tags": [ @@ -47582,11 +47583,11 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", - "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", - "https://positive.security/blog/ms-officecmd-rce", - "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", - "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", "https://lolbas-project.github.io/lolbas/Binaries/Teams/", + "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", + "https://positive.security/blog/ms-officecmd-rce", + "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", + "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml" ], "tags": [ @@ -47651,8 +47652,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml" ], "tags": [ @@ -47729,8 +47730,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", + "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml" ], "tags": [ @@ -47763,8 +47764,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/dsacls.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" ], "tags": [ @@ -47898,10 +47899,10 @@ "logsource.product": "windows", "refs": [ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", "https://twitter.com/max_mal_/status/1542461200797163522", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" ], "tags": [ @@ -47934,8 +47935,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bryon_/status/975835709587075072", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", + "https://twitter.com/bryon_/status/975835709587075072", "https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml" ], @@ -48027,9 +48028,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://boinc.berkeley.edu/", "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details", "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software", - "https://boinc.berkeley.edu/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml" ], "tags": [ @@ -48104,9 +48105,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", + "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" ], "tags": [ @@ -48130,8 +48131,8 @@ "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml" ], "tags": [ @@ -48164,8 +48165,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/muddywater/88059/", "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", + "https://securelist.com/muddywater/88059/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" ], "tags": [ @@ -48295,8 +48296,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/locked-out/68960/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md", + "https://securelist.com/locked-out/68960/", "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml" ], @@ -48363,10 +48364,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", + "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", - "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" ], "tags": [ @@ -48537,8 +48538,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", "https://twitter.com/eral4m/status/1451112385041911809", + "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml" ], "tags": [ @@ -48661,8 +48662,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" ], @@ -48719,8 +48720,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511489821247684615", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", + "https://twitter.com/mrd0x/status/1511489821247684615", "https://twitter.com/mrd0x/status/1511415432888131586", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml" ], @@ -48829,8 +48830,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/180", "https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/", + "https://github.com/LOLBAS-Project/LOLBAS/pull/180", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml" ], "tags": [ @@ -48897,8 +48898,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bopin2020/status/1366400799199272960", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/bopin2020/status/1366400799199272960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml" ], "tags": [ @@ -48939,10 +48940,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1583356502340870144", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", - "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", + "https://twitter.com/0gtweet/status/1583356502340870144", "https://lolbas-project.github.io/lolbas/Binaries/Setres/", + "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml" ], "tags": [ @@ -48983,10 +48984,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", - "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" ], "tags": [ @@ -49019,14 +49020,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", - "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", - "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -49141,8 +49142,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://asec.ahnlab.com/en/39828/", "https://twitter.com/GelosSnake/status/934900723426439170", + "https://asec.ahnlab.com/en/39828/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml" ], "tags": [ @@ -49245,9 +49246,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", - "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml" ], "tags": [ @@ -49282,8 +49283,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", - "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", + "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" @@ -49328,9 +49329,9 @@ "logsource.product": "windows", "refs": [ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", - "https://twitter.com/JohnLaTwC/status/1415295021041979392", "https://vms.drweb.fr/virus/?i=24144899", + "https://twitter.com/JohnLaTwC/status/1415295021041979392", + "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" ], "tags": [ @@ -49503,8 +49504,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", + "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml" ], "tags": [ @@ -49633,10 +49634,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://twitter.com/nas_bench/status/1537896324837781506", - "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], "tags": [ @@ -49704,8 +49705,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt", - "Internal Research", "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml" ], "tags": [ @@ -49894,9 +49895,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/", - "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery", + "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", + "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml" ], "tags": [ @@ -49963,8 +49964,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/harr0ey/status/989617817849876488", "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", + "https://twitter.com/harr0ey/status/989617817849876488", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml" ], "tags": [ @@ -49997,9 +49998,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ @@ -50158,9 +50159,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://twitter.com/fr0s7_/status/1712780207105404948", "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml" ], "tags": [ @@ -50183,10 +50184,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", - "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", + "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml" ], "tags": [ @@ -50317,8 +50318,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml" ], "tags": [ @@ -50396,8 +50397,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.poweradmin.com/paexec/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" ], "tags": [ @@ -50430,8 +50431,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs", + "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml" ], "tags": [ @@ -50465,8 +50466,8 @@ "logsource.product": "windows", "refs": [ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", - "https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -50499,8 +50500,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" ], "tags": [ @@ -50541,8 +50542,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8", "https://blackpointcyber.com/resources/blog/breaking-through-the-screen/", + "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml" ], "tags": [ @@ -50575,9 +50576,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], "tags": [ @@ -50610,8 +50611,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml" ], "tags": [ @@ -50710,9 +50711,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml" ], "tags": [ @@ -50765,6 +50766,41 @@ "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615", "value": "Suspicious Office Token Search Via CLI" }, + { + "description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n", + "meta": { + "author": "@Kostastsale", + "creation_date": "2024-09-22", + "falsepositive": [ + "False positives can be found in environments using MessAgent for remote management, analysis should prioritize the grandparent process, MessAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host." + ], + "filename": "proc_creation_win_remote_access_tools_meshagent_exec.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Ylianst/MeshAgent", + "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55", + "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml" + ], + "tags": [ + "attack.command-and-control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "74a2b202-73e0-4693-9a3a-9d36146d0775", + "value": "Remote Access Tool - MeshAgent Command Execution via MeshCentral" + }, { "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", "meta": { @@ -50855,9 +50891,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", - "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", "https://github.com/electron/rcedit", + "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", + "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" ], "tags": [ @@ -50914,8 +50950,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", + "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml" ], "tags": [ @@ -50948,13 +50984,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://www.joeware.net/freetools/tools/adfind/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" ], "tags": [ @@ -51047,9 +51083,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1564968845726580736", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", + "https://twitter.com/0gtweet/status/1564968845726580736", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], "tags": [ @@ -51168,10 +51204,10 @@ "refs": [ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", - "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml" ], "tags": [ @@ -51246,8 +51282,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", + "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml" ], "tags": [ @@ -51280,9 +51316,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://github.com/jpillora/chisel/", + "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml" ], "tags": [ @@ -51349,8 +51385,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", - "https://twitter.com/_felamos/status/1204705548668555264", "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", + "https://twitter.com/_felamos/status/1204705548668555264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml" ], "tags": [ @@ -51383,8 +51419,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml" ], @@ -51442,9 +51478,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", - "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" ], @@ -51511,8 +51547,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml" ], @@ -51546,8 +51582,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://twitter.com/nas_bench/status/1535431474429808642", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml" ], "tags": [ @@ -51630,8 +51666,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", + "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml" ], "tags": [ @@ -51700,8 +51736,8 @@ "logsource.product": "windows", "refs": [ "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml" ], "tags": [ @@ -51835,8 +51871,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/1ZRR4H/status/1534259727059787783", "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", + "https://twitter.com/1ZRR4H/status/1534259727059787783", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml" ], "tags": [ @@ -51869,9 +51905,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", - "https://web.archive.org/web/20231210115125/http://www.xuetr.com/", "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", + "https://web.archive.org/web/20231210115125/http://www.xuetr.com/", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml" ], "tags": [ @@ -52138,8 +52174,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/NetshHelperBeacon", "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/", + "https://github.com/outflanknl/NetshHelperBeacon", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml" ], @@ -52454,9 +52490,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", "https://twitter.com/vysecurity/status/974806438316072960", "https://twitter.com/vysecurity/status/873181705024266241", - "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml" ], @@ -52490,8 +52526,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml" ], "tags": [ @@ -52625,8 +52661,8 @@ "logsource.product": "windows", "refs": [ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml" ], "tags": [ @@ -52659,8 +52695,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", + "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml" ], "tags": [ @@ -52802,8 +52838,8 @@ "refs": [ "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml" ], "tags": [ @@ -52836,8 +52872,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml" ], @@ -53099,8 +53135,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/993497996179492864", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", + "https://twitter.com/pabraeken/status/993497996179492864", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml" ], "tags": [ @@ -53133,8 +53169,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", + "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://lolbas-project.github.io/lolbas/Binaries/Tar/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml" ], @@ -53313,8 +53349,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/frgnca/AudioDeviceCmdlets", - "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" ], "tags": [ @@ -53348,8 +53384,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/tevora-threat/SharpView/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml" ], "tags": [ @@ -53414,8 +53450,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml" ], "tags": [ @@ -53490,8 +53526,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml" ], "tags": [ @@ -53525,8 +53561,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/17", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml" ], "tags": [ @@ -53852,8 +53888,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" ], @@ -53978,10 +54014,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode", - "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior", + "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html", + "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml" ], "tags": [ @@ -54014,9 +54050,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/countuponsec/status/910969424215232518", "https://twitter.com/countuponsec/status/910977826853068800", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", - "https://twitter.com/countuponsec/status/910969424215232518", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], "tags": [ @@ -54049,10 +54085,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://twitter.com/splinter_code/status/1483815103279603714", - "https://www.elastic.co/security-labs/operation-bleeding-bear", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], "tags": [ @@ -54121,8 +54157,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/svchost/", "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", + "https://pentestlab.blog/tag/svchost/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml" ], "tags": [ @@ -54227,8 +54263,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1206692239839289344", "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", + "https://twitter.com/0gtweet/status/1206692239839289344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml" ], "tags": [ @@ -54403,9 +54439,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://www.joeware.net/freetools/tools/adfind/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml" ], "tags": [ @@ -54438,8 +54474,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml" ], "tags": [ @@ -54473,8 +54509,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml" ], "tags": [ @@ -54497,13 +54533,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml" ], "tags": [ @@ -54538,10 +54574,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", - "https://twitter.com/gN3mes1s/status/1206874118282448897", "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", + "https://twitter.com/gN3mes1s/status/1206874118282448897", + "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml" ], @@ -54845,8 +54881,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml" ], "tags": [ @@ -54879,8 +54915,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", + "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://github.com/LOLBAS-Project/LOLBAS/pull/151", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml" ], @@ -54923,8 +54959,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://twitter.com/harr0ey/status/991670870384021504", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml" ], "tags": [ @@ -55127,8 +55163,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", - "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" ], "tags": [ @@ -55364,9 +55400,9 @@ "logsource.product": "windows", "refs": [ "https://zero2auto.com/2020/05/19/netwalker-re/", - "https://mez0.cc/posts/cobaltstrike-powershell-exec/", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://redcanary.com/blog/yellow-cockatoo/", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ @@ -55493,9 +55529,9 @@ "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ + "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", "https://github.com/RiccardoAncarani/LiquidSnake", - "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ @@ -55528,8 +55564,8 @@ "logsource.category": "process_tampering", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/", "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml" ], "tags": [ @@ -55674,8 +55710,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", + "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://cydefops.com/devtunnels-unleashed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml" ], @@ -55709,8 +55745,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://megatools.megous.com/", "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://megatools.megous.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml" ], "tags": [ @@ -55854,8 +55890,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" ], "tags": [ @@ -55930,11 +55966,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://youtu.be/n2dFlSaBBKo", + "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", "https://github.com/looCiprian/GC2-sheet", + "https://youtu.be/n2dFlSaBBKo", "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", - "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml" ], "tags": [ @@ -56068,9 +56104,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2", "https://portmap.io/", "https://github.com/rapid7/metasploit-framework/issues/11337", - "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_portmap.yml" ], "tags": [ @@ -56181,8 +56217,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://pypi.org/project/scapy/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", + "https://pypi.org/project/scapy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" ], "tags": [ @@ -56215,8 +56251,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "Internal Research", "https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml" ], @@ -56418,11 +56454,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://twitter.com/M_haggis/status/900741347035889665", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://twitter.com/M_haggis/status/1032799638213066752", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml" ], "tags": [ @@ -56524,9 +56560,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/", - "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml" ], "tags": [ @@ -56561,8 +56597,8 @@ "refs": [ "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/", "https://tria.ge/240301-rk34sagf5x/behavioral2", - "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d", "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html", + "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml" ], "tags": [ @@ -56618,10 +56654,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", - "https://ngrok.com/", "https://ngrok.com/blog-post/new-ngrok-domains", + "https://ngrok.com/", "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", + "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml" ], "tags": [ @@ -56654,8 +56690,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c", "https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md", + "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml" ], "tags": [ @@ -56688,9 +56724,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://www.poolwatch.io/coin/monero", "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files", "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt", - "https://www.poolwatch.io/coin/monero", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml" ], "tags": [ @@ -56800,9 +56836,9 @@ "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", - "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/", + "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml" ], "tags": [ @@ -57140,8 +57176,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://twitter.com/forensicitguy/status/1513538712986079238", + "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" ], @@ -57175,9 +57211,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml" ], @@ -57313,12 +57349,12 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", - "https://twitter.com/kleiton0x7e/status/1600567316810551296", - "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", - "https://github.com/kleiton0x00/RedditC2", + "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/", + "https://twitter.com/kleiton0x7e/status/1600567316810551296", + "https://github.com/kleiton0x00/RedditC2", + "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml" ], "tags": [ @@ -57479,8 +57515,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://ngrok.com/", + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" ], "tags": [ @@ -57581,8 +57617,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml" ], "tags": [ @@ -57616,10 +57652,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://twitter.com/malmoeb/status/1535142803075960832", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml" ], "tags": [ @@ -57721,10 +57757,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml" ], "tags": [ @@ -57758,9 +57794,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker", + "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], "tags": [ @@ -57833,8 +57869,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/899646620148539397", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://twitter.com/mattifestation/status/899646620148539397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" ], "tags": [ @@ -57993,8 +58029,8 @@ "logsource.product": "windows", "refs": [ "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/", - "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule", + "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml" ], "tags": [ @@ -58147,8 +58183,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/899646620148539397", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://twitter.com/mattifestation/status/899646620148539397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" ], "tags": [ @@ -58182,8 +58218,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", "https://twitter.com/SBousseaden/status/1096148422984384514", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" ], "tags": [ @@ -58235,8 +58271,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", "https://twitter.com/duzvik/status/1269671601852813320", + "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" ], "tags": [ @@ -58597,7 +58633,7 @@ } ], "uuid": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", - "value": "Windows Defender Exclusion Reigstry Key - Write Access Requested" + "value": "Windows Defender Exclusion Registry Key - Write Access Requested" }, { "description": "Detects WRITE_DAC access to a domain object", @@ -58911,8 +58947,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1101431884540710913", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625", + "https://twitter.com/SBousseaden/status/1101431884540710913", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" ], "tags": [ @@ -59165,10 +59201,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], "tags": [ @@ -59191,9 +59227,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all", + "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], @@ -59335,8 +59371,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" ], "tags": [ @@ -59402,9 +59438,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" ], "tags": [ @@ -59640,8 +59676,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.trustedsec.com/blog/art_of_kerberoast/", "https://adsecurity.org/?p=3513", + "https://www.trustedsec.com/blog/art_of_kerberoast/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_kerberoasting_activity.yml" ], "tags": [ @@ -59674,16 +59710,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://bunnyinside.com/?term=f71e8cb9c76a", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -59766,9 +59802,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html", "https://twitter.com/menasec1/status/1106899890377052160", "https://www.secureworks.com/blog/ransomware-as-a-distraction", - "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" ], "tags": [ @@ -59843,8 +59879,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://adsecurity.org/?p=3466", + "https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" ], @@ -59986,8 +60022,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sans.org/webcasts/119395", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://www.sans.org/webcasts/119395", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], @@ -60039,9 +60075,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/gentilkiwi/status/1003236624925413376", - "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48", + "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -60074,10 +60110,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", - "https://twitter.com/MsftSecIntel/status/1257324139515269121", "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://twitter.com/MsftSecIntel/status/1257324139515269121", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" ], "tags": [ @@ -60313,9 +60349,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", - "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ @@ -60416,8 +60452,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" ], "tags": [ @@ -60450,9 +60486,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616", - "Live environment caused by malware", "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", + "Live environment caused by malware", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -60518,10 +60554,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://x.com/_st0pp3r_/status/1742203752361128162?s=20", "https://github.com/deepinstinct/NoFilter", - "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp", "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation", + "https://x.com/_st0pp3r_/status/1742203752361128162?s=20", + "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml" ], "tags": [ @@ -60595,8 +60631,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=1714", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794", + "https://adsecurity.org/?p=1714", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml" ], "tags": [ @@ -60679,8 +60715,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", "https://twitter.com/deviouspolack/status/832535435960209408", + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml" ], @@ -60717,8 +60753,8 @@ "refs": [ "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", - "https://twitter.com/Flangvik/status/1283054508084473861", "https://twitter.com/SecurityJosh/status/1283027365770276866", + "https://twitter.com/Flangvik/status/1283054508084473861", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], "tags": [ @@ -60861,8 +60897,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], @@ -61251,8 +61287,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/fox-it/LDAPFragger", + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" ], @@ -61627,10 +61663,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/gentilkiwi/status/1003236624925413376", - "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", + "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], "tags": [ @@ -62067,8 +62103,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml" ], "tags": [ @@ -62211,9 +62247,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", - "https://twitter.com/malmoeb/status/1511760068743766026", "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", + "https://twitter.com/malmoeb/status/1511760068743766026", + "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], "tags": [ @@ -62249,8 +62285,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", "https://github.com/topotam/PetitPotam", + "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" ], "tags": [ @@ -62316,8 +62352,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673", "https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml" ], "tags": [ @@ -62350,11 +62386,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776", + "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624", "https://github.com/sensepost/ruler/issues/47", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776", "https://github.com/sensepost/ruler", - "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" ], "tags": [ @@ -62528,8 +62564,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" ], "tags": [ @@ -62674,8 +62710,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md", "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", + "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml" ], "tags": [ @@ -62944,8 +62980,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708", "https://twitter.com/AdamTheAnalyst/status/1134394070045003776", + "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml" ], "tags": [ @@ -63064,8 +63100,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html", + "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml" ], "tags": [ @@ -63123,9 +63159,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", + "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml" ], "tags": [ @@ -63158,11 +63194,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml" ], "tags": [ @@ -63316,10 +63352,10 @@ "logsource.product": "windows", "refs": [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml" ], "tags": [ @@ -63352,11 +63388,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml" ], "tags": [ @@ -63389,9 +63425,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983", - "https://github.com/amjcyber/EDRNoiseMaker", "https://github.com/netero1010/EDRSilencer", + "https://github.com/amjcyber/EDRNoiseMaker", + "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml" ], "tags": [ @@ -63424,8 +63460,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml" ], @@ -63449,8 +63485,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml" ], @@ -63474,8 +63510,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml" ], @@ -63499,8 +63535,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml" ], @@ -63524,8 +63560,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml" ], @@ -63549,8 +63585,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml" ], @@ -63574,8 +63610,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml" ], @@ -63609,8 +63645,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml" ], @@ -63635,8 +63671,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://twitter.com/SBousseaden/status/1483810148602814466", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" ], @@ -64258,8 +64294,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://twitter.com/KevTheHermit/status/1410203844064301056", + "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml" ], @@ -64326,8 +64362,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection", + "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml" ], "tags": [ @@ -64348,7 +64384,7 @@ "value": "Microsoft Defender Tamper Protection Trigger" }, { - "description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n", + "description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n", "meta": { "author": "Ján Trenčanský, frack113", "creation_date": "2020-07-28", @@ -64361,9 +64397,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", - "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml" ], "tags": [ @@ -64396,8 +64432,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands", "https://twitter.com/duff22b/status/1280166329660497920", + "https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml" ], "tags": [ @@ -64507,8 +64543,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012", + "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml" ], "tags": [ @@ -64599,8 +64635,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010", - "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml" ], "tags": [ @@ -64699,9 +64735,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", - "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml" ], "tags": [ @@ -64734,9 +64770,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "Internal Research", + "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml" ], "tags": [ @@ -64837,8 +64873,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml" ], "tags": [ @@ -64871,10 +64907,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml" ], "tags": [ @@ -64950,8 +64986,8 @@ "logsource.product": "windows", "refs": [ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml" ], "tags": [ @@ -65026,8 +65062,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mgreen27/status/1558223256704122882", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", + "https://twitter.com/mgreen27/status/1558223256704122882", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml" ], "tags": [ @@ -65060,8 +65096,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mgreen27/status/1558223256704122882", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", + "https://twitter.com/mgreen27/status/1558223256704122882", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml" ], "tags": [ @@ -65084,11 +65120,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/DidierStevens/status/1217533958096924676", - "https://twitter.com/FlemmingRiis/status/1217147415482060800", "https://nullsec.us/windows-event-log-audit-cve/", - "https://www.youtube.com/watch?v=ebmW42YYveI", + "https://twitter.com/FlemmingRiis/status/1217147415482060800", "https://twitter.com/VM_vivisector/status/1217190929330655232", + "https://www.youtube.com/watch?v=ebmW42YYveI", + "https://twitter.com/DidierStevens/status/1217533958096924676", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml" ], "tags": [ @@ -65428,8 +65464,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml", "https://learn.microsoft.com/en-us/windows/win32/msi/event-logging", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml" ], "tags": [ @@ -65485,8 +65521,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml" ], "tags": [ @@ -65585,12 +65621,12 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://ipurple.team/2024/07/15/sharphound-detection/", + "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", - "https://ipurple.team/2024/07/15/sharphound-detection/", - "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", - "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ @@ -65639,8 +65675,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", + "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" ], "tags": [ @@ -65706,8 +65742,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)", + "https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml" ], "tags": [ @@ -65862,8 +65898,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.secura.com/blog/zero-logon", "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", + "https://www.secura.com/blog/zero-logon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" ], "tags": [ @@ -66436,8 +66472,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml" ], "tags": [ @@ -66610,8 +66646,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sans.org/webcasts/119395", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://www.sans.org/webcasts/119395", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml" ], @@ -67559,9 +67595,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1347900440000811010", - "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", "https://twitter.com/wdormann/status/1347958161609809921", + "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", + "https://twitter.com/jonasLyk/status/1347900440000811010", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml" ], "tags": [ @@ -67627,8 +67663,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/Ekultek/BlueKeep", + "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml" ], "tags": [ @@ -67662,9 +67698,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml" ], "tags": [ @@ -67697,9 +67733,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml" ], "tags": [ @@ -67951,9 +67987,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", - "https://twitter.com/gentilkiwi/status/861641945944391680", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://twitter.com/gentilkiwi/status/861641945944391680", + "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" ], "tags": [ @@ -68019,8 +68055,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml" ], "tags": [ @@ -68068,11 +68104,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", - "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", - "https://winaero.com/enable-openssh-server-windows-10/", "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", + "https://winaero.com/enable-openssh-server-windows-10/", + "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], "tags": [ @@ -68106,8 +68142,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], "tags": [ @@ -68164,8 +68200,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml" ], "tags": [ @@ -68400,9 +68436,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml" ], "tags": [ @@ -68449,10 +68485,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], "tags": [ @@ -68475,10 +68511,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], "tags": [ @@ -68501,10 +68537,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml" ], "tags": [ @@ -68527,10 +68563,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml" ], "tags": [ @@ -68824,11 +68860,11 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://hijacklibs.net/", - "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/", - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/", + "https://hijacklibs.net/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -69080,9 +69116,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/oulusoyum/status/1191329746069655553", - "https://twitter.com/mattifestation/status/1196390321783025666", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/mattifestation/status/1196390321783025666", + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml" ], "tags": [ @@ -69212,9 +69248,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/dez_/status/986614411711442944", "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", + "https://twitter.com/dez_/status/986614411711442944", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" ], "tags": [ @@ -69322,12 +69358,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://github.com/Wh04m1001/SysmonEoP", - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://github.com/Wh04m1001/SysmonEoP", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ @@ -69371,10 +69407,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", - "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", - "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", + "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml" ], "tags": [ @@ -69484,8 +69520,8 @@ "refs": [ "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", - "https://github.com/tyranid/DotNetToJScript", "https://thewover.github.io/Introducing-Donut/", + "https://github.com/tyranid/DotNetToJScript", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ @@ -69628,8 +69664,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html", "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", + "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml" ], "tags": [ @@ -69781,8 +69817,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", + "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" ], "tags": [ @@ -69825,11 +69861,11 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/DTCERT/status/1712785426895839339", - "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html", "https://twitter.com/Max_Mal_/status/1775222576639291859", + "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html", "https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/", "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/", + "https://twitter.com/DTCERT/status/1712785426895839339", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_keyscrambler.yml" ], "tags": [ @@ -69871,10 +69907,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", - "https://twitter.com/chadtilbury/status/1275851297770610688", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", "https://github.com/bohops/WSMan-WinRM", + "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ @@ -69992,9 +70028,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/WhichbufferArda/status/1658829954182774784", "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://securelist.com/apt-luminousmoth/103332/", + "https://twitter.com/WhichbufferArda/status/1658829954182774784", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml" ], "tags": [ @@ -70358,8 +70394,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", + "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://twitter.com/HunterPlaybook/status/1301207718355759107", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml" ], @@ -70504,8 +70540,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/wdormann/status/1547583317410607110", "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", + "https://twitter.com/wdormann/status/1547583317410607110", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml" ], "tags": [ @@ -70540,8 +70576,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2921", "https://github.com/p3nt4/PowerShdll", + "https://adsecurity.org/?p=2921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml" ], "tags": [ @@ -70574,8 +70610,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://github.com/ly4k/SpoolFool", + "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" ], "tags": [ @@ -70655,9 +70691,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true", - "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion", "https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql", + "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion", + "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml" ], "tags": [ @@ -70785,8 +70821,8 @@ "logsource.product": "windows", "refs": [ "https://www.roboform.com/", - "https://twitter.com/StopMalvertisin/status/1648604148848549888", "https://twitter.com/t3ft3lb/status/1656194831830401024", + "https://twitter.com/StopMalvertisin/status/1648604148848549888", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml" ], "tags": [ @@ -70870,9 +70906,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", - "https://github.com/S12cybersecurity/RDPCredentialStealer", "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", + "https://github.com/S12cybersecurity/RDPCredentialStealer", + "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml" ], @@ -70973,8 +71009,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", "https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", + "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml" ], @@ -71117,8 +71153,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html", "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html", + "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml" ], "tags": [ @@ -71381,10 +71417,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", - "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", - "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", + "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml" ], "tags": [ @@ -71512,8 +71548,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml" ], "tags": [ @@ -71867,8 +71903,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", + "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml" ], "tags": [ @@ -72084,8 +72120,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/gabe-k/themebleed", "Internal Research", + "https://github.com/gabe-k/themebleed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_remote_share_load.yml" ], "tags": [ @@ -72164,8 +72200,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/besimorhino/powercat", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://nmap.org/ncat/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ @@ -72298,9 +72334,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/chadtilbury/status/1275851297770610688", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/bohops/WSMan-WinRM", + "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ @@ -72751,8 +72787,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", + "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" ], "tags": [ @@ -72820,8 +72856,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" ], "tags": [ @@ -72920,8 +72956,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2604", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", + "https://adsecurity.org/?p=2604", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], @@ -72955,10 +72991,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps", - "https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], @@ -73127,9 +73163,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], "tags": [ @@ -73230,8 +73266,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" ], "tags": [ @@ -73388,8 +73424,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", + "https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" ], "tags": [ @@ -73455,8 +73491,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" ], "tags": [ @@ -73587,24 +73623,24 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/besimorhino/powercat", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/adrecon/AzureADRecon", + "https://adsecurity.org/?p=2921", + "https://github.com/HarmJ0y/DAMP", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/Kevin-Robertson/Powermad", - "https://adsecurity.org/?p=2921", + "https://github.com/besimorhino/powercat", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/samratashok/nishang", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/adrecon/ADRecon", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -73903,8 +73939,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", + "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" ], "tags": [ @@ -73938,8 +73974,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" ], "tags": [ @@ -74160,8 +74196,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" ], "tags": [ @@ -74227,8 +74263,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" ], "tags": [ @@ -74261,9 +74297,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", - "https://github.com/GhostPack/Rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", + "https://github.com/GhostPack/Rubeus", + "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml" ], "tags": [ @@ -74591,8 +74627,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ @@ -74749,8 +74785,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Arno0x/DNSExfiltrator", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", + "https://github.com/Arno0x/DNSExfiltrator", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" ], "tags": [ @@ -74886,8 +74922,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" ], "tags": [ @@ -75039,8 +75075,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" ], "tags": [ @@ -75073,9 +75109,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2481", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://youtu.be/5mqid-7zp8k?t=2481", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], @@ -75324,9 +75360,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13", "https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md", "https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing", - "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml" ], "tags": [ @@ -75394,9 +75430,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], "tags": [ @@ -75619,10 +75655,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", - "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", + "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", + "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -75731,8 +75767,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ @@ -75887,8 +75923,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a", "https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml" ], "tags": [ @@ -75921,9 +75957,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://thedfirreport.com/2020/10/08/ryuks-return", - "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", "https://adsecurity.org/?p=2277", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], @@ -75991,8 +76027,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], "tags": [ @@ -76125,9 +76161,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", + "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" ], "tags": [ @@ -76168,8 +76204,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", "https://www.offensive-security.com/metasploit-unleashed/timestomp/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" ], "tags": [ @@ -76202,8 +76238,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://attack.mitre.org/datasources/DS0005/", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" ], "tags": [ @@ -76269,11 +76305,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", - "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", + "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", + "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml" ], "tags": [ @@ -76390,9 +76426,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", - "https://www.shellhacks.com/clear-history-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], "tags": [ @@ -76467,8 +76503,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], @@ -76829,8 +76865,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", "https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" ], "tags": [ @@ -76905,8 +76941,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" ], "tags": [ @@ -76972,8 +77008,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ @@ -77007,8 +77043,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/oroneequalsone/status/1568432028361830402", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], "tags": [ @@ -77075,9 +77111,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml" ], "tags": [ @@ -77110,9 +77146,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", - "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", + "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" ], "tags": [ @@ -77202,8 +77238,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" ], "tags": [ @@ -77302,8 +77338,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml" ], "tags": [ @@ -77370,8 +77406,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://techgenix.com/malicious-powershell-scripts-evade-detection/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", + "https://techgenix.com/malicious-powershell-scripts-evade-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" ], "tags": [ @@ -77446,8 +77482,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -77706,9 +77742,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", - "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", + "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], "tags": [ @@ -77916,9 +77952,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], "tags": [ @@ -77984,10 +78020,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", - "https://twitter.com/ScumBots/status/1610626724257046529", "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", + "https://twitter.com/ScumBots/status/1610626724257046529", + "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -78021,8 +78057,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", + "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" ], "tags": [ @@ -78229,9 +78265,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://www.ietf.org/rfc/rfc2821.txt", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" ], "tags": [ @@ -78523,9 +78559,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], "tags": [ @@ -78800,8 +78836,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/8", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/8", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" ], "tags": [ @@ -78867,23 +78903,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/HarmJ0y/DAMP", "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/NetSPI/PowerUpSQL", + "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/samratashok/nishang", "https://github.com/besimorhino/powercat", "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/HarmJ0y/DAMP", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -78916,8 +78952,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" ], "tags": [ @@ -79026,24 +79062,24 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/besimorhino/powercat", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/adrecon/AzureADRecon", + "https://adsecurity.org/?p=2921", + "https://github.com/HarmJ0y/DAMP", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/Kevin-Robertson/Powermad", - "https://adsecurity.org/?p=2921", + "https://github.com/besimorhino/powercat", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/samratashok/nishang", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/adrecon/ADRecon", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ @@ -79392,9 +79428,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://www.mdeditor.tw/pl/pgRt", - "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", + "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://www.mdeditor.tw/pl/pgRt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], "tags": [ @@ -79714,17 +79750,17 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://github.com/ohpe/juicy-potato", - "https://github.com/outflanknl/Dumpert", - "https://github.com/gentilkiwi/mimikatz", - "https://github.com/antonioCoco/RoguePotato", - "https://github.com/fortra/nanodump", - "https://github.com/wavestone-cdt/EDRSandblast", "https://github.com/codewhitesec/HandleKatz", + "https://github.com/fortra/nanodump", "https://github.com/xuanxuan0/DripLoader", + "https://github.com/ohpe/juicy-potato", "https://www.tarasco.org/security/pwdump_7/", - "https://github.com/hfiref0x/UACME", + "https://github.com/antonioCoco/RoguePotato", "https://github.com/topotam/PetitPotam", + "https://github.com/outflanknl/Dumpert", + "https://github.com/hfiref0x/UACME", + "https://github.com/wavestone-cdt/EDRSandblast", + "https://github.com/gentilkiwi/mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml" ], "tags": [ @@ -79911,8 +79947,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", + "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" ], "tags": [ @@ -80025,8 +80061,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/bh4b3sh/status/1303674603819081728", "https://github.com/skelsec/pypykatz", + "https://twitter.com/bh4b3sh/status/1303674603819081728", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml" ], "tags": [ @@ -80234,8 +80270,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158", + "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml" ], "tags": [ @@ -80269,9 +80305,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", - "https://twitter.com/SBousseaden/status/1541920424635912196", "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", + "https://twitter.com/SBousseaden/status/1541920424635912196", + "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml" ], "tags": [ @@ -80304,8 +80340,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml" ], "tags": [ @@ -80608,9 +80644,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/mrd0x/status/1460597833917251595", "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml" ], "tags": [ @@ -80682,8 +80718,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/boku7/spawn", "https://github.com/boku7/injectAmsiBypass", + "https://github.com/boku7/spawn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ @@ -80999,8 +81035,8 @@ "refs": [ "https://threatpost.com/microsoft-petitpotam-poc/168163/", "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", - "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", + "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ @@ -81040,9 +81076,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/nknorg/nkn-sdk-go", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/Maka8ka/NGLite", + "https://github.com/nknorg/nkn-sdk-go", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], "tags": [ @@ -81287,12 +81323,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/corelight/CVE-2021-1675", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", + "https://github.com/corelight/CVE-2021-1675", "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ @@ -81319,10 +81355,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://twitter.com/neu5ron/status/1346245602502443009", - "https://tools.ietf.org/html/rfc2929#section-2.1", + "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", + "https://tools.ietf.org/html/rfc2929#section-2.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], "tags": [ @@ -81608,8 +81644,8 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ - "https://blog.router-switch.com/2013/11/show-running-config/", "https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm", + "https://blog.router-switch.com/2013/11/show-running-config/", "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml" ], @@ -82320,8 +82356,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" ], "tags": [ @@ -82429,8 +82465,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://core.telegram.org/bots/faq", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://core.telegram.org/bots/faq", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" @@ -82562,8 +82598,8 @@ "logsource.product": "No established product", "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], "tags": [ @@ -82654,11 +82690,11 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile", - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/", "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile", + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", + "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml" ], "tags": [ @@ -82692,10 +82728,10 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", + "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html", "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4", "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", - "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html", - "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_external_execution.yml" ], "tags": [ @@ -82770,10 +82806,10 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://www.spamhaus.org/statistics/tlds/", - "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" ], "tags": [ @@ -82934,13 +82970,13 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", - "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", - "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", "https://twitter.com/crep1x/status/1635034100213112833", + "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", "https://perishablepress.com/blacklist/ua-2013.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], @@ -82974,8 +83010,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", + "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml" ], "tags": [ @@ -83077,8 +83113,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", "https://rclone.org/", + "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml" ], "tags": [ @@ -83111,9 +83147,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11", "https://blog.talosintelligence.com/ipfs-abuse/", "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638", - "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml" ], "tags": [ @@ -83196,9 +83232,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", + "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml" ], "tags": [ @@ -83468,8 +83504,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml" ], "tags": [ @@ -83644,9 +83680,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml" ], "tags": [ @@ -83797,8 +83833,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", + "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml" ], "tags": [ @@ -83831,11 +83867,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", - "https://twitter.com/httpvoid0x2f/status/1532924261035384832", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], "tags": [ @@ -83974,9 +84010,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", - "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", + "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", + "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml" ], "tags": [ @@ -84010,8 +84046,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/payloadbox/ssti-payloads", "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", + "https://github.com/payloadbox/ssti-payloads", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml" ], "tags": [ @@ -84044,9 +84080,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", + "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml" ], "tags": [ @@ -84116,11 +84152,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/payloadbox/sql-injection-payload-list", - "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", - "https://brightsec.com/blog/sql-injection-payloads/", "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection", + "https://github.com/payloadbox/sql-injection-payload-list", + "https://brightsec.com/blog/sql-injection-payloads/", + "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" ], "tags": [ @@ -84154,8 +84190,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://book.hacktricks.xyz/pentesting-web/file-inclusion", "https://github.com/projectdiscovery/nuclei-templates", + "https://book.hacktricks.xyz/pentesting-web/file-inclusion", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml" ], "tags": [ @@ -84222,9 +84258,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.exploit-db.com/exploits/19525", "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://github.com/lijiejie/IIS_shortname_Scanner", + "https://www.exploit-db.com/exploits/19525", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" ], "tags": [ @@ -84290,8 +84326,8 @@ "logsource.category": "application", "logsource.product": "jvm", "refs": [ - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml" ], "tags": [ @@ -84358,8 +84394,8 @@ "logsource.product": "jvm", "refs": [ "https://rules.sonarsource.com/java/RSPEC-2755", - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml" ], "tags": [ @@ -84460,8 +84496,8 @@ "logsource.category": "application", "logsource.product": "spring", "refs": [ - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml" ], "tags": [ @@ -84527,10 +84563,10 @@ "logsource.category": "application", "logsource.product": "ruby_on_rails", "refs": [ - "http://guides.rubyonrails.org/action_controller_overview.html", - "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", - "http://edgeguides.rubyonrails.org/security.html", "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", + "http://edgeguides.rubyonrails.org/security.html", + "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", + "http://guides.rubyonrails.org/action_controller_overview.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ @@ -84564,8 +84600,8 @@ "logsource.category": "application", "logsource.product": "velocity", "refs": [ - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://antgarsil.github.io/posts/velocity/", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml" ], "tags": [ @@ -84631,8 +84667,8 @@ "logsource.category": "application", "logsource.product": "django", "refs": [ - "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", "https://docs.djangoproject.com/en/1.11/ref/exceptions/", + "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml" ], "tags": [ @@ -85452,8 +85488,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/", + "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml" ], "tags": [ @@ -85566,8 +85602,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://security.padok.fr/en/blog/kubernetes-webhook-attackers", + "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml" ], "tags": [ @@ -85617,8 +85653,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues", + "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml" ], "tags": [ @@ -85642,8 +85678,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob", + "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml" ], "tags": [ @@ -85805,10 +85841,10 @@ "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ - "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/", "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html", - "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html", + "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer", + "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml" ], "tags": [ @@ -85872,8 +85908,8 @@ "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ - "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch", "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/", + "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml" ], "tags": [ @@ -85955,10 +85991,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://github.com/zeronetworks/rpcfirewall", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ @@ -85982,8 +86018,8 @@ "logsource.product": "rpc_firewall", "refs": [ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], "tags": [ @@ -86114,8 +86150,8 @@ "refs": [ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ @@ -86148,12 +86184,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", "https://github.com/zeronetworks/rpcfirewall", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -86220,10 +86256,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ @@ -86256,10 +86292,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ @@ -86318,8 +86354,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" @@ -86354,10 +86390,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], "tags": [ @@ -86380,8 +86416,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" @@ -86406,10 +86442,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ @@ -86432,10 +86468,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ @@ -86572,9 +86608,9 @@ "logsource.product": "macos", "refs": [ "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", + "https://objective-see.org/blog/blog_0x6D.html", "https://ss64.com/osx/csrutil.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", - "https://objective-see.org/blog/blog_0x6D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml" ], "tags": [ @@ -86640,8 +86676,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/osacompile.html", "https://redcanary.com/blog/applescript/", + "https://ss64.com/osx/osacompile.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml" ], "tags": [ @@ -86748,10 +86784,10 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior", - "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", + "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior", + "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml" ], "tags": [ @@ -86784,9 +86820,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", - "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], "tags": [ @@ -86877,9 +86913,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" ], "tags": [ @@ -86939,9 +86975,9 @@ "refs": [ "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md", - "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html", - "https://www.loobins.io/binaries/launchctl/", "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", + "https://www.loobins.io/binaries/launchctl/", + "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml" ], "tags": [ @@ -86991,9 +87027,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://ss64.com/mac/hdiutil.html", "https://www.loobins.io/binaries/hdiutil/", "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", - "https://ss64.com/mac/hdiutil.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml" ], "tags": [ @@ -87016,8 +87052,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/sysadminctl.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos", + "https://ss64.com/osx/sysadminctl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml" ], "tags": [ @@ -87051,8 +87087,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", + "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" ], "tags": [ @@ -87085,9 +87121,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/sw_vers.html", - "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior", + "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", + "https://ss64.com/osx/sw_vers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml" ], "tags": [ @@ -87120,9 +87156,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ @@ -87180,9 +87216,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", - "https://ss64.com/osx/dsenableroot.html", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", + "https://ss64.com/osx/dsenableroot.html", + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], "tags": [ @@ -87323,9 +87359,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://ss64.com/mac/hdiutil.html", "https://www.loobins.io/binaries/hdiutil/", "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", - "https://ss64.com/mac/hdiutil.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml" ], "tags": [ @@ -87399,8 +87435,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ @@ -87499,13 +87535,13 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", - "https://evasions.checkpoint.com/techniques/macos.html", "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", - "https://www.loobins.io/binaries/sysctl/#", + "https://evasions.checkpoint.com/techniques/macos.html", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior", "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior", "https://objective-see.org/blog/blog_0x1E.html", + "https://www.loobins.io/binaries/sysctl/#", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml" ], "tags": [ @@ -87581,8 +87617,8 @@ "logsource.product": "macos", "refs": [ "https://linux.die.net/man/1/dd", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", "https://linux.die.net/man/1/truncate", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" ], "tags": [ @@ -87683,8 +87719,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://objective-see.org/blog/blog_0x4B.html", "https://redcanary.com/blog/applescript/", + "https://objective-see.org/blog/blog_0x4B.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml" ], "tags": [ @@ -87876,9 +87912,9 @@ "logsource.product": "macos", "refs": [ "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", + "https://objective-see.org/blog/blog_0x6D.html", "https://ss64.com/osx/csrutil.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", - "https://objective-see.org/blog/blog_0x6D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml" ], "tags": [ @@ -88273,8 +88309,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang", + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml" ], "tags": [ @@ -88324,8 +88360,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.loobins.io/binaries/nscurl/", "https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl", + "https://www.loobins.io/binaries/nscurl/", "https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml" ], @@ -88496,9 +88532,9 @@ "refs": [ "https://ss64.com/mac/system_profiler.html", "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af", - "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf", "https://objective-see.org/blog/blog_0x62.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml" ], @@ -88574,10 +88610,10 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", - "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf", "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", "https://ss64.com/mac/chflags.html", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml" ], "tags": [ @@ -88910,8 +88946,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.manpagez.com/man/8/PlistBuddy/", "https://redcanary.com/blog/clipping-silver-sparrows-wings/", + "https://www.manpagez.com/man/8/PlistBuddy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml" ], "tags": [ @@ -88998,8 +89034,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html", "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_disabled.yml" ], "tags": [ @@ -89065,8 +89101,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml" ], "tags": [ @@ -89140,9 +89176,9 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], @@ -89211,10 +89247,10 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration", + "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership", "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository", "https://docs.github.com/en/migrations", - "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership", + "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_repo_or_org_transferred.yml" ], "tags": [ @@ -89325,8 +89361,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities", "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority", + "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_ssh_certificate_config_changed.yml" ], "tags": [ @@ -89360,8 +89396,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html", "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_bypass_detected.yml" ], "tags": [ @@ -89395,8 +89431,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml" ], "tags": [ @@ -89448,8 +89484,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation", "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml" ], "tags": [ @@ -89644,8 +89680,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", + "https://developer.okta.com/docs/reference/api/system-log/", "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml" ], @@ -89727,8 +89763,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml" ], "tags": [ @@ -89762,8 +89798,8 @@ "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": [ @@ -90105,8 +90141,8 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ - "https://duo.com/docs/adminapi#logs", "https://help.duo.com/s/article/6327?language=en_US", + "https://duo.com/docs/adminapi#logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml" ], "tags": [ @@ -90263,8 +90299,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/elastic/detection-rules/pull/1213", "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", + "https://github.com/elastic/detection-rules/pull/1213", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml" ], "tags": [ @@ -90350,8 +90386,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ @@ -90511,8 +90547,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml" ], "tags": [ @@ -90571,9 +90607,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", - "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml" ], "tags": [ @@ -90723,9 +90759,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ @@ -90901,9 +90937,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html", "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html", "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html", + "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml" ], "tags": [ @@ -91111,9 +91147,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/", "https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things", "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html", - "https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml" ], "tags": [ @@ -91197,9 +91233,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", - "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml" ], "tags": [ @@ -91388,13 +91424,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://github.com/elastic/detection-rules/pull/1145/files", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://github.com/elastic/detection-rules/pull/1145/files", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -91750,8 +91786,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml" ], "tags": [ @@ -91808,9 +91844,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog", - "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", "https://cloud.google.com/access-context-manager/docs/audit-logging", + "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", + "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml" ], "tags": [ @@ -92037,11 +92073,11 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ + "https://github.com/elastic/detection-rules/pull/1267", + "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", - "https://github.com/elastic/detection-rules/pull/1267", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml" ], "tags": [ @@ -92065,9 +92101,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://cloud.google.com/kubernetes-engine/docs", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml" ], "tags": [ @@ -92160,8 +92196,8 @@ "logsource.product": "gcp", "refs": [ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml" ], "tags": [ @@ -92184,8 +92220,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml" ], "tags": [ @@ -92208,8 +92244,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml" ], @@ -92233,8 +92269,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://support.google.com/a/answer/9261439", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings", + "https://support.google.com/a/answer/9261439", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml" ], "tags": [ @@ -92302,8 +92338,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml" ], "tags": [ @@ -92336,8 +92372,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml" ], "tags": [ @@ -92436,8 +92472,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html", + "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml" ], "tags": [ @@ -92514,8 +92550,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts", + "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml" ], "tags": [ @@ -92902,11 +92938,11 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://o365blog.com/post/aadbackdoor/", - "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", - "https://www.sygnia.co/golden-saml-advisory", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://www.sygnia.co/golden-saml-advisory", + "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", + "https://o365blog.com/post/aadbackdoor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml" ], "tags": [ @@ -94107,8 +94143,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/", "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f", + "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml" ], "tags": [ @@ -94142,9 +94178,9 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://twitter.com/NathanMcNulty/status/1785051227568632263", - "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487", "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/", + "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487", + "https://twitter.com/NathanMcNulty/status/1785051227568632263", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml" ], "tags": [ @@ -94715,8 +94751,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/", "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f", + "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml" ], "tags": [ @@ -96113,9 +96149,9 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml" ], "tags": [ @@ -96287,8 +96323,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address", + "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml" ], "tags": [ @@ -96359,8 +96395,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml" ], "tags": [ @@ -96385,10 +96421,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml" ], "tags": [ @@ -96438,10 +96474,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml" ], "tags": [ @@ -96465,10 +96501,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -97054,10 +97090,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml" ], "tags": [ @@ -97166,10 +97202,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ @@ -97318,10 +97354,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ @@ -97356,10 +97392,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -97639,10 +97675,10 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml" ], "tags": [ @@ -97677,8 +97713,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml" ], "tags": [ @@ -97956,8 +97992,8 @@ "logsource.product": "qualys", "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], "tags": "No established tags" @@ -97978,10 +98014,10 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], "tags": [ @@ -98005,8 +98041,8 @@ "logsource.product": "No established product", "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], "tags": [ @@ -98166,12 +98202,12 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ + "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", - "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", - "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", + "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", + "https://www.nextron-systems.com/?s=antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], "tags": [ @@ -98237,16 +98273,16 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", - "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", - "https://github.com/tennc/webshell", - "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", - "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", + "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ @@ -98279,10 +98315,10 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", + "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", + "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" ], "tags": [ @@ -98415,9 +98451,9 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" ], @@ -98475,9 +98511,9 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" ], @@ -98677,9 +98713,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", "https://access.redhat.com/articles/4409591#audit-record-types-2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://linux.die.net/man/8/pam_tty_audit", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], @@ -98855,10 +98891,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://mn3m.info/posts/suid-vs-capabilities/", - "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", + "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", + "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -99066,8 +99102,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml" ], "tags": [ @@ -99133,8 +99169,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://firewalld.org/documentation/man-pages/firewall-cmd.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://firewalld.org/documentation/man-pages/firewall-cmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" ], "tags": [ @@ -99201,8 +99237,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml" ], "tags": [ @@ -99513,8 +99549,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://blog.aquasec.com/container-security-tnt-container-attack", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", + "https://blog.aquasec.com/container-security-tnt-container-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml" ], "tags": [ @@ -99547,9 +99583,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/1/import", "https://imagemagick.org/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://linux.die.net/man/1/import", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ @@ -99582,9 +99618,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", - "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", "https://access.redhat.com/articles/4409591#audit-record-types-2", + "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ @@ -99651,8 +99687,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://objective-see.org/blog/blog_0x68.html", "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", + "https://objective-see.org/blog/blog_0x68.html", "https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml" ], @@ -100081,9 +100117,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", "https://linux.die.net/man/8/insmod", "https://man7.org/linux/man-pages/man8/kmod.8.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" ], "tags": [ @@ -100216,10 +100252,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence", "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content", - "https://regex101.com/r/RugQYK/1", "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf", + "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence", + "https://regex101.com/r/RugQYK/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml" ], "tags": [ @@ -100285,8 +100321,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", + "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml" ], "tags": [ @@ -100345,8 +100381,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml" ], "tags": [ @@ -100369,8 +100405,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", + "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml" ], "tags": [ @@ -100600,8 +100636,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/nice/#shell", + "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml" ], "tags": [ @@ -100709,8 +100745,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", "https://attack.mitre.org/techniques/T1548/001/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" ], "tags": [ @@ -100743,9 +100779,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml" ], @@ -100864,8 +100900,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/projectdiscovery/naabu", "https://github.com/Tib3rius/AutoRecon", + "https://github.com/projectdiscovery/naabu", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml" ], @@ -101033,9 +101069,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://linux.die.net/man/1/bash", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml" ], "tags": [ @@ -101124,9 +101160,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml" ], @@ -101219,8 +101255,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml" ], "tags": [ @@ -101288,8 +101324,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml" ], "tags": [ @@ -101421,10 +101457,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", + "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml" ], "tags": [ @@ -101541,9 +101577,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml" ], @@ -101568,8 +101604,8 @@ "logsource.product": "linux", "refs": [ "https://github.com/diego-treitos/linux-smart-enumeration", - "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/carlospolop/PEASS-ng", + "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], "tags": [ @@ -101626,9 +101662,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml" ], @@ -101662,8 +101698,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/ssh/", + "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml" ], "tags": [ @@ -101729,10 +101765,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", + "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml" ], "tags": [ @@ -101755,8 +101791,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", "https://github.com/apache/spark/pull/36315/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" ], @@ -101791,9 +101827,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", - "https://access.redhat.com/security/cve/cve-2019-14287", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], "tags": [ @@ -101869,8 +101905,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml" ], @@ -101937,9 +101973,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", - "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml" ], "tags": [ @@ -102006,8 +102042,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml" ], "tags": [ @@ -102040,10 +102076,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxize.com/post/how-to-delete-group-in-linux/", + "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://linux.die.net/man/8/groupdel", - "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], "tags": [ @@ -102099,10 +102135,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxize.com/post/how-to-delete-group-in-linux/", + "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://linux.die.net/man/8/userdel", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", - "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], "tags": [ @@ -102135,9 +102171,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml" ], @@ -102161,8 +102197,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/find/#shell", + "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml" ], "tags": [ @@ -102229,8 +102265,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml" ], "tags": [ @@ -102263,9 +102299,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html", "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", + "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml" ], "tags": [ @@ -102306,15 +102342,15 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/pathtofile/bad-bpf", - "https://github.com/1N3/Sn1per", - "https://github.com/Pennyw0rth/NetExec/", - "https://github.com/t3l3machus/Villain", "https://github.com/t3l3machus/hoaxshell", - "https://github.com/HavocFramework/Havoc", - "https://github.com/Ne0nd0g/merlin", + "https://github.com/t3l3machus/Villain", "https://github.com/carlospolop/PEASS-ng", + "https://github.com/Ne0nd0g/merlin", + "https://github.com/pathtofile/bad-bpf", + "https://github.com/Pennyw0rth/NetExec/", + "https://github.com/1N3/Sn1per", "https://github.com/Gui774ume/ebpfkit", + "https://github.com/HavocFramework/Havoc", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml" ], "tags": [ @@ -102381,8 +102417,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/flock/#shell", + "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml" ], "tags": [ @@ -102448,8 +102484,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" ], @@ -102483,8 +102519,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml" ], "tags": [ @@ -102507,8 +102543,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" ], "tags": [ @@ -102583,8 +102619,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://research.splunk.com/endpoint/linux_doas_tool_execution/", "https://www.makeuseof.com/how-to-install-and-use-doas/", + "https://research.splunk.com/endpoint/linux_doas_tool_execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" ], "tags": [ @@ -102652,8 +102688,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml" ], "tags": [ @@ -102709,10 +102745,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/gcc/#shell", "https://gtfobins.github.io/gtfobins/c89/#shell", "https://gtfobins.github.io/gtfobins/c99/#shell", + "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml" ], "tags": [ @@ -102813,9 +102849,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://gtfobins.github.io/gtfobins/rvim/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/vimdiff/", - "https://gtfobins.github.io/gtfobins/rvim/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml" ], "tags": [ @@ -102848,11 +102884,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", - "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", "https://curl.se/docs/manpage.html", "https://twitter.com/d1r4c/status/1279042657508081664", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ @@ -102992,8 +103028,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml" ], "tags": [ @@ -103017,8 +103053,8 @@ "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/nohup/", - "https://www.computerhope.com/unix/unohup.htm", "https://en.wikipedia.org/wiki/Nohup", + "https://www.computerhope.com/unix/unohup.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], "tags": [ @@ -103204,8 +103240,8 @@ "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html", - "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", + "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml" ], "tags": [ @@ -103281,10 +103317,10 @@ "logsource.product": "linux", "refs": [ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.revshells.com/", - "https://man7.org/linux/man-pages/man1/ncat.1.html", "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", + "https://www.revshells.com/", "https://www.infosecademy.com/netcat-reverse-shells/", + "https://man7.org/linux/man-pages/man1/ncat.1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml" ], "tags": [ @@ -103516,9 +103552,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" ], @@ -103576,8 +103612,8 @@ "logsource.product": "linux", "refs": [ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", - "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", "https://bpftrace.org/", + "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml" ], "tags": [ @@ -103668,9 +103704,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" ], @@ -103704,9 +103740,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", - "https://blogs.blackberry.com/", "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", + "https://blogs.blackberry.com/", + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" ], "tags": [ @@ -103806,10 +103842,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://sysdig.com/blog/mitre-defense-evasion-falco", - "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", "https://linuxhint.com/uninstall-debian-packages/", + "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://linuxhint.com/uninstall_yum_package/", + "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml" ], "tags": [ @@ -103967,8 +104003,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh", "https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/", + "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml" ], "tags": [ @@ -104227,11 +104263,11 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ + "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", + "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html", + "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team", "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html", "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections", - "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html", - "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", - "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml" ], "tags": [ @@ -104298,9 +104334,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://book.hacktricks.xyz/shells/shells/linux", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", + "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ @@ -104323,8 +104359,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://redcanary.com/blog/ebpf-malware/", "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", + "https://redcanary.com/blog/ebpf-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml" ], "tags": [ @@ -104447,10 +104483,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "https://artkond.com/2017/03/23/pivoting-guide/", "http://pastebin.com/FtygZ1cg", "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -104506,9 +104542,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", "https://linux.die.net/man/8/useradd", "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", - "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml" ], "tags": [ @@ -104683,9 +104719,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics", "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", + "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" ], "tags": [ @@ -104718,8 +104754,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", "https://github.com/Immersive-Labs-Sec/nimbuspwn", + "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" ], "tags": [ @@ -104875,9 +104911,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", - "https://access.redhat.com/security/cve/cve-2019-14287", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], "tags": [ @@ -105051,8 +105087,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", + "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml" ], "tags": [ @@ -105139,5 +105175,5 @@ "value": "Modifying Crontab" } ], - "version": 20240919 + "version": 20241003 } From 59a0d9a986e3d190125357cd9df28234c7f95aeb Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 3 Oct 2024 08:40:13 +0200 Subject: [PATCH 23/42] chg: [tidal] updated to the latest version --- README.md | 8 +- clusters/tidal-campaigns.json | 204 +- clusters/tidal-groups.json | 932 +++--- clusters/tidal-references.json | 2534 +++++++++------ clusters/tidal-software.json | 5238 +++++++++++--------------------- 5 files changed, 3982 insertions(+), 4934 deletions(-) diff --git a/README.md b/README.md index 71ff208b..ab7a653c 100644 --- a/README.md +++ b/README.md @@ -607,7 +607,7 @@ Category: *actor* - source: *MISP Project* - total: *738* elements [Tidal Campaigns](https://www.misp-galaxy.org/tidal-campaigns) - Tidal Campaigns Cluster -Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *78* elements +Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *83* elements [[HTML](https://www.misp-galaxy.org/tidal-campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)] @@ -615,7 +615,7 @@ Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns [Tidal Groups](https://www.misp-galaxy.org/tidal-groups) - Tidal Groups Galaxy -Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *200* elements +Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *206* elements [[HTML](https://www.misp-galaxy.org/tidal-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)] @@ -623,7 +623,7 @@ Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/group [Tidal References](https://www.misp-galaxy.org/tidal-references) - Tidal References Cluster -Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4309* elements +Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4349* elements [[HTML](https://www.misp-galaxy.org/tidal-references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)] @@ -631,7 +631,7 @@ Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/referenc [Tidal Software](https://www.misp-galaxy.org/tidal-software) - Tidal Software Cluster -Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1014* elements +Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1053* elements [[HTML](https://www.misp-galaxy.org/tidal-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)] diff --git a/clusters/tidal-campaigns.json b/clusters/tidal-campaigns.json index 996d30a7..80be3e5a 100644 --- a/clusters/tidal-campaigns.json +++ b/clusters/tidal-campaigns.json @@ -57,7 +57,7 @@ { "description": "In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]\n\nThe Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)][[Cisco Talos Blog December 08 2022](/references/bcf92374-48a3-480f-a679-9fd34b67bcdd)]\n\n**Related Vulnerabilities**: CVE-2022-31199[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]", "meta": { - "campaign_attack_id": "C5000", + "campaign_attack_id": "C3003", "first_seen": "2022-08-01T00:00:00Z", "last_seen": "2023-05-31T00:00:00Z", "owner": "TidalCyberIan", @@ -75,7 +75,7 @@ { "description": "In August 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Norwegian National Cyber Security Centre (NCSC-NO) authorities released Cybersecurity Advisory AA23-213A, which detailed observed exploitation of two vulnerabilities, CVE-2023-35078 and CVE-2023-35081, affecting Ivanti Endpoint Manager Mobile (EPMM), a solution which provides elevated access to an organization's mobile devices. According to the Advisory, authorities observed unspecified advanced persistent threat (APT) actors exploiting CVE-2023-35078 as a zero-day from at least April 2023 in order to gather information from unspecified organizations in Norway, and to gain initial access to a Norwegian government agency.\n\nIvanti released a CVE-2023-35078 patch on July 23, but then determined that CVE-2023-35081 could be chained together with the first vulnerability, a process which can enable arbitrary upload and execution of actor files, such as web shells. Ivanti released a CVE-2023-35081 patch on July 28. The Advisory provided mitigation recommendations, vulnerability and compromise identification methods, and incident response guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a).[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]\n\n**Related Vulnerabilities**: CVE-2023-35078[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)], CVE-2023-35081[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]", "meta": { - "campaign_attack_id": "C5004", + "campaign_attack_id": "C3007", "first_seen": "2023-04-01T00:00:00Z", "last_seen": "2023-07-28T00:00:00Z", "owner": "TidalCyberIan", @@ -95,7 +95,7 @@ { "description": "In September 2023, U.S. cybersecurity authorities released Cybersecurity Advisory AA23-250A, which detailed multiple intrusions in early 2023 involving an aeronautical sector organization and attributed to multiple unspecified “nation-state advanced persistent threat (APT) actors”. As early as January, one set of actors exploited CVE-2022-47966, a vulnerability in the Zoho ManageEngine ServiceDesk Plus IT service management application that allows remote code execution, to access the organization’s public-facing web servers. A separate set of actors was also observed exploiting CVE-2022-42475, a vulnerability in Fortinet, Inc.’s FortiOS SSL-VPN that also allows remote code execution, to gain access to the organization’s firewall devices.\n\nAfter gaining access, the actors downloaded malware, performed network discovery, collected administrator credentials, and moved laterally, but according to the advisory, unclear data storage records inhibited insight into whether any proprietary information was accessed, altered, or exfiltrated. A common behavior among both sets of actors was log deletion from critical servers and the use of disabled, legitimate administrator credentials, which in one case belonged to a previously employed contractor (the organization confirmed the credentials were disabled before the observed threat activity).[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]\n\nIn addition to behavioral observations and indicators of compromise, the Advisory provided detection and mitigation guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a).\n\n**Related Vulnerabilities**: CVE-2022-47966, CVE-2022-42475, CVE-2021-44228[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]", "meta": { - "campaign_attack_id": "C5005", + "campaign_attack_id": "C3009", "first_seen": "2023-01-01T00:00:00Z", "last_seen": "2023-04-01T00:00:00Z", "owner": "TidalCyberIan", @@ -115,7 +115,7 @@ { "description": "AMBERSQUID is a \"cloud-native\" financially motivated threat operation that specifically leverages AWS services. Researchers estimated that AMBERSQUID cryptojacking activity could cost its victims more than $10,000 per day.[[Sysdig AMBERSQUID September 18 2023](/references/7ffa880f-5854-4b8a-83f5-da42c1c39345)]", "meta": { - "campaign_attack_id": "C5031", + "campaign_attack_id": "C3030", "first_seen": "2022-05-01T00:00:00Z", "last_seen": "2023-03-31T00:00:00Z", "owner": "TidalCyberIan", @@ -134,7 +134,7 @@ { "description": "In July 2024, U.S. cybersecurity authorities and international partners published Cybersecurity Advisory AA24-207A, which detailed North Korean state-sponsored cyber espionage activity likely intended to support the regime's military and nuclear development programs. The advisory focused on an actor group tracked as Andariel, Onyx Sleet, and APT45 and highlighted how this group has shifted from conducting destructive attacks to carrying out espionage operations that have been funded through ransomware. Where past destructive operations mainly targeted U.S. and South Korean entities, recent espionage attacks targeted various defense, aerospace, nuclear, and engineering organizations, while ransomware attacks targeted U.S. healthcare entities.\n\nAndariel actors gain initial access especially by exploiting software vulnerabilities, use widely available tools for discovery and privilege escalation, and leverage a wide range of custom as well as commodity malware. The advisory does not clearly identify the timeframe in which malicious activities were observed, although it discusses actors' exploits of vulnerabilities disclosed in 2017, 2019, and especially 2021, 2022, and 2023 and referenced public threat reporting published from March 2021 through May 2024.[[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]", "meta": { - "campaign_attack_id": "C5048", + "campaign_attack_id": "C3048", "first_seen": "2021-03-01T00:00:00Z", "last_seen": "2024-05-30T00:00:00Z", "owner": "TidalCyberIan", @@ -202,7 +202,7 @@ { "description": "Threat actors, believed to be associated with the FIN7 financially motivated adversary group, stood up malicious hosting websites impersonating prominent brands in the financial services, technology/SaaS, and media sectors, then used paid web search advertisements to direct victims to these sites. Victims were then tricked into downloading malicious binaries, which ultimately led to the ingress of the NetSupport RAT and/or DiceLoader (aka Lizar) malware (these latter tools are known to be used for a range of persistent access and malware ingress purposes).[[Esentire 5 8 2024](/references/67c3a7ed-e2e2-4566-aca7-61e766f177bf)]", "meta": { - "campaign_attack_id": "C5038", + "campaign_attack_id": "C3038", "first_seen": "2024-04-01T00:00:00Z", "last_seen": "2024-04-30T00:00:00Z", "owner": "TidalCyberIan", @@ -219,7 +219,7 @@ { "description": "In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.\n\nActors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]\n\nIn addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108).\n\n**Related Vulnerabilities**: CVE-2017-6742[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]", "meta": { - "campaign_attack_id": "C5007", + "campaign_attack_id": "C3008", "first_seen": "2021-01-01T00:00:00Z", "last_seen": "2021-12-31T00:00:00Z", "owner": "TidalCyberIan", @@ -236,7 +236,7 @@ { "description": "U.S. authorities and various international partners released joint cybersecurity advisory AA20-150A, which detailed a series of attacks linked to APT28 that leveraged compromised Ubiquiti EdgeRouters to facilitate the attacks. Actors used the network of compromised routers for a range of malicious activities, including harvesting credentials, proxying network traffic, and hosting fake landing pages and post-exploitation tools. Attacks targeted organizations in a wide range of sectors around the world.[[U.S. Federal Bureau of Investigation 2 27 2024](/references/962fb031-dfd1-43a7-8202-3a2231b0472b)] According to a separate U.S. Justice Department announcement, the botnet involved in these attacks differed from previous APT28-linked cases, since nation-state actors accessed routers that had been initially compromised by a separate, unspecified cybercriminal group.[[U.S. Justice Department GRU Botnet February 2024](/references/26a554dc-39c0-4638-902d-7e84fe01b961)]", "meta": { - "campaign_attack_id": "C5015", + "campaign_attack_id": "C3027", "first_seen": "2022-12-01T00:00:00Z", "last_seen": "2024-01-01T00:00:00Z", "owner": "TidalCyberIan", @@ -260,7 +260,7 @@ { "description": "UK cybersecurity authorities and international partners published Cybersecurity Advisory AA24-057A (February 2024), which detailed recent tactics, techniques, and procedures (TTPs) used by Russian state-backed adversary group APT29 to target cloud environments. The advisory indicated that as more government agencies and enterprises move elements of their operations to cloud infrastructure, APT29 actors have especially adapted their TTPs for gaining initial access into these cloud environments.[[U.S. CISA APT29 Cloud Access](/references/e9e08eca-1e01-4ff0-a8ef-49ecf66aaf3d)]", "meta": { - "campaign_attack_id": "C5016", + "campaign_attack_id": "C3028", "first_seen": "2023-02-26T00:00:00Z", "last_seen": "2024-02-26T00:00:00Z", "owner": "TidalCyberIan", @@ -277,7 +277,7 @@ { "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nIn December 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-347A, which detailed large-scale observed exploitation of CVE-2023-42793 since September 2023 by cyber threat actors associated with Russia’s Foreign Intelligence Service (SVR). According to the advisory, these actors are also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.\n\nCVE-2023-42793 is an authentication bypass vulnerability in the JetBrains TeamCity software development program. After exploiting the vulnerability to gain access into victim networks, SVR actors were then observed escalating privileges, moving laterally, and deploying additional backdoors in an apparent effort to maintain long-term persistent access to victim environments. The advisory noted how SVR actors used access gained during the 2020 compromise of SolarWinds, another software company, to conduct supply chain operations affecting SolarWinds customers, but it also noted that such activity has not been observed in this case to date.\n\nJetBrains released a patch for CVE-2023-42793 in September 2023. The advisory indicated that the compromises observed to date appear to be opportunistic, impacting unpatched, internet-accessible TeamCity servers. “A few dozen” compromised entities have been identified so far (companies in disparate sectors in the United States, Europe, Asia, and Australia), but authorities assess that this tally does not represent the full number of compromised victims. Indicators of compromise, mitigation guidance, and detection resources – including Sigma and YARA rules – can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a).[[U.S. CISA SVR TeamCity Exploits December 2023](/references/5f66f864-58c2-4b41-8011-61f954e04b7e)]", "meta": { - "campaign_attack_id": "C5012", + "campaign_attack_id": "C3017", "first_seen": "2023-09-01T00:00:00Z", "last_seen": "2023-12-14T00:00:00Z", "owner": "TidalCyberIan", @@ -294,7 +294,7 @@ { "description": "On July 8, 2024, international authorities published an advisory (CISA Alert AA24-190A) that detailed recent activity associated with APT40, a Chinese state-sponsored cyber espionage group. The advisory covers observed attacks on Australian organizations, but the group has been recently active elsewhere (Tidal metadata shows observed activity historically across East/Southeast Asia, the Middle East, Europe, and North America). The advisory emphasized that the recently published TTPs are relevant for defenders at organizations “globally”.\n\nThe advisory spotlighted the group's efforts to compromise outdated small-office/home-office (SOHO) routers via vulnerability exploits, using the routers as infrastructure to carry out further attacks. However, the advisory also summarized a range of other Techniques not previously associated with APT40, which were used at phases across the attack chain, including for persistence, credential access, lateral movement, collection, and exfiltration.[[U.S. CISA APT40 July 8 2024](/references/3bf90a48-caf6-4b9d-adc2-3d1176f49ffc)]", "meta": { - "campaign_attack_id": "C5047", + "campaign_attack_id": "C3047", "first_seen": "2022-04-01T00:00:00Z", "last_seen": "2022-09-30T00:00:00Z", "owner": "TidalCyberIan", @@ -325,7 +325,7 @@ { "description": "In July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]", "meta": { - "campaign_attack_id": "C5049", + "campaign_attack_id": "C3049", "first_seen": "2023-03-21T00:00:00Z", "last_seen": "2024-07-16T00:00:00Z", "owner": "TidalCyberIan", @@ -342,7 +342,7 @@ { "description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)] The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]", "meta": { - "campaign_attack_id": "C5019", + "campaign_attack_id": "C3036", "first_seen": "2023-11-01T00:00:00Z", "last_seen": "2024-02-29T00:00:00Z", "owner": "TidalCyberIan", @@ -365,7 +365,7 @@ { "description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker used exposed cloud credentials to gain access to an AWS environment and ultimately collect and exfiltrate data before deleting files and leaving a ransom note extorting the victim to recover the stolen data.[[Www.invictus-ir.com 1 11 2024](/references/5e2a0756-d8f6-4359-9ca3-1e96fb8b5ac9)]", "meta": { - "campaign_attack_id": "C5035", + "campaign_attack_id": "C3034", "first_seen": "2024-01-01T00:00:00Z", "last_seen": "2024-01-01T00:00:00Z", "owner": "TidalCyberIan", @@ -385,7 +385,7 @@ { "description": "Security researchers observed adversary activity that involved deployment of hundreds of AWS ECS Fargate clusters used to run XMRig cryptomining software. Researchers assessed that the activity was likely part of a wider campaign involving potentially hundreds of thousands of environments.[[Datadog ECS January 19 2024](/references/7e4e44a7-b079-41af-b41d-176ba7e99563)]", "meta": { - "campaign_attack_id": "C5032", + "campaign_attack_id": "C3031", "first_seen": "2023-12-01T00:00:00Z", "last_seen": "2024-01-19T00:00:00Z", "owner": "TidalCyberIan", @@ -404,7 +404,7 @@ { "description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker was able to steal AWS Lambda credentials, use them to execute various API calls and enumerate various cloud services, and ultimately perform a cloud-based phishing attack, which reportedly cost the target organization considerable financial damage.[[Unit 42 12 8 2022](/references/e7a4a0cf-ffa2-48cc-9b21-a2333592c773)]", "meta": { - "campaign_attack_id": "C5033", + "campaign_attack_id": "C3032", "first_seen": "2022-05-20T00:00:00Z", "last_seen": "2022-05-20T00:00:00Z", "owner": "TidalCyberIan", @@ -422,7 +422,7 @@ { "description": "Adversaries used email bombing and subsequent voice phishing to convince target users into granting the actors remote access to victim systems via legitimate tools including AnyDesk and the built-in Windows Quick Assist utility. The actors then used malicious remote access tools to access other assets within compromised environments, in some cases followed by deployment of Black Basta ransomware.[[Rapid7 Blog 5 10 2024](/references/ba749fe0-1ac7-4767-85df-97e6351c37f9)][[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]", "meta": { - "campaign_attack_id": "C5037", + "campaign_attack_id": "C3037", "first_seen": "2024-04-15T00:00:00Z", "last_seen": "2024-05-15T00:00:00Z", "owner": "TidalCyberIan", @@ -442,7 +442,7 @@ { "description": "This object represents observed pre-attack, initial access, execution, and other techniques used to distribute Bumblebee malware in 2023 and early 2024. Further background & contextual details can be found in the References tab below, and additional techniques associated with the technical mechanics of Bumblebee binaries can be found in the relevant Software object.", "meta": { - "campaign_attack_id": "C5029", + "campaign_attack_id": "C3025", "first_seen": "2023-03-01T00:00:00Z", "last_seen": "2024-02-01T00:00:00Z", "owner": "TidalCyberIan", @@ -592,7 +592,7 @@ { "description": "In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to \"CL0P Ransomware Gang, also known as TA505\", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see \"widespread exploitation of unpatched software services in both private and public networks\".[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)] Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]\n\n**Related Vulnerabilities**: CVE-2023-34362[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]", "meta": { - "campaign_attack_id": "C5002", + "campaign_attack_id": "C3005", "first_seen": "2023-05-27T00:00:00Z", "last_seen": "2023-06-16T00:00:00Z", "owner": "TidalCyberIan", @@ -610,7 +610,7 @@ { "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.", "meta": { - "campaign_attack_id": "C5026", + "campaign_attack_id": "C3022", "first_seen": "2023-11-14T00:00:00Z", "last_seen": "2023-11-24T00:00:00Z", "owner": "TidalCyberIan", @@ -625,6 +625,28 @@ "uuid": "bbbdc2a2-bd7e-4251-a064-b7f4997ac2a4", "value": "Cloudflare Thanksgiving 2023 security incident" }, + { + "description": "Actors deploying a variant of the Mirai botnet, known as Corona, were observed exploiting a zero-day vulnerability (CVE-2024-7029) to achieve initial infection of new devices with the botnet. The vulnerability enables remote code execution on affected devices (AVTECH closed-circuit television (CCTV) cameras), which actors abused to ingress their main payloads.[[Akamai Corona Zero-Day August 28 2024](/references/140284f8-075c-4225-99dd-519ba5cebabe)]", + "meta": { + "campaign_attack_id": "C3051", + "first_seen": "2024-03-18T00:00:00Z", + "last_seen": "2024-08-28T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "55cb344a-cbd5-4fd1-a1e9-30bbc956527e", + "f925e659-1120-4b76-92b6-071a7fb757d6", + "06236145-e9d6-461c-b7e4-284b3de5f561", + "a98d7a43-f227-478e-81de-e7299639a355", + "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "4f1823b1-80ad-4f5d-ba04-a4d4baf37e72", + "value": "Corona Mirai Botnet Zero-Day Exploit Campaign" + }, { "description": "[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]", "meta": { @@ -664,7 +686,7 @@ { "description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker gained initial access to an AWS environment using an \"accidentally exposed long term access key belonging to an IAM user\". The actor persisted for approximately a month and ultimately used their access to carry out limited cryptomining acitivty, conduct phishing and spam email attacks via AWS SES, and establish domains for further phishing/spam campaigns.[[Www.invictus-ir.com 1 31 2024](/references/803a084a-0468-4c43-9843-a0b5652acdba)]", "meta": { - "campaign_attack_id": "C5034", + "campaign_attack_id": "C3033", "first_seen": "2024-01-01T00:00:00Z", "last_seen": "2024-01-31T00:00:00Z", "owner": "TidalCyberIan", @@ -682,7 +704,7 @@ { "description": "German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]", "meta": { - "campaign_attack_id": "C5014", + "campaign_attack_id": "C3026", "first_seen": "2022-12-01T00:00:00Z", "last_seen": "2022-12-31T00:00:00Z", "owner": "TidalCyberIan", @@ -700,7 +722,7 @@ { "description": "In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.\n\nThe actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.\n\nAdditional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the [source report](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf).[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]", "meta": { - "campaign_attack_id": "C5006", + "campaign_attack_id": "C3010", "first_seen": "2023-03-01T00:00:00Z", "last_seen": "2023-03-31T00:00:00Z", "owner": "TidalCyberIan", @@ -745,7 +767,7 @@ { "description": "U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.\n\nActors then used \"living off the land\" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.[[FBI Social Engineering Attacks June 24 2024](/references/527ac41a-a65e-4cf9-a9c9-194443b37c5b)]", "meta": { - "campaign_attack_id": "C5042", + "campaign_attack_id": "C3042", "first_seen": "2023-08-01T00:00:00Z", "last_seen": "2024-06-24T00:00:00Z", "owner": "TidalCyberIan", @@ -762,7 +784,7 @@ { "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.", "meta": { - "campaign_attack_id": "C5025", + "campaign_attack_id": "C3021", "first_seen": "2023-05-01T00:00:00Z", "last_seen": "2023-12-12T00:00:00Z", "owner": "TidalCyberIan", @@ -780,7 +802,7 @@ { "description": "In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.\n\nAdditional details, including incident response guidance and relevant mitigations, can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a).[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]\n\n**Related Vulnerabilities**: CVE-2021-44228[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]", "meta": { - "campaign_attack_id": "C5008", + "campaign_attack_id": "C3012", "first_seen": "2022-06-15T00:00:00Z", "last_seen": "2022-07-15T00:00:00Z", "owner": "TidalCyberIan", @@ -797,7 +819,7 @@ { "description": "In November 2020, U.S. cybersecurity authorities released joint Cybersecurity Advisory AA20-304A, which detailed efforts by an unspecified Iranian advanced persistent threat (APT) actor to target U.S. state websites, including election-related sites, with the goal of obtaining voter registration data. The actors used a legitimate vulnerability scanner, Acunetix, to scan state election websites, and they attempted to exploit sites with directory traversal, SQL injection, and web shell upload attacks. Authorities confirmed the actors successfully obtained voter registration data in at least one state – after abusing a website misconfiguration, they used a cURL-based scripting tool to iterate through and retrieve voter records. Officials assessed that the actor behind the website attacks is responsible for mass dissemination of intimidation emails to U.S. citizens and a disinformation campaign featuring a U.S. election-related propaganda video in mid-October 2020. Authorities furthermore assessed that information obtained during the website attacks was featured in the propaganda video.[[U.S. CISA Iran Voter Data November 3 2020](/references/be89be75-c33f-4c58-8bf0-979c1debaad7)]", "meta": { - "campaign_attack_id": "C5010", + "campaign_attack_id": "C3014", "first_seen": "2020-09-20T00:00:00Z", "last_seen": "2020-10-20T00:00:00Z", "owner": "TidalCyberIan", @@ -810,7 +832,7 @@ { "description": "In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.\n\nThe actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.\n\nIn addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the source reports [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a) and [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a).\n\n**Related Vulnerabilities**: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105[[U.S. CISA IRGC Actors September 14 2022](/references/728b20b0-f702-4dbe-afea-50270648a3a2)], CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591[[U.S. CISA Iranian Government Actors November 19 2021](/references/d7014279-bc6a-43d4-953a-a6bc1d97a13b)]", "meta": { - "campaign_attack_id": "C5009", + "campaign_attack_id": "C3013", "first_seen": "2021-03-01T00:00:00Z", "last_seen": "2022-09-14T00:00:00Z", "owner": "TidalCyberIan", @@ -865,7 +887,7 @@ { "description": "JOKERSPY (aka REF9134) was an intrusion involving a Python-based backdoor, which was used to deploy a malicious macOS-based enumeration tool called Swiftbelt and other open-source tools.[[elastic.co 6 21 2023](/references/42c40ec8-f46a-48fa-bd97-818e3d3d320e)]", "meta": { - "campaign_attack_id": "C5036", + "campaign_attack_id": "C3035", "first_seen": "2023-05-31T00:00:00Z", "last_seen": "2023-06-01T00:00:00Z", "owner": "TidalCyberIan", @@ -882,7 +904,7 @@ { "description": "In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller (\"ADC\") and NetScaler Gateway appliances. According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)] Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.[[Citrix Bulletin CVE-2023-3519](/references/245ef1b7-778d-4df2-99a9-b51c95c57580)]\n\nAfter achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. The web shell enabled subsequent information discovery on the victim's Active Directory (\"AD\"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segementation controls for the ADC appliance blocked this attempted activity.[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)] Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is \"consistent with previous operations by China-nexus actors\".[[Mandiant CVE-2023-3519 Exploitation](/references/4404ed65-3020-453d-8c51-2885018ba03b)]\n\n**Related Vulnerabilities**: CVE-2023-3519[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]", "meta": { - "campaign_attack_id": "C5001", + "campaign_attack_id": "C3004", "first_seen": "2023-06-01T00:00:00Z", "last_seen": "2023-06-30T00:00:00Z", "owner": "TidalCyberIan", @@ -900,7 +922,7 @@ { "description": "In November 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-325A, which detailed observed exploitation of CVE-2023-4966 (known colloquially as the “Citrix Bleed” vulnerability) by threat actors believed to be affiliated with the LockBit ransomware operation.\n\nCitrix Bleed is a vulnerability in Citrix NetScaler web application delivery control (“ADC”) and NetScaler Gateway appliances, which allows adversaries to bypass password requirements and multifactor authentication, enabling hijacking of legitimate user sessions and subsequent credential harvesting, lateral movement, and data or resource access. Authorities indicated that they expected “widespread” Citrix Bleed exploitation on unpatched services due to the ease of carrying out the exploit.\n\nAfter successful Citrix Bleed exploitation, LockBit affiliates were observed using a variety of follow-on TTPs and using a range of software, including abuse of native utilities and popular legitimate remote management and monitoring (“RMM”) tools. Indicators of compromise associated with recent intrusions and further incident response and mitigation guidance can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a).[[U.S. CISA LockBit Citrix Bleed November 21 2023](/references/21f56e0c-9605-4fbb-9cb1-f868ba6eb053)] Public reporting suggested that actors associated with the Medusa and Qilin ransomware operations, plus other unknown ransomware and uncategorized actors, had also exploited Citrix Bleed as part of their operations.[[Malwarebytes Citrix Bleed November 24 2023](/references/fdc86cea-0015-48d1-934f-b22244de6306)][[Cybernews Yanfeng Qilin November 2023](/references/93c89ca5-1863-4ee2-9fff-258f94f655c4)]", "meta": { - "campaign_attack_id": "C5011", + "campaign_attack_id": "C3016", "first_seen": "2023-08-01T00:00:00Z", "last_seen": "2023-11-16T00:00:00Z", "owner": "TidalCyberIan", @@ -917,10 +939,27 @@ "uuid": "f4225d6a-8734-401f-aa2a-1a73c23b16e6", "value": "LockBit Affiliate Citrix Bleed Exploits" }, + { + "description": "Researchers discovered the existence of a newly identified red teaming framework used to generate attack payloads, called \"MacroPack\". The framework was used to deploy the Brute Ratel and Havoc post-exploitation frameworks and the PhantomCore remote access trojan. In addition to red teaming applications, researchers assessed that MacroPack is also being abused by threat actors.[[Cisco Talos Blog September 3 2024](/references/b222cabd-347d-45d4-aeaf-4135795d944d)]", + "meta": { + "campaign_attack_id": "C3052", + "first_seen": "2024-05-01T00:00:00Z", + "last_seen": "2024-07-01T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "2229e945-ec3d-4e20-ad4a-bd12741a6724", + "value": "MacroPack Payload Delivery Activity" + }, { "description": "The DFIR Report researchers reported about activity taking place in May 2023, which saw an adversary, attributed to FIN11 and Lace Tempest, achieve initial access into a victim environment via a spearphishing email, leading to the download of Truebot malware. Several other tools and malware were then subsequently used to move laterally, discover and collect victim information, exfiltrate it, and ultimately deploy a wiper. These included: FlawedGrace, Cobalt Strike, Impacket, various native utilities, and MBR Killer. In total, the activity lasted for 29 hours.[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]", "meta": { - "campaign_attack_id": "C5021", + "campaign_attack_id": "C3002", "first_seen": "2023-05-01T00:00:00Z", "last_seen": "2023-05-31T00:00:00Z", "owner": "TidalCyberIan", @@ -937,7 +976,7 @@ { "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.", "meta": { - "campaign_attack_id": "C5027", + "campaign_attack_id": "C3023", "first_seen": "2023-11-30T00:00:00Z", "last_seen": "2024-01-12T00:00:00Z", "owner": "TidalCyberIan", @@ -955,7 +994,7 @@ { "description": "Researchers observed a campaign that took place in the latter half of 2021, apparently directed at individuals representing financial and political figures in Palestine and Tukery, that used malicious, macro-based Microsoft Office files to compromise victim systems with the aim of installing a .NET-based backdoor tool. Researchers attributed the activity to the Molerats APT group.[[Zscaler Molerats Campaign](/references/3b39e73e-229f-4ff4-bec3-d83e6364a66e)]", "meta": { - "campaign_attack_id": "C5022", + "campaign_attack_id": "C3011", "first_seen": "2021-07-01T00:00:00Z", "last_seen": "2021-12-01T00:00:00Z", "owner": "TidalCyberIan", @@ -972,7 +1011,7 @@ { "description": "This object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]", "meta": { - "campaign_attack_id": "C5039", + "campaign_attack_id": "C3039", "first_seen": "2023-08-01T00:00:00Z", "last_seen": "2024-05-28T00:00:00Z", "owner": "TidalCyberIan", @@ -1001,7 +1040,7 @@ { "description": "According to details published by Okta Security, threat actors gained unauthorized access to Okta’s customer support management system from September 28 to October 17, 2023. Initial access to the system was believed to have been achieved after an employee signed into a personal cloud account on their Okta-managed laptop and saved the legitimate credentials for an Okta service account into that cloud profile. Okta Security believes the personal cloud account was most likely compromised (through unspecified means), exposing the Okta service account credentials.\n\nAfter gaining access to the Okta customer support management system using the valid service account credentials, the threat actor accessed HTTP Archive (HAR) files provided by Okta customers, which can contain cookies and session tokens. Okta indicated that the threat actor used session tokens compromised during the incident to hijack the legitimate Okta sessions of at least five customers. The threat actor is also believed to have run and downloaded a report that contained the names and email addresses of all Okta customer support system users. Considering that customers’ names and email addresses were downloaded, Okta Security indicated that they assessed there is an increased risk of phishing and social engineering attacks directed at those users following the incident.[[Okta HAR Files Incident Notice](/references/14855034-494e-477d-8c91-fc534fd7790d)][[Okta HAR Files RCA](/references/742d095c-9bd1-4f4a-8bc6-16db6d15a9f4)][[Okta HAR Files Incident Update](/references/5e09ab9c-8cb2-49f5-b65f-fd5447e71ef4)]", "meta": { - "campaign_attack_id": "C5023", + "campaign_attack_id": "C3018", "first_seen": "2023-09-28T00:00:00Z", "last_seen": "2023-10-17T00:00:00Z", "owner": "TidalCyberIan", @@ -1019,7 +1058,7 @@ { "description": "\"Operation Bearded Barbie\" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially \"high-profile\" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]", "meta": { - "campaign_attack_id": "C5018", + "campaign_attack_id": "C3015", "first_seen": "2022-03-01T00:00:00Z", "last_seen": "2022-04-01T00:00:00Z", "owner": "TidalCyberIan", @@ -1096,7 +1135,7 @@ { "description": "Operation In(ter)ception refers to a series of threat activities attributed to Lazarus Group dating back to at least late 2019. Operation In(ter)ception campaigns are considered a sub-component of broader Lazarus Group espionage activities known as Operation Dream Job. Operation In(ter)ception attacks typically feature social engineering lures containing fake job vacany announcements for cryptocurrency companies. They are designed to ultimately infect targets with macOS malware.[[SentinelOne 9 26 2022](/references/973a110c-f1cd-46cd-b92b-5c7d8e7492b1)]", "meta": { - "campaign_attack_id": "C5040", + "campaign_attack_id": "C3040", "first_seen": "2019-12-01T00:00:00Z", "last_seen": "2022-09-26T00:00:00Z", "owner": "TidalCyberIan", @@ -1149,7 +1188,7 @@ { "description": "In May 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) authorities released Cybersecurity Advisory AA23-131A, which detailed observed exploits of a vulnerability, CVE-2023-27350, affecting certain versions of PaperCut NG and PaperCut MF, software applications for print management. PaperCut released a patch for the vulnerability in March 2023.[[PaperCut MF/NG vulnerability bulletin](/references/d6e71b45-fc91-40f4-8201-2186994ae42a)] According to the Advisory, authorities observed unspecified threat actors exploiting the vulnerability in mid-April 2023, followed by exploitation by the self-identified Bl00dy Ransomware Gang the following month.[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]\n\nCVE-2023-27350 allows a remote actor to bypass authentication and remotely execute code on servers running affected versions of PaperCut software. In May, U.S. authorities observed Bl00dy Ransomware Gang actors exploiting the vulnerability to achieve initial access into education sector entities' networks and ingressing both legitimate remote management and maintenance (RMM) tools and several other command and control-related malware, including Lizar, Truebot, and Cobalt Strike. In some cases, the actors ultimately exfiltrated victim data and encrypted files, demanding payment in order to decrypt affected systems (the Advisory did not indicate how precisely actors encrypted data). The Advisory indicated that the \"Education Facilities Subsector\" maintains nearly 70% of exposed (but not necessarily vulnerable) U.S.-based PaperCut servers.[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]\n\nThe Advisory instructed defenders to focus CVE-2023-27350 detection efforts on three areas: network traffic signatures, system monitoring, and server settings and log files. More details and resources for detection can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a).\n\n**Related Vulnerabilities**: CVE-2023-27350[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]", "meta": { - "campaign_attack_id": "C5003", + "campaign_attack_id": "C3006", "first_seen": "2023-04-15T00:00:00Z", "last_seen": "2023-05-30T00:00:00Z", "owner": "TidalCyberIan", @@ -1169,7 +1208,7 @@ { "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nThis is a single object to represent the initial access and delivery methods observed with Pikabot distribution in the first year after its discovery. Distribution campaigns have been linked to the TA577 threat actor (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike)[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)][[Unit42 Malware Roundup December 29 2023](/references/a18e19b5-9046-4c2c-bd94-2cd5061064bf)]; however, the Technique- and Procedure level intelligence associated with these campaigns that is provided below was not explicitly linked to that group, so we are providing this intelligence to users in this Campaign form. The Water Curupira intrusion set (affiliated with the Black Basta ransomware operation) has also been observed distributing Pikabot.[[Trend Micro Pikabot January 9 2024](/references/dc7d882b-4e83-42da-8e2f-f557b675930a)]", "meta": { - "campaign_attack_id": "C5013", + "campaign_attack_id": "C3019", "first_seen": "2023-02-01T00:00:00Z", "last_seen": "2023-12-31T00:00:00Z", "owner": "TidalCyberIan", @@ -1186,7 +1225,7 @@ { "description": "Researchers observed a campaign, with activity occurring between March and at least June 2024, where multiple discrete threat actor clusters used similar social engineering techniques to trick users into copying and executing PowerShell scripts, which ultimately led to malware deployment on the victim's system. Payloads included droppers, RATs, and information stealer malware.\n\nInitial contact with the victim occurred through both malspam email campaigns and web browser injects, which would trigger a popup claiming an error occurred when trying to open a document or webpage. The popup would prompt the user to run a script in the PowerShell terminal or Windows Run dialog box. Researchers attributed these campaigns to TA571, an initial access broker, a known intrusion set (ClearFake), and a newer group dubbed ClickFix.[[Proofpoint June 17 2024](/references/a65d7492-04a4-46d4-85ed-134786c6828b)][[BleepingComputer Fake Chrome Errors June 17 2024](/references/6efa70e3-d8eb-4260-b0ab-62335681e6fd)]", "meta": { - "campaign_attack_id": "C5045", + "campaign_attack_id": "C3045", "first_seen": "2024-03-01T00:00:00Z", "last_seen": "2024-06-07T00:00:00Z", "owner": "TidalCyberIan", @@ -1203,7 +1242,7 @@ { "description": "A collections of TTPs associated with a phishing-based campaign that resulted in QakBot deployments. The campaign comes about four months after the reported disruption of QakBot distribution networks in an international law enforcement operation.[[K7 QakBot Returns January 4 2024](/references/5cb5e645-b77b-4bd1-a742-c8f53f234713)]", "meta": { - "campaign_attack_id": "C5024", + "campaign_attack_id": "C3020", "first_seen": "2023-12-11T00:00:00Z", "last_seen": "2024-01-04T00:00:00Z", "owner": "TidalCyberIan", @@ -1221,7 +1260,7 @@ { "description": "Independent investigators reported details about a response to a compromise involving Quantum ransomware. The date of the attack was not disclosed, but the incident was reported in April 2022. IcedID was used to gain an initial foothold, Cobalt Strike and RDP were leveraged for lateral movement, and WMI and PsExec were used to deploy the ransomware payload. The incident was described as \"one of the fastest ransomware cases\" the investigators had handled, with domain-wide encryption occurring within four hours of initial access.[[The DFIR Report April 25 2022](/references/2e28c754-911a-4f08-a7bd-4580f5283571)]", "meta": { - "campaign_attack_id": "C5043", + "campaign_attack_id": "C3043", "first_seen": "2022-04-01T00:00:00Z", "last_seen": "2022-04-25T00:00:00Z", "owner": "TidalCyberIan", @@ -1240,7 +1279,7 @@ { "description": "Researchers have observed an evolution in Scattered Spider's/UNC3944's TTPs since the second half of 2023, with actors especially focusing on gaining wide access to victim SaaS environments for reconnaissance, data theft, and subsequent extortion purposes. This object reflects the MITRE ATT&CK® Techniques associated with this activity.[[Google Cloud June 13 2024](/references/161423a2-165d-448f-90e9-0c53e319a125)]\n\nNotable Techniques newly associated with Scattered Spider via this Campaign object include Forge Web Credentials: SAML Tokens (T1606.002), Impair Defenses: Disable or Modify Tools (T1562.001), Indicator Removal: Clear Windows Event Logs (T1070.001), Software Discovery: Security Software Discovery (T1518.001), and Pre-OS Boot: System Firmware (T1542.001).", "meta": { - "campaign_attack_id": "C5041", + "campaign_attack_id": "C3041", "first_seen": "2023-08-13T00:00:00Z", "last_seen": "2024-06-13T00:00:00Z", "owner": "TidalCyberIan", @@ -1258,7 +1297,7 @@ { "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to recently reported attacks that featured exploits of recently disclosed vulnerabilities in the ConnectWise ScreenConnect utility (CVE-2024-1709 and CVE-2024-1708, aka \"SlashAndGrab\"). Several of the observed attacks saw the ingress of various malicious tools, including suspected ransomware.\n\nFurther background & contextual details can be found in the References tab below.", "meta": { - "campaign_attack_id": "C5028", + "campaign_attack_id": "C3024", "first_seen": "2024-02-19T00:00:00Z", "last_seen": "2024-02-23T00:00:00Z", "owner": "TidalCyberIan", @@ -1296,7 +1335,7 @@ { "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.", "meta": { - "campaign_attack_id": "C5030", + "campaign_attack_id": "C3029", "first_seen": "2024-02-26T00:00:00Z", "last_seen": "2024-02-27T00:00:00Z", "owner": "TidalCyberIan", @@ -1325,10 +1364,38 @@ "uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b", "value": "Triton Safety Instrumented System Attack" }, + { + "description": "On September 5, 2024, international authorities published joint Cybersecurity Advisory AA24-249A, which detailed recent activity linked to cyber actors affiliated with the 161st Specialist Training Center (aka Unit 29155) of the Russian General Staff Main Intelligence Directorate (GRU), the foreign military intelligence agency of Russia's armed forces. The advisory highlighted Unit 29155 espionage, sabotage, and reputational cyber attacks carried out against targets around the world since 2020.\n\nWhile Unit 29155 had been previously linked to influence, interference, and physical sabotage operations, the advisory noted how the group has expanded its tradecraft to now include offensive cyber operations. The advisory indicated that several groups tracked by the cybersecurity community relate to Unit 29155 cyber actors but may not be directly synonyms with all parts of the Unit (or each other), including: Cadet Blizzard, DEV-0586, Ember Bear, Bleeding Bear, Frozenvista, UNC2589, and UAC-0056.[[U.S. CISA Unit 29155 September 5 2024](/references/9631a46d-3e0a-4f25-962b-0b2501c47926)]", + "meta": { + "campaign_attack_id": "C3053", + "first_seen": "2020-08-03T00:00:00Z", + "last_seen": "2024-09-05T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "5b8371c5-1173-4496-82c7-5f0433987e77", + "f18e6c1d-d2ee-4eda-8172-67dcbc4e59ed", + "9e4936f0-e3b7-4721-a638-58b2d093b2f2", + "1281067e-4a7e-4003-acf8-e436105bf395", + "7c67d99a-fc8a-4463-8f46-45e9a39fe6b0", + "fe28cf32-a15c-44cf-892c-faa0360d6109", + "15f2277a-a17e-4d85-8acd-480bf84f16b4" + ] + }, + "related": [], + "uuid": "5e1bc9d2-1f2e-4ba3-b6b8-8d4e1f635762", + "value": "Unit 29155 Russian Military Cyber Activity" + }, { "description": "Researchers observed suspected \"China-nexus\" actor Velvet Ant exploiting CVE-2024-20399 in Cisco Nexus network switch devices in order to upload and execute \"previously unknown custom malware\" on the devices' operating systems. Researchers first observed \"zero-day\" exploit activity in the wild at an undisclosed point \"during the past year\", and after they shared the findings, Cisco acknowledged the vulnerability in an advisory published on July 1, 2024.\n\nThe vulnerability's overall risk is mitigated by the fact that it requires valid administrator-level credentials and network access to the target switch for successful exploitation. However, researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\". This exploit campaign was discovered as part of a larger investigation into Velvet Ant, which was previously observed targeting F5 load balancer devices for persistence.[[The Hacker News Velvet Ant Cisco July 2 2024](/references/e3949201-c949-4126-9e02-34bfad4713c0)][[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]", "meta": { - "campaign_attack_id": "C5046", + "campaign_attack_id": "C3046", "first_seen": "2023-07-01T00:00:00Z", "last_seen": "2024-07-01T00:00:00Z", "owner": "TidalCyberIan", @@ -1348,7 +1415,7 @@ { "description": "This object reflects the tools & TTPs associated with a campaign attributed to Velvet Ant, a suspected \"China-nexus\" state-sponsored threat group. Researchers believe the actor managed to maintain extremely prolonged access to a victim network – residing and remaining active there for around three years – notably by abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as an internal command and control mechanism. Researchers assess the intrusion was carried out for espionage purposes.[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)][[BleepingComputer Velvet Ant June 17 2024](/references/70235e47-f8bb-4d16-9933-9f4923f08f5d)]", "meta": { - "campaign_attack_id": "C5044", + "campaign_attack_id": "C3044", "first_seen": "2020-12-01T00:00:00Z", "last_seen": "2023-12-01T00:00:00Z", "owner": "TidalCyberIan", @@ -1363,10 +1430,49 @@ "uuid": "b78565ce-8eec-49ad-b762-8d2107fa9ce7", "value": "Velvet Ant F5 BIG-IP Espionage Activity" }, + { + "description": "Void Banshee is an advanced persistent threat (APT) group identified by Trend Micro researchers, which is known to target victims in North America, Europe, and Southeast Asia for information theft and financial gain. In May 2024, researchers observed Void Banshee actors exploiting CVE-2024-38112, a remote code execution vulnerability in the \"MSHTML\" web browser software component. The vulnerability had not been previously disclosed, so the campaign was characterized as \"zero-day\" exploit activity. Actors delivered the Atlantida infostealer malware during the observed attacks.[[Trend Micro Void Banshee July 15 2024](/references/02c4dda2-3aae-43ec-9b14-df282b200def)]\n\nLater, researchers noted that Void Banshee also exploited a separate MSHTML-related vulnerability, CVE-2024-43461, as a zero-day during attacks culminating in Atlantida infostealer deployments.[[BleepingComputer Void Banshee September 16 2024](/references/2c9a2355-02c5-4718-ad6e-b2fac9ad4096)]", + "meta": { + "campaign_attack_id": "C3054", + "first_seen": "2024-05-15T00:00:00Z", + "last_seen": "2024-07-15T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "0281a78d-1eb1-4e10-9327-2032928e37d9", + "ff8a2e10-4bf7-45f0-954c-8847fdcb9612", + "a98d7a43-f227-478e-81de-e7299639a355", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "dbe34d5d-91b0-4a50-98c7-4e36ba0bcda6", + "value": "Void Banshee Zero-Day Exploit Activity" + }, + { + "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.", + "meta": { + "campaign_attack_id": "C3050", + "first_seen": "2024-08-05T00:00:00Z", + "last_seen": "2024-08-29T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", + "82009876-294a-4e06-8cfc-3236a429bda4", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "e740e392-98cb-428a-ab92-b0a4d1d546b7", + "value": "Voldemort Malware Delivery Campaign" + }, { "description": "A suspected affiliate of the Zloader operation carried out attacks mainly affecting financial institutions. Intrusions typically came via drive-by compromise and initiallly saw the installation of the Atera software, which was then used to load Zloader, and in some cases, Ursnif.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]", "meta": { - "campaign_attack_id": "C5020", + "campaign_attack_id": "C3001", "first_seen": "2020-10-01T00:00:00Z", "last_seen": "2022-04-13T00:00:00Z", "owner": "TidalCyberIan", diff --git a/clusters/tidal-groups.json b/clusters/tidal-groups.json index b3b46660..344c6f0a 100644 --- a/clusters/tidal-groups.json +++ b/clusters/tidal-groups.json @@ -12,7 +12,7 @@ { "description": "This object represents the behaviors associated with operators of 8Base ransomware, who may or may not operate as a cohesive unit. Behaviors associated with samples of 8Base ransomware are represented in the \"8Base Ransomware\" Software object.\n \nThe 8Base ransomware operation began claiming significant numbers of victims on its data leak site in June 2023, including organizations in a range of sectors. Researchers have observed considerable similarities between aspects of 8Base's operations and those of other ransomware groups, leading them to suspect that 8Base may be an evolution or offshoot of existing operations. The language in 8Base's ransom notes is similar to the language seen in RansomHouse's notes, and there is strong overlap between the code of Phobos ransomware and 8Base.[[VMWare 8Base June 28 2023](/references/573e9520-6181-4535-9ed3-2338688a8e9f)][[Acronis 8Base July 17 2023](/references/c9822477-1578-4068-9882-41e4d6eaee3f)]", "meta": { - "group_attack_id": "G5030", + "group_attack_id": "G3014", "observed_motivations": [ "Financial Gain" ], @@ -54,12 +54,7 @@ "Financial Services" ] }, - "related": [ - { - "dest-uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b", - "type": "similar" - } - ], + "related": [], "uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "value": "admin@338" }, @@ -100,6 +95,7 @@ ], "source": "MITRE", "tags": [ + "fde14c10-e749-4c04-b97f-1d9fbd6e72e7", "0580d361-b60b-4664-9b2e-6d737e495cc1", "9768aada-9d63-4d46-ab9f-d41b8c8e4010", "a159c91c-5258-49ea-af7d-e803008d97d3", @@ -114,6 +110,7 @@ "562e535e-19f5-4d6c-81ed-ce2aec544f09" ], "target_categories": [ + "Aerospace", "Agriculture", "Banks", "Construction", @@ -128,7 +125,8 @@ "Non Profit", "Retail", "Technology", - "Telecommunications" + "Telecommunications", + "Transportation" ] }, "related": [], @@ -310,7 +308,7 @@ { "description": "AnonGhost is an apparent hacktivist collective. In October 2023, following a series of air- and land-based attacks in the Gaza Strip, AnonGhost was one of several hacktivist groups that claimed responsibility for disruptive attacks against computer networks in Israel. Researchers indicated that they observed AnonGhost actors exploit an undisclosed API vulnerability in Red Alert, an application that provides warning of projectile attacks in Israel, using Python scripts to intercept web requests and send spam messages to the app's users.[[Group-IB Threat Intelligence Tweet October 9 2023](/references/2df546ed-6577-44b2-9b26-0a17c3622df7)]", "meta": { - "group_attack_id": "G5011", + "group_attack_id": "G3024", "observed_countries": [ "IL", "US" @@ -330,7 +328,7 @@ { "description": "Anonymous Sudan is an apparent hacktivist collective that has primarily used distributed denial of service (DDoS) and website defacement attacks in support of its ideology, which appears to largely align with Russian state interests. The group regularly cross-promotes communications with Killnet, another hacktivist group that appears to share similar ideologies and methods of operation.[[Flashpoint Anonymous Sudan Timeline](/references/2e7060d2-f7bc-457e-a2e6-12897d503ea6)] Researchers assess that the group is affiliated with neither the Anonymous hacktivist group nor Sudan.[[CyberCX Anonymous Sudan June 19 2023](/references/68ded9b7-3042-44e0-8bf7-cdba2174a3d8)]\n\nSince emerging in January 2023, Anonymous Sudan has claimed and is believed to be responsible for a considerable number of DDoS attacks affecting victims in a wide range of geographic locations and sectors.[[Flashpoint Anonymous Sudan Timeline](/references/2e7060d2-f7bc-457e-a2e6-12897d503ea6)] It claimed responsibility for a series of early June 2023 DDoS attacks that caused temporary interruptions to Microsoft Azure, Outlook, and OneDrive services. Microsoft security researchers attributed those attacks to the Storm-1359 group.[[The Hacker News Microsoft DDoS June 19 2023](/references/2ee27b55-b7a7-40a8-8c0b-5e28943cd273)][[Microsoft DDoS Attacks Response June 2023](/references/d64e941e-785b-4b23-a7d0-04f12024b033)] Like Killnet, Anonymous Sudan claimed responsibility for disruptive attacks against computer networks in Israel following a series of air- and land-based attacks in the Gaza Strip in October 2023.[[FalconFeedsio Tweet October 9 2023](/references/e9810a28-f060-468b-b4ea-ffed9403ae8b)]", "meta": { - "group_attack_id": "G5010", + "group_attack_id": "G3023", "observed_countries": [ "AU", "DK", @@ -419,12 +417,7 @@ "Transportation" ] }, - "related": [ - { - "dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be", - "type": "similar" - } - ], + "related": [], "uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "value": "APT1" }, @@ -466,12 +459,7 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "1f73e14f-b882-4032-a565-26dc653b0daf", - "type": "similar" - } - ], + "related": [], "uuid": "06a05175-0812-44f5-a529-30eba07d1762", "value": "APT16" }, @@ -503,12 +491,7 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", - "type": "similar" - } - ], + "related": [], "uuid": "5f083251-f5dc-459a-abfc-47a1aa7f5094", "value": "APT17" }, @@ -526,12 +509,7 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c", - "type": "similar" - } - ], + "related": [], "uuid": "a0c31021-b281-4c41-9855-436768299fe7", "value": "APT18" }, @@ -557,12 +535,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4", - "type": "similar" - } - ], + "related": [], "uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", "value": "APT19" }, @@ -570,7 +543,7 @@ "description": "APT20 is a suspected China-attributed espionage actor. It has attacked organizations in a wide range of verticals for data theft. These operations appear to be motivated by the acquisition of intellectual property but also collection of information around individuals with particular political interests.[[Mandiant APT Groups List](/references/c984fcfc-1bfd-4b1e-9034-a6ff3e6ebf97)] Researchers attributed, with medium confidence, the years-long Operation Wocao espionage campaign to APT20.[[FoxIT Wocao December 2019](/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]", "meta": { "country": "CN", - "group_attack_id": "G5006", + "group_attack_id": "G3020", "observed_countries": [ "BR", "CN", @@ -705,12 +678,7 @@ "Utilities" ] }, - "related": [ - { - "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", - "type": "similar" - } - ], + "related": [], "uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "value": "APT28" }, @@ -800,12 +768,7 @@ "Video Games" ] }, - "related": [ - { - "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", - "type": "similar" - } - ], + "related": [], "uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "value": "APT29" }, @@ -864,12 +827,7 @@ "Media" ] }, - "related": [ - { - "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", - "type": "similar" - } - ], + "related": [], "uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "value": "APT30" }, @@ -907,12 +865,7 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7", - "type": "similar" - } - ], + "related": [], "uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "value": "APT32" }, @@ -927,6 +880,7 @@ "IL", "KR", "SA", + "AE", "GB", "US" ], @@ -935,20 +889,23 @@ ], "source": "MITRE", "tags": [ + "cb5803f0-8ab4-4ada-8540-7758dfc126e2", + "0f1b7cb0-c4de-485e-8ff5-fe12ffccd738", + "dd24557e-a8e8-4202-872d-c2f411974cad", "c9c73000-30a5-4a16-8c8b-79169f9c24aa", "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" ], "target_categories": [ "Aerospace", - "Energy" + "Defense", + "Education", + "Energy", + "Government", + "Pharmaceuticals", + "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10", - "type": "similar" - } - ], + "related": [], "uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "value": "APT33" }, @@ -983,12 +940,7 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163", - "type": "similar" - } - ], + "related": [], "uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "value": "APT37" }, @@ -1054,12 +1006,7 @@ "Media" ] }, - "related": [ - { - "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", - "type": "similar" - } - ], + "related": [], "uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "value": "APT38" }, @@ -1078,6 +1025,9 @@ "AE", "US" ], + "observed_motivations": [ + "Cyber Espionage" + ], "source": "MITRE", "target_categories": [ "Education", @@ -1086,12 +1036,7 @@ "Travel Services" ] }, - "related": [ - { - "dest-uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b", - "type": "similar" - } - ], + "related": [], "uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "value": "APT39" }, @@ -1167,12 +1112,7 @@ "Video Games" ] }, - "related": [ - { - "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", - "type": "similar" - } - ], + "related": [], "uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "value": "APT41" }, @@ -1180,7 +1120,7 @@ "description": "APT42 is an Iranian state-sponsored espionage group believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO). APT42 primarily focuses on collecting information on and surveilling its targets, mainly individuals and organizations with strategic significance to Iran's government. The group's operations are characterized by targeted spear-phishing attacks and surveillance activity. Mandiant researchers acknowledged overlaps between APT42 and APT35, which both likely operate on behalf of the IRGC, but noted that the groups display \"substantial differences\" in targeting patterns and TTPs.[[Mandiant Crooked Charms August 12 2022](/references/53bab956-be5b-4d8d-b553-9926bc5d9fee)]", "meta": { "country": "IR", - "group_attack_id": "G5051", + "group_attack_id": "G3050", "observed_countries": [ "AU", "BG", @@ -1327,12 +1267,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", - "type": "similar" - } - ], + "related": [], "uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "value": "Axiom" }, @@ -1373,7 +1308,7 @@ { "description": "BianLian is an extortion-focused threat actor group. The group originally used double-extortion methods when it began its operations in June 2022, demanding payment in exchange for decrypting locked files while also threatening to leak exfiltrated data. U.S. & Australian cybersecurity officials observed BianLian actors shifting almost exclusively to exfiltration-focused extortion schemes in 2023.[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]\n\n**Related Vulnerabilities**: CVE-2020-1472[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)], CVE-2021-34473[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)], CVE-2021-34523[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)], CVE-2021-31207[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)]\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/BianLian", "meta": { - "group_attack_id": "G5000", + "group_attack_id": "G3002", "observed_countries": [ "AU", "CA", @@ -1438,7 +1373,7 @@ { "description": "Bl00dy self-identifies as a ransomware group. It gained attention in May 2023 for a series of data exfiltration and encryption attacks against education entities in the United States that featured exploit of vulnerabilities in PaperCut print management software, which is prevalent in the sector.[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]\n\n**Related Vulnerabilities**: CVE-2023-27350[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]", "meta": { - "group_attack_id": "G5002", + "group_attack_id": "G3010", "observed_countries": [ "US" ], @@ -1472,7 +1407,7 @@ { "description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Black Basta, a ransomware-as-a-service (RaaS) variant that researchers believe has been used since at least April 2022. Black Basta affiliates have attacked a very wide range of targets, including organizations in at least 12 out of 16 U.S. critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.[[U.S. CISA Black Basta May 10 2024](/references/10fed6c7-4d73-49cd-9170-3f67d06365ca)]\n\nSpecific pre- and post-exploit behaviors may vary among intrusions carried out by different Black Basta affiliates. TTPs associated with the Black Basta ransomware binary itself can be found in the separate dedicated Software object.", "meta": { - "group_attack_id": "G5023", + "group_attack_id": "G3037", "observed_countries": [ "AU", "AT", @@ -1522,7 +1457,7 @@ { "description": "This object represents the BlackCat/ALPHV Ransomware-as-a-Service (“RaaS”) apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.\n\nResearchers first observed BlackCat ransomware (AKA ALPHV or Noberus) in November 2021. An April 2022 U.S. FBI advisory linked BlackCat’s developers and money launderers to the defunct Blackmatter and Darkside ransomware operations (the latter was responsible for the major 2021 Colonial Pipeline incident).[[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)] As of September 2023, BlackCat is believed to be responsible for attacking organizations globally and in virtually every major sector, and it consistently claims some of the highest victim tallies of any RaaS. According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, BlackCat actors publicly claimed 233 victims in 2022, the third most of any ransomware operation in the dataset (considerably below Clop (558) but well above Hive (181)), and it already surpassed that number by July of 2023.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] Like many RaaS, BlackCat actors threaten to leak exfiltrated victim data, but they also threaten to carry out denial of service attacks if victims do not pay timely ransoms.[[BlackBerry BlackCat Threat Overview](/references/59f98ae1-c62d-460f-8d2a-9ae287b59953)]\n\nBlackCat developers have regularly evolved the namesake ransomware over time, and collaboration with affiliates means that a large number and variety of tools & TTPs are observed during intrusions involving BlackCat. BlackCat became the first prominent ransomware family to transition to the Rust programming language in 2022, which researchers assess provides greater customization and defense evasion capabilities and faster performance.[[X-Force BlackCat May 30 2023](/references/b80c1f70-9d05-4f4b-bdc2-6157c6837202)][[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)] A BlackCat variant named Sphynx emerged in early 2023, featuring multiple defense evasion-focused enhancements. In Q3 2023, public reports suggested that Scattered Spider (AKA 0ktapus or UNC3944), a group attributed to several prominent intrusions involving telecommunications, technology, and casino entities, had begun to use BlackCat/Sphynx ransomware during its operations.[[Caesars Scattered Spider September 13 2023](/references/6915c003-7c8b-451c-8fb1-3541f00c14fb)][[BushidoToken Scattered Spider August 16 2023](/references/621a8320-0e3c-444f-b82a-7fd4fdf9fb67)]", "meta": { - "group_attack_id": "G5005", + "group_attack_id": "G3019", "observed_countries": [ "AU", "AT", @@ -1639,19 +1574,14 @@ ], "source": "MITRE" }, - "related": [ - { - "dest-uuid": "8fbd195f-5e03-4e85-8ca5-4f1dff300bec", - "type": "similar" - } - ], + "related": [], "uuid": "428dc121-a593-4981-9127-f958ae0a0fdd", "value": "BlackOasis" }, { "description": "This object reflects the ATT&CK Techniques associated with threat actors who deploy BlackSuit, a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. authorities issued a warning for healthcare sector organizations due to the ransomware's suspected pedigree.[[HC3 Analyst Note BlackSuit Ransomware November 2023](/references/d956f0c6-d90e-49e8-a64c-a46bfc177cc6)] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\nATT&CK Techniques associated with the BlackSuit ransomware binary are tracked in a separate \"BlackSuit Ransomware\" Software object.", "meta": { - "group_attack_id": "G5048", + "group_attack_id": "G3047", "observed_countries": [ "AU", "BR", @@ -1731,12 +1661,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e", - "type": "similar" - } - ], + "related": [], "uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "value": "BlackTech" }, @@ -1780,19 +1705,14 @@ "Manufacturing" ] }, - "related": [ - { - "dest-uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8", - "type": "similar" - } - ], + "related": [], "uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "value": "BRONZE BUTLER" }, { "description": "This Group object reflects the tools & TTPs observed in use by threat actors known to deploy CACTUS, a ransomware that researchers believe has been used since at least March 2023.[[Kroll CACTUS Ransomware May 10 2023](/references/f50de2f6-465f-4cae-a79c-cc135ebfee4f)] Specific pre- and post-exploit behaviors may vary among intrusions carried out by distinct actors or actor clusters. TTPs associated with the CACTUS ransomware binary itself can be found in the separate dedicated Software object.", "meta": { - "group_attack_id": "G5035", + "group_attack_id": "G3030", "observed_countries": [ "AU", "BE", @@ -1814,6 +1734,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "0bcc4824-7e68-4aac-b883-935e62b5be39", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "3b615816-3403-46a4-bd7e-f7a723fc56da", "a2e000da-8181-4327-bacd-32013dbd3654", @@ -1877,15 +1798,33 @@ "Financial Services" ] }, - "related": [ - { - "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", - "type": "similar" - } - ], + "related": [], "uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "value": "Carbanak" }, + { + "description": "Charcoal Stork is a threat actor believed to provide content used to fuel malvertising and search engine optimization (SEO) operations, which affiliates ultimately use to deliver malware to victim systems. Charcoal Stork is thought to be financially motivated, operating on a pay-per-install basis.[[Red Canary March 18 2024](/references/a86131cd-1a42-4222-9d39-221dd6e054ba)]", + "meta": { + "group_attack_id": "G5022", + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Commercial", + "Healthcare", + "Manufacturing" + ] + }, + "related": [], + "uuid": "6d23e83f-fd4f-4802-bd01-daff7348741d", + "value": "Charcoal Stork" + }, { "description": "[Chimera](https://app.tidalcyber.com/groups/ca93af75-0ffa-4df4-b86a-92d4d50e496e) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.[[Cycraft Chimera April 2020](https://app.tidalcyber.com/references/a5a14a4e-2214-44ab-9067-75429409d744)][[NCC Group Chimera January 2021](https://app.tidalcyber.com/references/70c217c3-83a2-40f2-8f47-b68d8bd4cdf0)]", "meta": { @@ -1895,6 +1834,9 @@ "TW" ], "source": "MITRE", + "tags": [ + "ff873c9d-468f-46c4-a6ee-c8c707df0be7" + ], "target_categories": [ "Semi Conductors", "Travel Services" @@ -1904,6 +1846,35 @@ "uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "value": "Chimera" }, + { + "description": "A suspected ransomware-as-a-service (\"RaaS\") group first observed in June 2024, which extorts victims via traditional ransomware encryption and by threatening to leak allegedly exfiltrated data onto the web.[[Truesec AB August 30 2024](/references/de2de0a9-17d2-41c2-838b-7850762b80ae)]", + "meta": { + "group_attack_id": "G3051", + "observed_countries": [ + "GB", + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "a2e000da-8181-4327-bacd-32013dbd3654", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Manufacturing" + ] + }, + "related": [], + "uuid": "7a28cff6-80df-49e1-8457-a0305e736897", + "value": "Cicada3301 Ransomware Group" + }, { "description": "[Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) source code. [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) may be motivated by intellectual property theft or cyberespionage rather than financial gain.[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)][[Microsoft Threat Actor Naming July 2023](https://app.tidalcyber.com/references/78a8137d-694e-533d-aed3-6bd48fc0cd4a)][[Trend Micro Cheerscrypt May 2022](https://app.tidalcyber.com/references/ca7ccf2c-37f3-522a-acfb-09daa16e23d8)][[SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022](https://app.tidalcyber.com/references/0b275cf9-a885-58cc-b859-112090a711e3)]", "meta": { @@ -1952,12 +1923,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", - "type": "similar" - } - ], + "related": [], "uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "value": "Cleaver" }, @@ -1993,12 +1959,7 @@ "Financial Services" ] }, - "related": [ - { - "dest-uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe", - "type": "similar" - } - ], + "related": [], "uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "value": "Cobalt Group" }, @@ -2046,19 +2007,67 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae", - "type": "similar" - } - ], + "related": [], "uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "value": "CopyKittens" }, + { + "description": "CosmicBeetle is a threat actor, active since 2020, that has been associated with multiple ransomware families. Originally known for using a set of custom tools, including ScRansom (a successor to the \"Scarab\" encryptor), researchers reported in September 2024 that they observed a suspected CosmicBeetle attack that involved deployment of tools and malware associated with the RansomHub ransomware-as-a-service operation.[[WeLiveSecurity CosmicBeetle September 10 2024](/references/8debba29-4d6d-41d2-8772-f97c7d49056b)][[BleepingComputer NoName September 10 2024](/references/79752048-f2fd-4357-9e0a-15b9a2927852)]", + "meta": { + "group_attack_id": "G3053", + "observed_countries": [ + "AT", + "CZ", + "FR", + "GF", + "GE", + "GT", + "IN", + "PE", + "PL", + "ZA", + "ES", + "CH", + "TR" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "55ba9d29-7185-40eb-ba10-874cb3997a0f", + "793f4441-3916-4b3d-a3fd-686a59dc3de2", + "c40971d6-ad75-4b2d-be6c-5353c96a232d", + "3adcb409-166d-4465-ba1f-ddaecaff8282", + "33d22eff-59a1-47e0-b9eb-615dee314595", + "89c5b94b-ecf4-4d53-9b74-3465086d4565", + "09de661e-60c4-43fb-bfef-df017215d1d8", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Education", + "Financial Services", + "Government", + "Healthcare", + "Hospitality Leisure", + "Legal", + "Manufacturing", + "Pharmaceuticals", + "Technology" + ] + }, + "related": [], + "uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "value": "CosmicBeetle" + }, { "description": "A Group object to represent actors that deploy Cuba Ransomware in victim environments.[[U.S. CISA Cuba Ransomware October 2022](/references/d6ed5172-a319-45b0-b1cb-d270a2a48fa3)]", "meta": { - "group_attack_id": "G5026", + "group_attack_id": "G3008", "observed_motivations": [ "Financial Gain" ], @@ -2090,7 +2099,7 @@ "description": "The Cyber Army of Russia is a threat group that appears to carry out cyber attacks in line with Russian strategic interests. The group has claimed many distributed denial of service (DDoS) attacks against a variety of targets perceived as opposed to Russian interests. More recently, it has claimed disruptive industrial software-based attacks against water utilities in the United States, France, and Poland. Researchers link the Cyber Army of Russia to APT44 / Sandworm Team, although it remains unclear what level of direct support, if any, is provided by the latter group.[[Wired Cyber Army of Russia April 17 2024](/references/53583baf-4e09-4d19-9348-6110206b88be)][[Mandiant APT44 April 17 2024](/references/a64f689e-2bb4-4253-86cd-545e7f633a7e)]", "meta": { "country": "RU", - "group_attack_id": "G5038", + "group_attack_id": "G3035", "observed_countries": [ "FR", "PL", @@ -2124,7 +2133,7 @@ "description": "CyberAv3ngers is a cyber actor group that has claimed responsibility for numerous disruption-focused attacks against critical infrastructure organizations, including an oil refinery and electric utility in Israel and water/wastewater utilities in the United States. According to a joint advisory released by U.S. & Israeli cybersecurity authorities in December 2023, CyberAv3ngers (aka Cyber Av3ngers or Cyber Avengers) is a “cyber persona” of advanced persistent threat actors affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC). The advisory detailed how suspected CyberAv3ngers actors compromised programmable logic controller (PLC) devices that were exposed to the internet and used the vendor's default passwords and ports, leaving defacement images and possibly rendering the devices inoperable. The defacement messages suggested that the group or affiliates might carry out attacks against other technological equipment produced in or associated with Israel.[[U.S. CISA IRGC-Affiliated PLC Activity December 2023](/references/51a18523-5276-4a67-8644-2bc6997d043c)]", "meta": { "country": "IR", - "group_attack_id": "G5016", + "group_attack_id": "G3028", "observed_countries": [ "IL", "US" @@ -2152,7 +2161,7 @@ { "description": "Cyber Toufan is an apparently politically motivated, destruction-focused threat actor group that has predominantly targeted organizations based in or perceived to be aligned with Israel. Cyber Toufan publicizes many of their cyber operations and in some cases has leaked victim data allegedly exfiltrated during their attacks.[[SOCRadar Cyber Toufan Profile](/references/a9aa6361-8c4d-4456-bb3f-c64ca5260695)] Check Point researchers labeled Cyber Toufan as an \"Iranian-affiliated\", \"hacktivist proxy\" group.[[Check Point Iranian Proxies December 4 2023](/references/60432d84-8f46-4934-951f-df8e0f297ff0)]", "meta": { - "group_attack_id": "G5049", + "group_attack_id": "G3048", "observed_countries": [ "IL", "GB", @@ -2181,7 +2190,7 @@ { "description": "Daixin Team is a ransomware- and data extortion-focused threat group first observed in mid-2022. Daixin Team is known to publicly extort its victims to pressure them into paying a ransom. It has used ransomware (believed to be based on the leaked source code for Babuk Locker) to encrypt victim data and has also exfiltrated sensitive data from victim environments and threatened to publicly leak that data.\n\nMany of Daixin Team’s victims belong to critical infrastructure sectors, especially the Healthcare and Public Health (“HPH”) sector. An October 2022 joint Cybersecurity Advisory noted Daixin Team attacks on multiple U.S. HPH organizations.[[U.S. CISA Daixin Team October 2022](/references/cbf5ecfb-de79-41cc-8250-01790ff6e89b)] Alleged victims referenced on the threat group’s extortion website belong to the healthcare, utilities, transportation (airline), automobile manufacturing, information technology, retail, and media sectors in the United States, Europe, and Asia.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]", "meta": { - "group_attack_id": "G5015", + "group_attack_id": "G3007", "observed_countries": [ "CA", "DE", @@ -2248,12 +2257,7 @@ ], "source": "MITRE" }, - "related": [ - { - "dest-uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94", - "type": "similar" - } - ], + "related": [], "uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "value": "Dark Caracal" }, @@ -2287,12 +2291,7 @@ "Non Profit" ] }, - "related": [ - { - "dest-uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d", - "type": "similar" - } - ], + "related": [], "uuid": "efa1d922-8f48-43a6-89fe-237e1f3812c8", "value": "Darkhotel" }, @@ -2306,12 +2305,7 @@ "Government" ] }, - "related": [ - { - "dest-uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9", - "type": "similar" - } - ], + "related": [], "uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", "value": "DarkHydrus" }, @@ -2362,12 +2356,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4", - "type": "similar" - } - ], + "related": [], "uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "value": "Deep Panda" }, @@ -2407,12 +2396,7 @@ "Travel Services" ] }, - "related": [ - { - "dest-uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee", - "type": "similar" - } - ], + "related": [], "uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "value": "Dragonfly" }, @@ -2433,12 +2417,7 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", - "type": "similar" - } - ], + "related": [], "uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813", "value": "DragonOK" }, @@ -2479,19 +2458,14 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "da754aeb-a86d-4874-b388-d1d2028a56be", - "type": "similar" - } - ], + "related": [], "uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "value": "Elderwood" }, { "description": "This object reflects the ATT&CK Techniques associated with threat actors who deploy Eldorado, a ransomware-as-a-service (\"RaaS\") first advertised for sale on cybercrime forums in March 2024. Researchers assess that Eldorado is a \"unique\" ransomware strain that is likely not derived from previously leaked ransomware source code.[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)]\n\nWindows and Linux-focused versions of the ransomware are known to exist. (ATT&CK Techniques associated with these malware binaries are tracked in a separate \"Eldorado Ransomware\" Software object.)", "meta": { - "group_attack_id": "G5046", + "group_attack_id": "G3045", "observed_motivations": [ "Financial Gain" ], @@ -2576,12 +2550,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840", - "type": "similar" - } - ], + "related": [], "uuid": "a4704485-65b5-49ec-bebe-5cc932362dd2", "value": "Equation" }, @@ -2651,19 +2620,14 @@ "Mining" ] }, - "related": [ - { - "dest-uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79", - "type": "similar" - } - ], + "related": [], "uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533", "value": "FIN10" }, { "description": "FIN11 is a financially motivated adversary identified by Mandiant in 2020. Originally known for high-volume phishing campaigns leading to ransomware and data theft, the group more recently is known for carrying out wide-ranging exploitation of multiple vulnerabilities in 2023, including vulnerabilities affecting PaperCut print management software and MOVEit Transfer file transfer software to deliver Clop ransomware and for more general data theft, respectively, as well as GoAnywhere file transfer software exploits.[[Microsoft Threat Intelligence Tweet April 26 2023](/references/3b5a2349-e10c-422b-91e3-20e9033fdb60)][[Mandiant MOVEit Transfer June 2 2023](/references/232c7555-0483-4a57-88cb-71a990f7d683)]. Microsoft Threat Intelligence reports overlaps between FIN11 and Lace Tempest (DEV-0950), which it identifies as a Clop ransomware affiliate. The DFIR Report researchers attributed a May 2023 data theft and wiper campaign to FIN11 and Lace Tempest.[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]", "meta": { - "group_attack_id": "G5028", + "group_attack_id": "G3011", "observed_countries": [ "CA", "IN", @@ -2696,7 +2660,7 @@ { "description": "FIN12 is a financially motivated threat actor group believed to be responsible for multiple high-profile ransomware attacks since 2018. The group has attacked victims in various sectors and locations, including multiple attacks on healthcare entities. An October 2021 Mandiant assessment indicated 85% of the group's victims were U.S.-based, and the large majority of them were large enterprises with more than $300 million in annual revenue. The report also assessed that initial access brokers partnering with FIN12 target a wider range of organizations and allow FIN12 actors to select victims for further malicious activity.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)]\n\nFIN12's toolset has reportedly shifted over time. Cobalt Strike has been observed in most intrusions. While TrickBot and Empire were common post-exploitation tools historically, French authorities observed the group using SystemBC alongside Cobalt Strike during a March 2023 hospital center intrusion. Ryuk, and to a lesser degree Conti, were traditionally used ransomware payloads, with the former used in a series of attacks on U.S. healthcare entities in 2020. However, a French CERT assessment published in 2023 linked the group to multiple more recent incidents it investigated and analyzed, which featured deployment of various ransomware families, including Hive, Nokoyawa, Play, Royal, and BlackCat, along with Emotet and BazarLoader malware for initial footholds.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)][[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]", "meta": { - "group_attack_id": "G5008", + "group_attack_id": "G3005", "observed_countries": [ "AU", "CA", @@ -2773,12 +2737,7 @@ "Pharmaceuticals" ] }, - "related": [ - { - "dest-uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57", - "type": "similar" - } - ], + "related": [], "uuid": "4b6531dc-5b29-4577-8b54-fa99229ab0ca", "value": "FIN4" }, @@ -2795,12 +2754,7 @@ "Hospitality Leisure" ] }, - "related": [ - { - "dest-uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70", - "type": "similar" - } - ], + "related": [], "uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "value": "FIN5" }, @@ -2821,12 +2775,7 @@ "Retail" ] }, - "related": [ - { - "dest-uuid": "647894f6-1723-4cba-aba4-0ef0966d5302", - "type": "similar" - } - ], + "related": [], "uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "value": "FIN6" }, @@ -2880,12 +2829,7 @@ "Transportation" ] }, - "related": [ - { - "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", - "type": "similar" - } - ], + "related": [], "uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "value": "FIN7" }, @@ -2915,12 +2859,7 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73", - "type": "similar" - } - ], + "related": [], "uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "value": "FIN8" }, @@ -2928,9 +2867,10 @@ "description": "Researchers assess that Flax Typhoon is a nation-state-sponsored espionage group based in China that has targeted government, education, manufacturing, and IT organizations in Taiwan, elsewhere in Southeast Asia, North America, and Africa. Flax Typhoon is believed to overlap with the ETHEREAL PANDA group and has been active since mid-2021. Flax Typhoon has been seen establishing persistence, moving laterally, and accessing victim credentials after achieving network access, but to date, researchers have not observed the actors acting on final objectives during intrusions. Microsoft researchers assess that Flax Typhoon's techniques, which lean on legitimate, often built-in tools & utilities, could be used in attacks on victims in other regions.[[Microsoft Flax Typhoon August 24 2023](/references/ec962b72-7b7f-4f7e-b6d6-7c5380b07201)]", "meta": { "country": "CN", - "group_attack_id": "G5031", + "group_attack_id": "G3018", "observed_countries": [ - "TW" + "TW", + "US" ], "observed_motivations": [ "Cyber Espionage" @@ -2938,14 +2878,22 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a", + "a159c91c-5258-49ea-af7d-e803008d97d3", + "70dc52b0-f317-4134-8a42-71aea1443707", + "b20e7912-6a8d-46e3-8e13-9a3fc4813852", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "target_categories": [ + "Defense", "Education", "Government", "Manufacturing", - "Technology" + "Technology", + "Telecommunications" ] }, "related": [], @@ -2960,6 +2908,7 @@ "observed_countries": [ "AU", "AT", + "AZ", "FI", "FR", "DE", @@ -2982,6 +2931,17 @@ ], "source": "MITRE", "tags": [ + "07f09197-1847-411e-a451-d37211ead1b2", + "0e1abd50-26be-43e7-b8f6-40f8a6aee148", + "1ff4614e-0ee6-4e04-921d-61abba7fcdb7", + "c475ad68-3fdc-4725-8abc-784c56125e96", + "45c5f939-56c4-4d12-844d-578f32d535c3", + "5e42e064-1065-44c6-836e-7dc0a2976bd4", + "ab64f2d8-8da3-48de-ac66-0fd91d634b22", + "cc370970-a67c-4c74-95e3-4fe053e9bfa9", + "0e948c57-6c10-4576-ad27-9832cc2af3a1", + "a159c91c-5258-49ea-af7d-e803008d97d3", + "fe984a01-910d-4e39-9c49-179aa03f75ab", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "9768aada-9d63-4d46-ab9f-d41b8c8e4010", @@ -3101,12 +3061,7 @@ "Non Profit" ] }, - "related": [ - { - "dest-uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb", - "type": "similar" - } - ], + "related": [], "uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "value": "Gamaredon Group" }, @@ -3122,12 +3077,7 @@ "Financial Services" ] }, - "related": [ - { - "dest-uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0", - "type": "similar" - } - ], + "related": [], "uuid": "dbc85db0-937d-47d7-9002-7364d41be48a", "value": "GCMAN" }, @@ -3166,19 +3116,14 @@ "Government" ] }, - "related": [ - { - "dest-uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131", - "type": "similar" - } - ], + "related": [], "uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2", "value": "Gorgon Group" }, { "description": "GreenMwizi is assessed to be an actor based in Nairobi, Kenya that has carried out scam campaigns involving social media bots. A campaign observed in May 2023 appeared to target customers of a major online travel/hospitality booking brand.[[GreenMwizi - Kenyan scamming campaign using Twitter bots](/references/3b09696a-1345-4283-a59b-e9a13124ef59)]", "meta": { - "group_attack_id": "G5024", + "group_attack_id": "G3001", "observed_motivations": [ "Financial Gain" ], @@ -3203,19 +3148,14 @@ "group_attack_id": "G0043", "source": "MITRE" }, - "related": [ - { - "dest-uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af", - "type": "similar" - } - ], + "related": [], "uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a", "value": "Group5" }, { "description": "H0lyGh0st is a North Korea-based ransomware-focused threat actor group.[[H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware](/references/3f66ef62-ac0d-4ece-9a4b-917ae70f1617)]", "meta": { - "group_attack_id": "G5025", + "group_attack_id": "G3006", "observed_motivations": [ "Financial Gain" ], @@ -3252,12 +3192,7 @@ "Think Tanks" ] }, - "related": [ - { - "dest-uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", - "type": "similar" - } - ], + "related": [], "uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "value": "HAFNIUM" }, @@ -3298,7 +3233,7 @@ { "description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Hive, a ransomware-as-a-service (RaaS) variant first observed in June 2021.[[U.S. CISA Hive November 25 2022](/references/fce322e6-5e23-404a-acf8-cd003f00c79d)] Specific pre- and post-compromise behaviors may vary among intrusions carried out by different Hive affiliates.\n\nHive actors have targeted victims in a wide range of verticals, including the government, communications, manufacturing, information technology, financial services, education, and especially the healthcare sectors. In January 2023, international authorities announced they disrupted Hive ransomware operations, seizing control of servers and websites used for communication among Hive actors and capturing Hive decryption keys.[[U.S. Justice Department Hive January 2023](/references/81bd5579-6a8a-40d2-b7b7-5cdb879ebdf0)]", "meta": { - "group_attack_id": "G5042", + "group_attack_id": "G3041", "observed_countries": [ "DE", "NL", @@ -3374,12 +3309,7 @@ "Media" ] }, - "related": [ - { - "dest-uuid": "71ef51ca-a791-11e8-a026-07980ca910ca", - "type": "similar" - } - ], + "related": [], "uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "value": "Inception" }, @@ -3493,19 +3423,14 @@ "NGOs" ] }, - "related": [ - { - "dest-uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", - "type": "similar" - } - ], + "related": [], "uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "value": "Ke3chang" }, { "description": "Killnet is an apparent hacktivist collective that has primarily used distributed denial of service (DDoS) attacks in support of its ideology, which appears to largely align with Russian state interests. The group emerged in October 2021, initially offering DDoS capabilities as a for-hire service. However, after the February 2022 Russian invasion of Ukraine, Killnet explicitly pledged allegiance to Russia and began to threaten and claim responsibility for attacks on targets in Ukraine and in countries perceived to support Ukraine. To date, the group has claimed and is believed to be responsible for a considerable number of DDoS attacks on government and private sector targets in a range of sectors, using a variety of discrete techniques to carry them out. It is also believed to be behind a smaller number of data exfiltration-focused attacks, and it has promoted the use of defacement tools in its communication channels with supporters.[[Flashpoint Glossary Killnet](/references/502cc03b-350b-4e2d-9436-364c43a0a203)]\n\nIn October 2023, following a series of air- and land-based attacks in the Gaza Strip, researchers observed Killnet claiming responsibility for disruptive attacks against computer networks in Israel and pledging explicit support for Palestinian interests.[[RyanW3stman Tweet October 10 2023](/references/cfd0ad64-54b2-446f-9624-9c90a9a94f52)]", "meta": { - "group_attack_id": "G5009", + "group_attack_id": "G3022", "observed_countries": [ "BE", "CZ", @@ -3620,12 +3545,7 @@ "Infrastructure" ] }, - "related": [ - { - "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", - "type": "similar" - } - ], + "related": [], "uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "value": "Lazarus Group" }, @@ -3732,19 +3652,14 @@ "Transportation" ] }, - "related": [ - { - "dest-uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9", - "type": "similar" - } - ], + "related": [], "uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "value": "Leviathan" }, { "description": "This object represents the LockBit Ransomware-as-a-Service (\"RaaS\") apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.\n\nRansomware labeled \"LockBit\" was first observed in 2020. LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency (\"CISA\"), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware's predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (March 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]\n\nSince emerging in 2020, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world. In June 2023, the U.S. Federal Bureau of Investigation reported it had identified 1,700 LockBit attacks since 2020.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)] According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (576 associated with the LockBit 2.0 variant and 394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims, more than double the number of the next threat (Clop, with 179 victims).[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] CISA reported in June 2023 that U.S. ransoms paid to LockBit since January 2020 totaled $91 million.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]\n\nLockBit affiliate operators are known to use a wide variety of techniques during their attacks. Initial access for LockBit infections has occurred via most methods (including a number of vulnerability exploits), and operators are known to abuse a range of free and open-source software tools for a variety of post-exploitation activities. In addition to victim data encryption, LockBit actors routinely exfiltrate victim data and threaten to leak this data for extortion purposes.\n\n**Related Vulnerabilities**: CVE-2021-22986, CVE-2023-0669, CVE-2023-27350, CVE-2021-44228, CVE-2021-22986, CVE-2020-1472, CVE-2019-0708, CVE-2018-13379[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { - "group_attack_id": "G5004", + "group_attack_id": "G3013", "observed_countries": [ "AR", "AU", @@ -3875,12 +3790,7 @@ "Government" ] }, - "related": [ - { - "dest-uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d", - "type": "similar" - } - ], + "related": [], "uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52", "value": "Lotus Blossom" }, @@ -3897,7 +3807,7 @@ { "description": "Luna Moth (aka Silent Ransom Group) is a financially-motivated, extortion-focused adversary active since at least March 2022 and through at least June 2023. The group is known for carrying out \"callback phishing\" attacks, where actors entice victims to call an actor-controlled number, for example by sending a fraudulent email that claims the victim recently registered for a popular subscription service. Once connected, actors would convince victims to join a live, actor-connected sessions with legitimate remote access tools provided via a link in a subsequent email, then install other legitimate remote administration software used to support further discovery and exfiltration activity.[[Sygnia Luna Moth July 1 2022](/references/115590b2-ab57-432c-900e-000627464a11)][[FBI Ransomware Tools November 7 2023](/references/e096e1f4-6b62-4756-8811-f263cf1dcecc)]", "meta": { - "group_attack_id": "G5043", + "group_attack_id": "G3042", "observed_motivations": [ "Financial Gain" ], @@ -3958,12 +3868,7 @@ "Utilities" ] }, - "related": [ - { - "dest-uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3", - "type": "similar" - } - ], + "related": [], "uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af", "value": "Machete" }, @@ -3997,6 +3902,17 @@ "Cyber Espionage" ], "source": "MITRE", + "tags": [ + "24448a05-2337-4bc9-a889-a83f2fd1f3ad", + "3ed2343c-a29c-42e2-8259-410381164c6a", + "375983b3-6e87-4281-99e2-1561519dd17b", + "64d3f7d8-30b7-4b03-bee2-a6029672216c", + "915e7ac2-b266-45d7-945c-cb04327d6246", + "e499005b-adba-45bb-85e3-07043fd9edf9", + "8b1cb0dc-dd3e-44ba-828c-55c040e93b93", + "5f5e40cd-0732-4eb4-a083-06940623c3f9", + "1b98f09a-7d93-4abb-8f3e-1eacdb9f9871" + ], "target_categories": [ "Construction", "Defense", @@ -4009,12 +3925,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", - "type": "similar" - } - ], + "related": [], "uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "value": "Magic Hound" }, @@ -4048,13 +3959,14 @@ { "description": "MedusaLocker is a ransomware-as-a-service (\"RaaS\") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 has typically occurred via exploit of vulnerable Remote Desktop Protocol devices.[[HC3 Analyst Note MedusaLocker Ransomware February 2023](/references/49e314d6-5324-41e0-8bee-2b3e08d5e12f)]\n \nThis object represents behaviors associated with operators of MedusaLocker ransomware. As MedusaLocker is licensed on a RaaS model, affiliates likely do not act as a single cohesive unit, and behaviors observed during particular attacks may vary. Behaviors associated with samples of MedusaLocker ransomware are represented in the \"MedusaLocker Ransomware\" Software object.\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker", "meta": { - "group_attack_id": "G5003", + "group_attack_id": "G3015", "observed_motivations": [ "Financial Gain" ], "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "65cf80be-342d-4eba-bf8d-2477923f0ce4", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "15787198-6c8b-4f79-bf50-258d55072fee", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -4071,7 +3983,7 @@ { "description": "Medusa is a ransomware operation that reportedly launched in June 2021. In 2023, the group launched a website used to publicize alleged victims. The group appears to be independent of the similarly named \"MedusaLocker\" operation.[[Bleeping Computer Medusa Ransomware March 12 2023](/references/21fe1d9e-17f1-49e2-b05f-78e9160f5414)]\n\nAccording to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, Medusa actors publicly claimed around 90 victims through September 2023, ranking it ninth out of the 50+ ransomware operations in the dataset. These victims come from a wide variety of industry sectors and localities.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]", "meta": { - "group_attack_id": "G5007", + "group_attack_id": "G3021", "observed_countries": [ "CA", "CL", @@ -4180,12 +4092,7 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c", - "type": "similar" - } - ], + "related": [], "uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "value": "menuPass" }, @@ -4219,12 +4126,7 @@ "Manufacturing" ] }, - "related": [ - { - "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", - "type": "similar" - } - ], + "related": [], "uuid": "4510ce41-27b9-479c-9bf3-a328b77bae29", "value": "Moafee" }, @@ -4282,12 +4184,7 @@ "NGOs" ] }, - "related": [ - { - "dest-uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde", - "type": "similar" - } - ], + "related": [], "uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "value": "Molerats" }, @@ -4295,7 +4192,7 @@ "description": "Moonstone Sleet is a North Korea state-aligned threat actor group that has targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, for both financial gain and espionage purposes. The group is believed to be well-resourced, capable of conducting multiple distinct campaigns simultaneously. Microsoft security researchers assess that Moonstone Sleet has expanded its capabilities, with possible goals of enabling disruptive operations and/or software supply chain attacks.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]", "meta": { "country": "KP", - "group_attack_id": "G5040", + "group_attack_id": "G3039", "observed_motivations": [ "Cyber Espionage", "Financial Gain" @@ -4410,6 +4307,9 @@ ], "source": "MITRE", "tags": [ + "ee3188ce-20e9-4e8e-bbfd-cdc527d5a2b2", + "89c5b94b-ecf4-4d53-9b74-3465086d4565", + "0eab0089-86a5-43b1-9ddb-8960f1005267", "992bdd33-4a47-495d-883a-58010a2f0efb" ], "target_categories": [ @@ -4420,12 +4320,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b", - "type": "similar" - } - ], + "related": [], "uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "value": "MuddyWater" }, @@ -4519,12 +4414,7 @@ "Government" ] }, - "related": [ - { - "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", - "type": "similar" - } - ], + "related": [], "uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "value": "Naikon" }, @@ -4540,12 +4430,7 @@ ], "source": "MITRE" }, - "related": [ - { - "dest-uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb", - "type": "similar" - } - ], + "related": [], "uuid": "3a660ef3-9954-4252-8946-f903f3f42d0c", "value": "NEODYMIUM" }, @@ -4585,8 +4470,13 @@ "GB", "US" ], + "observed_motivations": [ + "Cyber Espionage" + ], "source": "MITRE", "tags": [ + "0f1b7cb0-c4de-485e-8ff5-fe12ffccd738", + "15f2277a-a17e-4d85-8acd-480bf84f16b4", "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" ], "target_categories": [ @@ -4599,12 +4489,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", - "type": "similar" - } - ], + "related": [], "uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "value": "OilRig" }, @@ -4672,19 +4557,14 @@ "Think Tanks" ] }, - "related": [ - { - "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825", - "type": "similar" - } - ], + "related": [], "uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "value": "Patchwork" }, { "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Software and/or Campaigns) related to the Phobos ransomware-as-a-service (\"RaaS\") operation. Further background & contextual details can be found in the References tab below.", "meta": { - "group_attack_id": "G5020", + "group_attack_id": "G3033", "observed_countries": [ "US" ], @@ -4694,6 +4574,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "ee8be47a-dbd8-4067-8785-2fc1450587eb", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -4727,12 +4608,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189", - "type": "similar" - } - ], + "related": [], "uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "value": "PittyTiger" }, @@ -4756,19 +4632,14 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a", - "type": "similar" - } - ], + "related": [], "uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "value": "PLATINUM" }, { "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nPlay is a ransomware operation first observed in mid-2022. Security researchers have observed filename, filepath, and TTP overlaps between Play and Hive and Nokoyawa ransomwares, which themselves are believed to be linked.[[Trend Micro Play Playbook September 06 2022](/references/2d2b527d-25b0-4b58-9ae6-c87060b64069)] According to publicly available ransomware extortion threat data, Play has claimed more than 300 victims from a wide range of sectors on its data leak site since December 2022.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.play\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/PlayCrypt", "meta": { - "group_attack_id": "G5018", + "group_attack_id": "G3016", "observed_countries": [ "AR", "BE", @@ -4791,6 +4662,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "a2e000da-8181-4327-bacd-32013dbd3654", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", @@ -4853,12 +4725,7 @@ "Utilities" ] }, - "related": [ - { - "dest-uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d", - "type": "similar" - } - ], + "related": [], "uuid": "553e2b7b-170c-4eb5-812b-ea33fe1dd4a0", "value": "Poseidon Group" }, @@ -4874,12 +4741,7 @@ ], "source": "MITRE" }, - "related": [ - { - "dest-uuid": "43894e2a-174e-4931-94a8-2296afe8f650", - "type": "similar" - } - ], + "related": [], "uuid": "cc798766-8662-4b55-8536-6d057fbc58f0", "value": "PROMETHIUM" }, @@ -4901,19 +4763,30 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "0ca45163-e223-4167-b1af-f088ed14a93d", - "type": "similar" - } - ], + "related": [], "uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "value": "Putter Panda" }, + { + "description": "7777 or Quad7 is a botnet used to compromise network devices such as TP-LINK small office/home office (\"SOHO\") routers and use the infected devices to relay password spraying attacks against Microsoft 365 accounts.[[Sekoia.io Blog July 23 2024](/references/ae84e72a-56b3-4dc4-b053-d3766764ac0d)][[Sekoia.io Blog September 9 2024](/references/eb4a1888-3b04-449b-9738-d96ae26adfee)] This object reflects the various Techniques observed in use by the threat actors known to operate this botnet.", + "meta": { + "group_attack_id": "G3052", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "bf3d1108-0bcd-47ae-8d71-4df48e3e2b43", + "value": "Quad7 Botnet Operators" + }, { "description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Quantum ransomware (aka Quantum Locker, which derives from the MountLocker, AstroLocker, and XingLocker ransomware families). The Quantum group is known to publicly extort its victims.[[Cybereason Quantum Ransomware May 9 2022](/references/19027620-216a-4921-8d78-f56377778a12)] Researchers indicate the group is a rebranding of the \"Conti Team Two\" that formed after the fragmenting of the Ryuk/Conti ransom group in early 2022.[[AdvIntel Bazar Call August 10 2022](/references/5d3dff70-28c2-42a5-bf58-211fe6491fd2)]", "meta": { - "group_attack_id": "G5044", + "group_attack_id": "G3043", "observed_motivations": [ "Financial Gain" ], @@ -4944,29 +4817,50 @@ ], "source": "MITRE" }, - "related": [ - { - "dest-uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b", - "type": "similar" - } - ], + "related": [], "uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "value": "Rancor" }, { "description": "RansomHub is an extortion group that regularly republicizes victim data allegedly stolen in other ransomware groups' attacks, but it is also believed to have developed an original ransomware payload.[[BroadcomSW June 5 2024](/references/3fa49490-cb22-4362-bf48-eaba9e83e6f5)][[The Record RansomHub June 3 2024](/references/1e474240-bd12-4472-8e69-1631b0e4c102)] This object reflects the ATT&CK Techniques and/or associated Software & Campaigns linked to attacks by actors deploying RansomHub ransomware.", "meta": { - "group_attack_id": "G5050", + "group_attack_id": "G3049", + "observed_countries": [ + "US" + ], "observed_motivations": [ "Financial Gain" ], "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", + "15787198-6c8b-4f79-bf50-258d55072fee", + "32b1a271-7856-4dda-a802-42325f465d36", + "89c5b94b-ecf4-4d53-9b74-3465086d4565", + "09de661e-60c4-43fb-bfef-df017215d1d8", + "8046a757-48f0-4787-81ab-9dc8c1eb77cd", + "abe1c785-4f3a-4f4f-96eb-c47da570face", + "9794c389-183b-4d6b-bd59-95cfa4a5afc7", + "4ac8dcde-2665-4066-9ad9-b5572d5f0d28", + "b8448700-7ed0-48b8-85f5-ed23e0d9ab97", + "c475ad68-3fdc-4725-8abc-784c56125e96", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", - "7e7b0c67-bb85-4996-a289-da0e792d7172", - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2feda37d-5579-4102-a073-aa02e82cb49f" + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], + "target_categories": [ + "Agriculture", + "Financial Services", + "Government", + "Healthcare", + "Manufacturing", + "Technology", + "Telecommunications", + "Transportation", + "Utilities", + "Water" ] }, "related": [], @@ -4976,7 +4870,7 @@ { "description": "This object represents the behaviors associated with operators of Rhysida ransomware, which is licensed on a ransomware-as-a-service (\"RaaS\") basis. Various affiliated ransomware operators likely do not operate as a cohesive unit. The Rhysida RaaS operation has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[[HC3 Analyst Note Rhysida Ransomware August 2023](/references/3f6e2821-5073-4382-b5dd-08676eaa2240)]\n\n**Related Vulnerabilities**: CVE-2020-1472[[U.S. CISA Rhysida Ransomware November 15 2023](/references/6d902955-d9a9-4ec1-8dd4-264f7594605e)]", "meta": { - "group_attack_id": "G5013", + "group_attack_id": "G3017", "observed_countries": [ "AU", "AT", @@ -5002,6 +4896,7 @@ "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ + "1bafa336-67a8-4094-bb2e-2079a7bdaab5", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "15787198-6c8b-4f79-bf50-258d55072fee", "2743d495-7728-4a75-9e5f-b64854039792", @@ -5039,7 +4934,7 @@ { "description": "Royal is a ransomware group believed to be responsible for hundreds of attacks on victims worldwide, including those in critical infrastructure sectors including manufacturing, communications, healthcare, and education. The actors that comprise the Royal ransomware operation are believed to be former members of other cybercriminal groups linked to Roy/Zeon ransomware, Conti ransomware, and TrickBot. Unlike many of the other most prominent ransomware groups in recent years, the developers of Royal ransomware are not known to lease the malware to affiliates as a service.[[Kroll Royal Deep Dive February 2023](/references/dcdcc965-56d0-58e6-996b-d8bd40916745)]\n\nThe Royal group often pressures victims into paying ransom demands by threatening to leak data exfiltrated during intrusions. While public data from the [ransomwatch project](https://github.com/joshhighet/ransomwatch) suggest the group has claimed roughly 200 victims since Q4 2022, a November 2023 U.S. government advisory indicated that Royal “has targeted over 350 known victims worldwide” since September 2022, with extortion demands at times exceeding $250 million.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)][[CISA Royal AA23-061A March 2023](/references/81baa61e-13c3-51e0-bf22-08383dbfb2a1)]", "meta": { - "group_attack_id": "G5014", + "group_attack_id": "G3003", "observed_countries": [ "AU", "BR", @@ -5102,12 +4997,7 @@ ], "source": "MITRE" }, - "related": [ - { - "dest-uuid": "88100602-8e8b-11e9-bb7c-1bf20b58e305", - "type": "similar" - } - ], + "related": [], "uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd", "value": "RTM" }, @@ -5151,19 +5041,14 @@ "Transportation" ] }, - "related": [ - { - "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", - "type": "similar" - } - ], + "related": [], "uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "value": "Sandworm Team" }, { "description": "SCARLETEEL is a threat actor known to leverage various cloud-based technologies in order to steal proprietary software and other data from victim environments.[[Sysdig Scarleteel February 28 2023](/references/18931f81-51bf-44af-9573-512ccb66c238)]", "meta": { - "group_attack_id": "G5036", + "group_attack_id": "G3032", "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ @@ -5179,6 +5064,21 @@ "uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", "value": "SCARLETEEL" }, + { + "description": "Scarlet Goldfinch is a threat activity cluster that typically tricks victims into downloading files that appear to be web browser updates, with the file ultimately leading to the deployment of NetSupport Manager, a remote monitoring and management (RMM) utility that has been heavily abused by adversaries.[[Red Canary June 26 2024](/references/e0d62504-6fec-4d95-9f4a-e0dda7e7b6d9)]", + "meta": { + "group_attack_id": "G5023", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "54a13c54-a1d5-46e9-b155-56d981a5ad8f", + "value": "Scarlet Goldfinch" + }, { "description": "[Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by [Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) and [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c), it has not been concluded that the groups are the same. [[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]", "meta": { @@ -5191,12 +5091,7 @@ "Human Rights" ] }, - "related": [ - { - "dest-uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e", - "type": "similar" - } - ], + "related": [], "uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "value": "Scarlet Mimic" }, @@ -5405,19 +5300,14 @@ "Government" ] }, - "related": [ - { - "dest-uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5", - "type": "similar" - } - ], + "related": [], "uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577", "value": "Sowbug" }, { "description": "Spandex Tempest is a financially motivated adversary group associated with Dudear campaigns, which deliver the FlawedGrace remote access Trojan for information theft purposes.[[Microsoft Threat Actor Naming](/references/de9cda86-0b23-4bc8-b524-e74fecf99448)] The group has evolved initial access techniques observed during these campaigns to evade defenses.[[Microsoft Threat Intelligence Tweet June 17 2020](/references/98fc7485-9424-412f-8162-a69d6c10c243)]", "meta": { - "group_attack_id": "G5029", + "group_attack_id": "G3012", "observed_motivations": [ "Financial Gain" ], @@ -5436,7 +5326,7 @@ "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nStar Blizzard is believed to be a Russia-based cyber threat actor group. According to joint Cybersecurity Advisory AA23-341A (December 2023), U.S. and international authorities assess that Star Blizzard is “almost certainly” a subordinate of the Russian Federal Security Service (FSB) Centre 18. Star Blizzard is known to successfully use spear-phishing attacks against its targets for information-gathering purposes. The advisory indicated that authorities observed these spear-phishing attacks occurring through 2023. Star Blizzard has traditionally targeted academic, defense, government, non-governmental (NGO), and think tank organizations (and associated personnel) in the United States and United Kingdom, other NATO nations, and countries neighboring Russia. Politicians have also been targeted. According to the advisory, beginning in 2022, authorities witnessed Star Blizzard targeting expand to targets in the defense-industrial sector and U.S. Department of Energy facilities.[[U.S. CISA Star Blizzard December 2023](/references/3d53c154-8ced-4dbe-ab4e-db3bc15bfe4b)]", "meta": { "country": "RU", - "group_attack_id": "G5017", + "group_attack_id": "G3029", "observed_countries": [ "GB", "US" @@ -5476,19 +5366,14 @@ "Human Rights" ] }, - "related": [ - { - "dest-uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0", - "type": "similar" - } - ], + "related": [], "uuid": "ca3016f3-642a-4ae0-86bc-7258475d6937", "value": "Stealth Falcon" }, { "description": "Storm-0844 is a threat actor originally known for distributing Akira ransomware, and more recently, for distributing Fog ransomware. The actor gains initial access likely by abusing valid accounts, then uses freely available tools for discovery, lateral movement, and exfiltration prior to ransomware deployment.[[Microsoft Threat Intelligence LinkedIn July 15 2024](/references/0e7ea8d0-bdb8-48a6-9718-703f64d16460)]", "meta": { - "group_attack_id": "G5047", + "group_attack_id": "G3046", "observed_motivations": [ "Financial Gain" ], @@ -5509,7 +5394,7 @@ { "description": "According to Microsoft security researchers, Storm-1811 is a \"financially motivated cybercriminal group known to deploy Black Basta ransomware\".[[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]", "meta": { - "group_attack_id": "G5039", + "group_attack_id": "G3038", "observed_motivations": [ "Financial Gain" ], @@ -5551,12 +5436,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7", - "type": "similar" - } - ], + "related": [], "uuid": "deb573c6-071a-4b50-9e92-4aa648d8bdc1", "value": "Strider" }, @@ -5573,12 +5453,7 @@ ], "source": "MITRE" }, - "related": [ - { - "dest-uuid": "5abb12e7-5066-4f84-a109-49a037205c76", - "type": "similar" - } - ], + "related": [], "uuid": "06549082-ff70-43bf-985e-88c695c7113c", "value": "Suckfly" }, @@ -5616,12 +5491,7 @@ ], "source": "MITRE" }, - "related": [ - { - "dest-uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314", - "type": "similar" - } - ], + "related": [], "uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "value": "TA459" }, @@ -5646,12 +5516,7 @@ "a98d7a43-f227-478e-81de-e7299639a355" ] }, - "related": [ - { - "dest-uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", - "type": "similar" - } - ], + "related": [], "uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "value": "TA505" }, @@ -5664,19 +5529,14 @@ ], "source": "MITRE" }, - "related": [ - { - "dest-uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1", - "type": "similar" - } - ], + "related": [], "uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "value": "TA551" }, { "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nTA577 is a cybercriminal actor that has remained highly active since mid-2020. The actor is known for carrying out email-based campaigns that result in the delivery of a wide range of payloads, including at least one leading to ransomware (REvil) deployment. These campaigns are known to impact organizations in a wide range of sectors and geographic locations.[[Proofpoint Ransomware Initial Access June 2021](/references/3b0631ae-f589-4b7c-a00a-04dcd5f3a77b)] The actor appears adept at shifting payloads in response to external factors, for example moving to deliver DarkGate and Pikabot shortly after international authorities disrupted the QakBot botnet in August 2023.[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]", "meta": { - "group_attack_id": "G5019", + "group_attack_id": "G3031", "observed_motivations": [ "Financial Gain" ], @@ -5727,12 +5587,7 @@ "Infrastructure" ] }, - "related": [ - { - "dest-uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2", - "type": "similar" - } - ], + "related": [], "uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6", "value": "TEMP.Veles" }, @@ -5810,12 +5665,7 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32", - "type": "similar" - } - ], + "related": [], "uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "value": "Threat Group-3390" }, @@ -5835,12 +5685,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc", - "type": "similar" - } - ], + "related": [], "uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "value": "Thrip" }, @@ -5880,12 +5725,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26", - "type": "similar" - } - ], + "related": [], "uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "value": "Tonto Team" }, @@ -5958,12 +5798,7 @@ "Transportation" ] }, - "related": [ - { - "dest-uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee", - "type": "similar" - } - ], + "related": [], "uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "value": "Tropic Trooper" }, @@ -6061,12 +5896,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68", - "type": "similar" - } - ], + "related": [], "uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "value": "Turla" }, @@ -6074,7 +5904,7 @@ "description": "UAT4356 (aka Storm-1849) is an actor attributed to the ArcaneDoor campaign targeting Cisco Adaptive Security Appliance (ASA) network devices. The suspected espionage activity targeted unspecified government institutions around the world.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)] Anonymous sources indicated that the ArcaneDoor campaign appeared aligned with China's state interests.[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]", "meta": { "country": "CN", - "group_attack_id": "G5022", + "group_attack_id": "G3036", "observed_motivations": [ "Cyber Espionage" ], @@ -6097,7 +5927,7 @@ { "description": "UNC3966 is a threat actor group tracked by Mandiant. In an intrusion documented in March 2023, UNC3966 received access to a victim network initially compromised by the group UNC961. UNC3966 primary motivations remain unclear. During the intrusion, the group was observed collecting and exfiltrating victim data. While a ransom note was also discovered, UNC3966 did not appear to deploy ransomware encryption software and did not appear to demand a ransom payment.[[Mandiant UNC961 March 23 2023](/references/cef19ceb-179f-4d49-acba-5ce40ab9f65e)]", "meta": { - "group_attack_id": "G5034", + "group_attack_id": "G3027", "owner": "TidalCyberIan", "source": "Tidal Cyber", "tags": [ @@ -6112,7 +5942,7 @@ { "description": "UNC5537 is a threat actor believed to be responsible for compromising a large number of database instances belonging to customers of Snowflake, a multi-cloud data warehousing platform, in Q2 2024. Initial access was largely achieved using stolen customer credentials compromised previously via infostealer malware. Actors sought to monetize their access by selling victim data on underground forums and by extorting victims. Researchers believe UNC5537 is comprised of members based in North America and at least one member in Turkey, and it has targeted hundreds of organizations globally.[[Google Cloud June 10 2024](/references/0afe3662-b55c-4189-9c9a-2be55a9b6a70)]", "meta": { - "group_attack_id": "G5041", + "group_attack_id": "G3040", "observed_countries": [ "ES", "US" @@ -6143,7 +5973,7 @@ { "description": "UNC961 is a financially motivated group active since at least 2018. It traditionally targeted retail and \"business services\" organizations based in North America, until expanding its targeting in 2020 to also include victims in a range of additional sectors in Northern Europe and Western Asia. In all known intrusions, UNC961 gained initial access by exploiting web-facing applications.[[Mandiant Log4Shell March 28 2022](/references/62d4d685-09c4-47b6-865c-4a6096e551cd)]", "meta": { - "group_attack_id": "G5033", + "group_attack_id": "G3026", "observed_motivations": [ "Financial Gain" ], @@ -6177,11 +6007,40 @@ "uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "value": "UNC961" }, + { + "description": "Vanilla Tempest is a financially motivated threat actor that has been active since July 2022, which has used a variety of ransomware payloads during observed attacks. Microsoft Threat Intelligence researchers indicate that Vanilla Tempest, which was previously tracked under the moniker DEV-0832, \"overlaps with\" activity tracked by other research teams as the Vice Society ransomware/extortion group.[[MSTIC Vanilla Tempest September 18 2024](/references/24c11dff-21df-4ce9-b3df-2e0a886339ff)]", + "meta": { + "group_attack_id": "G3054", + "observed_countries": [ + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Education", + "Healthcare", + "Manufacturing", + "Technology" + ] + }, + "related": [], + "uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "value": "Vanilla Tempest" + }, { "description": "Velvet Ant is a suspected \"China-nexus\" espionage group that has notably targeted network devices as part of its operations. In one case involving an unspecified victim located in East Asia, the group was seen abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as a command-and-control mechanism, managing to maintain network persistence for a period of three years. As part of the broader investigation into the group, researchers also observed cases of zero-day exploitation of CVE-2024-20399 in Cisco Nexus network switch devices, which allowed actors to upload and execute previously unknown, custom malware. The researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\".[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)][[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]", "meta": { "country": "CN", - "group_attack_id": "G5045", + "group_attack_id": "G3044", "observed_motivations": [ "Cyber Espionage" ], @@ -6202,7 +6061,7 @@ { "description": "Vice Society is an extortion-focused threat actor group first observed in mid-2021. The group gained notoriety after targeting a considerable number of educational institutions, especially lower education institutions. Although the education sector accounts for a disproportionate amount of the group’s victims, Vice Society has claimed victims in multiple other industries too, including the healthcare, retail, financial, insurance, and public services sectors. The group regularly pressures victims into paying a ransom by threatening to leak data exfiltrated during its intrusions. Vice Society is not known to have developed its own ransomware, instead deploying other existing families, including HELLOKITTY/FIVEHANDS and Zeppelin.[[U.S. CISA Vice Society September 2022](/references/0a754513-5f20-44a0-8cea-c5d9519106c8)]\n\n**Related Vulnerabilities**: CVE-2021-1675[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)], CVE-2021-34527[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)]", "meta": { - "group_attack_id": "G5012", + "group_attack_id": "G3004", "observed_countries": [ "AR", "AU", @@ -6273,7 +6132,7 @@ { "description": "Void Rabisu is a threat actor believed be responsible for distributing Cuba ransomware.[[Unit 42 Cuba August 9 2022](/references/06f668d9-9a68-4d2f-b9a0-b92beb3b75d6)] Trend Micro researchers assess that, since October 2022, Void Rabisu's use of the RomCom backdoor during attacks could suggest a shift in its motivation towards more geopolitically motivated activity.[[Trend Micro Void Rabisu May 30 2023](/references/5fd628ca-f366-4f0d-b493-8be19fa4dd4e)]", "meta": { - "group_attack_id": "G5027", + "group_attack_id": "G3009", "observed_countries": [ "UA", "US" @@ -6317,10 +6176,6 @@ "Cyber Espionage" ], "source": "MITRE", - "tags": [ - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2feda37d-5579-4102-a073-aa02e82cb49f" - ], "target_categories": [ "Defense", "Education", @@ -6486,12 +6341,7 @@ "Entertainment" ] }, - "related": [ - { - "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", - "type": "similar" - } - ], + "related": [], "uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "value": "Winnti Group" }, @@ -6578,7 +6428,7 @@ "description": "Yellow Liderc (aka Imperial Kitten, Tortoiseshell, TA456, Crimson Sandstorm) is a threat actor group based in Iran that is believed to be aligned with the Iranian Islamic Revolutionary Guard Corp (IRGC). Researchers have observed the group targeting victims in a range of sectors in the United States, Europe, the Middle East and Mediterranean, and South Asia.[[PwC Yellow Liderc October 25 2023](/references/cbeaf9b5-865f-44a1-a913-9eec28d7a5ff)]", "meta": { "country": "IR", - "group_attack_id": "G5032", + "group_attack_id": "G3025", "observed_countries": [ "US" ], @@ -6646,7 +6496,7 @@ { "description": "This object reflects the TTPs used by threat actors to distribute and deploy the Zloader trojan malware. Researchers have observed actors distributing Zloader in campaigns without attributing the activity to named adversaries, such as the operations described by ESET researchers cited in the References.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]\n\nTTPs associated with Zloader binaries themselves can be found in the separate \"Zloader\" Software object.", "meta": { - "group_attack_id": "G5037", + "group_attack_id": "G3034", "observed_countries": [ "AF", "AR", diff --git a/clusters/tidal-references.json b/clusters/tidal-references.json index 115d356b..8cbd3d70 100644 --- a/clusters/tidal-references.json +++ b/clusters/tidal-references.json @@ -1933,20 +1933,6 @@ "uuid": "5b6b909d-870a-4d14-85ec-6aa14e598740", "value": "FireEye APT Groups" }, - { - "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.", - "meta": { - "date_accessed": "2024-02-14T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/insights/apt-groups" - ], - "source": "MITRE", - "title": "Advanced Persistent Threats (APTs)" - }, - "related": [], - "uuid": "2d16615b-09fc-5925-8f59-6d20f334d236", - "value": "Mandiant Advanced Persistent Threats" - }, { "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved September 14, 2023.", "meta": { @@ -1962,6 +1948,20 @@ "uuid": "c984fcfc-1bfd-4b1e-9034-a6ff3e6ebf97", "value": "Mandiant APT Groups List" }, + { + "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.", + "meta": { + "date_accessed": "2024-02-14T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/insights/apt-groups" + ], + "source": "MITRE", + "title": "Advanced Persistent Threats (APTs)" + }, + "related": [], + "uuid": "2d16615b-09fc-5925-8f59-6d20f334d236", + "value": "Mandiant Advanced Persistent Threats" + }, { "description": "Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021.", "meta": { @@ -2221,6 +2221,22 @@ "uuid": "28bfb97b-4b58-408a-bef9-9081f6ddedb8", "value": "LogPoint Agent Tesla March 23 2023" }, + { + "description": "Sekoia TDR; Felix Aimé; Pierre-Antoine D; Charles M. (2024, September 9). A glimpse into the Quad7 operators' next moves and associated botnets. Retrieved September 11, 2024.", + "meta": { + "date_accessed": "2024-09-11T00:00:00Z", + "date_published": "2024-09-09T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blog.sekoia.io/a-glimpse-into-the-quad7-operators-next-moves-and-associated-botnets/" + ], + "source": "Tidal Cyber", + "title": "A glimpse into the Quad7 operators' next moves and associated botnets" + }, + "related": [], + "uuid": "eb4a1888-3b04-449b-9738-d96ae26adfee", + "value": "Sekoia.io Blog September 9 2024" + }, { "description": "Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.", "meta": { @@ -2358,6 +2374,22 @@ "uuid": "1343b052-b158-4dad-9ed4-9dbb7bb778dd", "value": "Sophos Akira May 9 2023" }, + { + "description": "BlackBerry Research and Intelligence Team. (2024, July 11). Akira Ransomware Targets the LATAM Airline Industry. Retrieved September 16, 2024.", + "meta": { + "date_accessed": "2024-09-16T00:00:00Z", + "date_published": "2024-07-11T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry" + ], + "source": "Tidal Cyber", + "title": "Akira Ransomware Targets the LATAM Airline Industry" + }, + "related": [], + "uuid": "59a1bd0f-a907-4918-90e1-d163bf84f927", + "value": "BlackBerry Akira July 11 2024" + }, { "description": "Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023.", "meta": { @@ -3469,21 +3501,6 @@ "uuid": "03eb080d-0b83-5cbb-9317-c50b35996c9b", "value": "SecureList Fileless" }, - { - "description": "M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved January 8, 2018.", - "meta": { - "date_accessed": "2018-01-08T00:00:00Z", - "date_published": "2014-02-21T00:00:00Z", - "refs": [ - "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" - ], - "source": "MITRE", - "title": "An In-depth Analysis of Linux/Ebury" - }, - "related": [], - "uuid": "39384c7a-3032-4b45-a5eb-8ebe7de22aa2", - "value": "Welivesecurity Ebury SSH" - }, { "description": "M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.", "meta": { @@ -3499,6 +3516,21 @@ "uuid": "eb6d4f77-ac63-4cb8-8487-20f9e709334b", "value": "ESET Ebury Feb 2014" }, + { + "description": "M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved January 8, 2018.", + "meta": { + "date_accessed": "2018-01-08T00:00:00Z", + "date_published": "2014-02-21T00:00:00Z", + "refs": [ + "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" + ], + "source": "MITRE", + "title": "An In-depth Analysis of Linux/Ebury" + }, + "related": [], + "uuid": "39384c7a-3032-4b45-a5eb-8ebe7de22aa2", + "value": "Welivesecurity Ebury SSH" + }, { "description": "Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.", "meta": { @@ -4051,21 +4083,6 @@ "uuid": "268e7ade-c0a8-5859-8b16-6fa8aa3b0cb7", "value": "Microsoft App Domains" }, - { - "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", - "meta": { - "date_accessed": "2014-11-18T00:00:00Z", - "date_published": "2008-06-01T00:00:00Z", - "refs": [ - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" - ], - "source": "MITRE", - "title": "Application Lockdown with Software Restriction Policies" - }, - "related": [], - "uuid": "cae409ca-1c77-45df-88cd-c0998ac724ec", - "value": "Corio 2008" - }, { "description": "Corio, C., & Sayana, D. P.. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", "meta": { @@ -4081,6 +4098,21 @@ "uuid": "5dab4466-0871-486a-84ad-0e648b2e937d", "value": "Microsoft Application Lockdown" }, + { + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "meta": { + "date_accessed": "2014-11-18T00:00:00Z", + "date_published": "2008-06-01T00:00:00Z", + "refs": [ + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + ], + "source": "MITRE", + "title": "Application Lockdown with Software Restriction Policies" + }, + "related": [], + "uuid": "cae409ca-1c77-45df-88cd-c0998ac724ec", + "value": "Corio 2008" + }, { "description": "Beechey, J.. (2014, November 18). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", "meta": { @@ -4397,21 +4429,6 @@ "uuid": "3dd67aae-7feb-4b07-a985-ccadc1b16f1d", "value": "Bitdefender APT28 Dec 2015" }, - { - "description": "Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.", - "meta": { - "date_accessed": "2017-11-20T00:00:00Z", - "date_published": "2017-03-27T00:00:00Z", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html" - ], - "source": "MITRE", - "title": "APT29 Domain Fronting With TOR" - }, - "related": [], - "uuid": "1d919991-bc87-41bf-9e58-edf1b3806bb8", - "value": "FireEye APT29 Domain Fronting With TOR March 2017" - }, { "description": "Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.", "meta": { @@ -4427,6 +4444,21 @@ "uuid": "3e013b07-deaf-4387-acd7-2d0565d196a9", "value": "FireEye APT29 Domain Fronting" }, + { + "description": "Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.", + "meta": { + "date_accessed": "2017-11-20T00:00:00Z", + "date_published": "2017-03-27T00:00:00Z", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html" + ], + "source": "MITRE", + "title": "APT29 Domain Fronting With TOR" + }, + "related": [], + "uuid": "1d919991-bc87-41bf-9e58-edf1b3806bb8", + "value": "FireEye APT29 Domain Fronting With TOR March 2017" + }, { "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.", "meta": { @@ -5603,21 +5635,6 @@ "uuid": "d4ca3351-eeb8-5342-8c85-806614e22c48", "value": "FireEye TRITON Dec 2017" }, - { - "description": "Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.", - "meta": { - "date_accessed": "2022-08-09T00:00:00Z", - "date_published": "2014-01-14T00:00:00Z", - "refs": [ - "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/" - ], - "source": "MITRE", - "title": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency" - }, - "related": [], - "uuid": "d2186b8c-10c9-493b-8e25-7d69fce006e4", - "value": "GitHub Cloud Service Credentials" - }, { "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.", "meta": { @@ -5633,6 +5650,21 @@ "uuid": "303f8801-bdd6-4a0c-a90a-37867898c99c", "value": "Forbes GitHub Creds" }, + { + "description": "Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.", + "meta": { + "date_accessed": "2022-08-09T00:00:00Z", + "date_published": "2014-01-14T00:00:00Z", + "refs": [ + "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/" + ], + "source": "MITRE", + "title": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency" + }, + "related": [], + "uuid": "d2186b8c-10c9-493b-8e25-7d69fce006e4", + "value": "GitHub Cloud Service Credentials" + }, { "description": "Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.", "meta": { @@ -7739,6 +7771,22 @@ "uuid": "eef7cd8a-8cb6-4b24-ba49-9b17353d20b5", "value": "Shadowbunny VM Defense Evasion" }, + { + "description": "Kyle Lefton, Larry Cashdollar, Aline Eliovich. (2024, August 28). Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day. Retrieved September 5, 2024.", + "meta": { + "date_accessed": "2024-09-05T00:00:00Z", + "date_published": "2024-08-28T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt" + ], + "source": "Tidal Cyber", + "title": "Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day" + }, + "related": [], + "uuid": "140284f8-075c-4225-99dd-519ba5cebabe", + "value": "Akamai Corona Zero-Day August 28 2024" + }, { "description": "Mathanraj Thangaraju, Sijo Jacob. (2023, July 26). Beyond File Search: A Novel Method for Exploiting the \"search-ms\" URI Protocol Handler. Retrieved March 15, 2024.", "meta": { @@ -8574,21 +8622,6 @@ "uuid": "e90b4941-5dff-4f38-b4dd-af3426fd621e", "value": "GitHub Bloodhound" }, - { - "description": "Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.", - "meta": { - "date_accessed": "2019-10-23T00:00:00Z", - "date_published": "2018-05-11T00:00:00Z", - "refs": [ - "https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1" - ], - "source": "MITRE", - "title": "Blue Cloud of Death: Red Teaming Azure" - }, - "related": [], - "uuid": "0c764280-9d8c-4fa4-9088-170f02550d4c", - "value": "Blue Cloud of Death" - }, { "description": "Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.", "meta": { @@ -8604,6 +8637,21 @@ "uuid": "39b0adf6-c71e-4501-b8bb-fab82718486b", "value": "Blue Cloud of Death Video" }, + { + "description": "Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.", + "meta": { + "date_accessed": "2019-10-23T00:00:00Z", + "date_published": "2018-05-11T00:00:00Z", + "refs": [ + "https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1" + ], + "source": "MITRE", + "title": "Blue Cloud of Death: Red Teaming Azure" + }, + "related": [], + "uuid": "0c764280-9d8c-4fa4-9088-170f02550d4c", + "value": "Blue Cloud of Death" + }, { "description": "SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.", "meta": { @@ -8932,21 +8980,6 @@ "uuid": "60fac434-2815-4568-b951-4bde55c2e3af", "value": "PaloAlto Preventing Opportunistic Attacks Apr 2016" }, - { - "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021.", - "meta": { - "date_accessed": "2021-10-08T00:00:00Z", - "date_published": "2018-06-18T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique" - ], - "source": "MITRE", - "title": "Bring Your Own Land (BYOL) – A Novel Red Teaming Technique" - }, - "related": [], - "uuid": "104a1c1c-0899-4ff9-a5c4-73de702c467d", - "value": "Mandiant BYOL 2018" - }, { "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021.", "meta": { @@ -8962,6 +8995,21 @@ "uuid": "445efe8b-659a-4023-afc7-aa7cd21ee5a1", "value": "Mandiant BYOL" }, + { + "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021.", + "meta": { + "date_accessed": "2021-10-08T00:00:00Z", + "date_published": "2018-06-18T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique" + ], + "source": "MITRE", + "title": "Bring Your Own Land (BYOL) – A Novel Red Teaming Technique" + }, + "related": [], + "uuid": "104a1c1c-0899-4ff9-a5c4-73de702c467d", + "value": "Mandiant BYOL 2018" + }, { "description": "Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020.", "meta": { @@ -9579,21 +9627,6 @@ "uuid": "74df644a-06b8-4331-85a3-932358d65b62", "value": "Hybrid Analysis Icacls1 June 2018" }, - { - "description": "Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.", - "meta": { - "date_accessed": "2020-11-24T00:00:00Z", - "date_published": "2016-08-31T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store" - ], - "source": "MITRE", - "title": "Cached and Stored Credentials Technical Overview" - }, - "related": [], - "uuid": "c949a29b-bb31-4bd7-a967-ddd48c7efb8e", - "value": "Microsoft Credential Manager store" - }, { "description": "Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.", "meta": { @@ -9609,6 +9642,21 @@ "uuid": "590ea63f-f800-47e4-8d39-df11a184ba84", "value": "Microsoft - Cached Creds" }, + { + "description": "Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.", + "meta": { + "date_accessed": "2020-11-24T00:00:00Z", + "date_published": "2016-08-31T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store" + ], + "source": "MITRE", + "title": "Cached and Stored Credentials Technical Overview" + }, + "related": [], + "uuid": "c949a29b-bb31-4bd7-a967-ddd48c7efb8e", + "value": "Microsoft Credential Manager store" + }, { "description": "Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.", "meta": { @@ -9670,6 +9718,21 @@ "uuid": "7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b", "value": "Cadet Blizzard emerges as novel threat actor" }, + { + "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.", + "meta": { + "date_accessed": "2022-05-27T00:00:00Z", + "date_published": "2022-04-06T00:00:00Z", + "refs": [ + "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/" + ], + "source": "MITRE", + "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda" + }, + "related": [], + "uuid": "584e7ace-ef33-423b-9801-4728a447cb34", + "value": "Cado Security Denonia" + }, { "description": "jbowen. (2022, April 3). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved April 11, 2024.", "meta": { @@ -9686,21 +9749,6 @@ "uuid": "b276c28d-1488-4a21-86d1-7acdfd77794b", "value": "Cado Denonia April 3 2022" }, - { - "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.", - "meta": { - "date_accessed": "2022-05-27T00:00:00Z", - "date_published": "2022-04-06T00:00:00Z", - "refs": [ - "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/" - ], - "source": "MITRE", - "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda" - }, - "related": [], - "uuid": "584e7ace-ef33-423b-9801-4728a447cb34", - "value": "Cado Security Denonia" - }, { "description": "William Turton. (2023, September 13). Caesars Entertainment Paid Millions to Hackers in Attack. Retrieved September 14, 2023.", "meta": { @@ -10681,6 +10729,22 @@ "uuid": "e3949201-c949-4126-9e02-34bfad4713c0", "value": "The Hacker News Velvet Ant Cisco July 2 2024" }, + { + "description": "Bill Toulas. (2024, September 9). Chinese hackers use new data theft malware in govt attacks. Retrieved September 13, 2024.", + "meta": { + "date_accessed": "2024-09-13T00:00:00Z", + "date_published": "2024-09-09T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-data-theft-malware-in-govt-attacks/" + ], + "source": "Tidal Cyber", + "title": "Chinese hackers use new data theft malware in govt attacks" + }, + "related": [], + "uuid": "40774c9c-daca-4ea0-a504-ca73b11e4f29", + "value": "BleepingComputer Mustang Panda September 9 2024" + }, { "description": "Catalin Cimpanu. (2021, July 20). Chinese hacking group APT31 uses mesh of home routers to disguise attacks. Retrieved April 25, 2024.", "meta": { @@ -10817,6 +10881,22 @@ "uuid": "b019406c-6e39-41a2-a8b4-97f8d6482147", "value": "Azure AD Hybrid Identity" }, + { + "description": "Aedan Russell. (2022, May 25). ChromeLoader a pushy malvertiser. Retrieved September 26, 2024.", + "meta": { + "date_accessed": "2024-09-26T00:00:00Z", + "date_published": "2022-05-25T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://redcanary.com/blog/threat-detection/chromeloader/" + ], + "source": "Tidal Cyber", + "title": "ChromeLoader a pushy malvertiser" + }, + "related": [], + "uuid": "bffc87ac-e51b-47e3-8a9f-547e762e95c2", + "value": "Red Canary May 25 2022" + }, { "description": "Huntress. (n.d.). Retrieved March 14, 2024.", "meta": { @@ -10831,6 +10911,38 @@ "uuid": "c1b2d0e9-2396-5080-aea3-58a99c027d20", "value": "Chrome Remote Desktop" }, + { + "description": "Simon Hertzberg. (2024, August 30). Cicada 3301 - Ransomware-as-a-Service - Technical Analysis. Retrieved September 4, 2024.", + "meta": { + "date_accessed": "2024-09-04T00:00:00Z", + "date_published": "2024-08-30T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.truesec.com/hub/blog/dissecting-the-cicada" + ], + "source": "Tidal Cyber", + "title": "Cicada 3301 - Ransomware-as-a-Service - Technical Analysis" + }, + "related": [], + "uuid": "de2de0a9-17d2-41c2-838b-7850762b80ae", + "value": "Truesec AB August 30 2024" + }, + { + "description": "Sergiu Gatlan. (2024, September 20). CISA warns of Windows flaw used in infostealer malware attacks. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2024-09-20T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-flaw-used-in-infostealer-malware-attacks/" + ], + "source": "Tidal Cyber", + "title": "CISA warns of Windows flaw used in infostealer malware attacks" + }, + "related": [], + "uuid": "2c9a2355-02c5-4718-ad6e-b2fac9ad4096", + "value": "BleepingComputer Void Banshee September 16 2024" + }, { "description": "Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022.", "meta": { @@ -11260,20 +11372,6 @@ "uuid": "75b89502-21ed-4920-95cc-212eaf17f281", "value": "CL_Mutexverifiers.ps1 - LOLBAS Project" }, - { - "description": "Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.", - "meta": { - "date_accessed": "2021-05-11T00:00:00Z", - "refs": [ - "https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware" - ], - "source": "MITRE", - "title": "Clop Ransomware" - }, - "related": [], - "uuid": "f54d682d-100e-41bb-96be-6a79ea422066", - "value": "Cybereason Clop Dec 2020" - }, { "description": "Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.", "meta": { @@ -11289,6 +11387,20 @@ "uuid": "458141bd-7dd2-41fd-82e8-7ea2e4a477ab", "value": "Mcafee Clop Aug 2019" }, + { + "description": "Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.", + "meta": { + "date_accessed": "2021-05-11T00:00:00Z", + "refs": [ + "https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware" + ], + "source": "MITRE", + "title": "Clop Ransomware" + }, + "related": [], + "uuid": "f54d682d-100e-41bb-96be-6a79ea422066", + "value": "Cybereason Clop Dec 2020" + }, { "description": "Sergiu Gatlan. (2023, February 10). Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day. Retrieved May 8, 2023.", "meta": { @@ -12325,21 +12437,6 @@ "uuid": "ccd0d241-4ff7-4a15-b2b4-06945980c6bf", "value": "Windows RDP Sessions" }, - { - "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.", - "meta": { - "date_accessed": "2015-06-24T00:00:00Z", - "date_published": "2013-07-31T00:00:00Z", - "refs": [ - "https://technet.microsoft.com/en-us/library/dn408187.aspx" - ], - "source": "MITRE", - "title": "Configuring Additional LSA Protection" - }, - "related": [], - "uuid": "4adfc72b-cd32-46a6-bdf4-a4c2c6cffa73", - "value": "Microsoft Configure LSA" - }, { "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.", "meta": { @@ -12370,6 +12467,21 @@ "uuid": "da3f1d7d-188f-4500-9bc6-3299ba043b5c", "value": "Microsoft LSA Protection Mar 2014" }, + { + "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.", + "meta": { + "date_accessed": "2015-06-24T00:00:00Z", + "date_published": "2013-07-31T00:00:00Z", + "refs": [ + "https://technet.microsoft.com/en-us/library/dn408187.aspx" + ], + "source": "MITRE", + "title": "Configuring Additional LSA Protection" + }, + "related": [], + "uuid": "4adfc72b-cd32-46a6-bdf4-a4c2c6cffa73", + "value": "Microsoft Configure LSA" + }, { "description": "Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.", "meta": { @@ -12878,6 +12990,22 @@ "uuid": "96ce4324-57d2-422b-8403-f5d4f3ce410c", "value": "Palo Alto ARP" }, + { + "description": "Jakub Souček. (2024, September 10). CosmicBeetle steps up: Probation period at RansomHub. Retrieved September 13, 2024.", + "meta": { + "date_accessed": "2024-09-13T00:00:00Z", + "date_published": "2024-09-10T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/" + ], + "source": "Tidal Cyber", + "title": "CosmicBeetle steps up: Probation period at RansomHub" + }, + "related": [], + "uuid": "8debba29-4d6d-41d2-8772-f97c7d49056b", + "value": "WeLiveSecurity CosmicBeetle September 10 2024" + }, { "description": "F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.", "meta": { @@ -13519,21 +13647,6 @@ "uuid": "51e67e37-2d61-4228-999b-bec6f80cf106", "value": "Bishop Fox Sliver Framework August 2019" }, - { - "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.", - "meta": { - "date_accessed": "2024-02-15T00:00:00Z", - "date_published": "2023-08-31T00:00:00Z", - "refs": [ - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" - ], - "source": "MITRE", - "title": "Cross-Tenant Impersonation: Prevention and Detection" - }, - "related": [], - "uuid": "d54188b5-86eb-52a0-8384-823c45431762", - "value": "Okta Cross-Tenant Impersonation 2023" - }, { "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024.", "meta": { @@ -13549,6 +13662,21 @@ "uuid": "77dbd22f-ce57-50f7-9c6b-8dc874a4d80d", "value": "Okta Cross-Tenant Impersonation" }, + { + "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.", + "meta": { + "date_accessed": "2024-02-15T00:00:00Z", + "date_published": "2023-08-31T00:00:00Z", + "refs": [ + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" + ], + "source": "MITRE", + "title": "Cross-Tenant Impersonation: Prevention and Detection" + }, + "related": [], + "uuid": "d54188b5-86eb-52a0-8384-823c45431762", + "value": "Okta Cross-Tenant Impersonation 2023" + }, { "description": "Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017.", "meta": { @@ -13830,21 +13958,6 @@ "uuid": "be233077-7bb4-48be-aecf-03258931527d", "value": "Microsoft Subkey" }, - { - "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.", - "meta": { - "date_accessed": "2020-12-30T00:00:00Z", - "date_published": "2020-12-13T00:00:00Z", - "refs": [ - "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" - ], - "source": "MITRE", - "title": "Customer Guidance on Recent Nation-State Cyber Attacks" - }, - "related": [], - "uuid": "47031992-841f-4ef4-87c6-bb4c077fb8dc", - "value": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks" - }, { "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.", "meta": { @@ -13860,6 +13973,21 @@ "uuid": "b486ae40-a854-4998-bf1b-aaf6ea2047ed", "value": "Microsoft SolarWinds Customer Guidance" }, + { + "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.", + "meta": { + "date_accessed": "2020-12-30T00:00:00Z", + "date_published": "2020-12-13T00:00:00Z", + "refs": [ + "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" + ], + "source": "MITRE", + "title": "Customer Guidance on Recent Nation-State Cyber Attacks" + }, + "related": [], + "uuid": "47031992-841f-4ef4-87c6-bb4c077fb8dc", + "value": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks" + }, { "description": "Apple. (2016, September 13). Customizing Login and Logout. Retrieved April 1, 2022.", "meta": { @@ -15130,6 +15258,22 @@ "uuid": "4476aa0a-b1ef-4ac6-9e44-5721a0b3e92b", "value": "Nccgroup Gh0st April 2018" }, + { + "description": "Michael Gorelik. (2024, September 3). Decoding the Puzzle Cicada3301 Ransomware Threat Analysis. Retrieved September 5, 2024.", + "meta": { + "date_accessed": "2024-09-05T00:00:00Z", + "date_published": "2024-09-03T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blog.morphisec.com/cicada3301-ransomware-threat-analysis" + ], + "source": "Tidal Cyber", + "title": "Decoding the Puzzle Cicada3301 Ransomware Threat Analysis" + }, + "related": [], + "uuid": "90549699-8815-45e8-820c-4f5a7fc584b8", + "value": "Morphisec September 3 2024" + }, { "description": "Segura, J. (2017, October 13). Decoy Microsoft Word document delivers malware through a RAT. Retrieved July 21, 2018.", "meta": { @@ -15671,6 +15815,22 @@ "uuid": "86053c5a-f2dd-4eb3-9dc2-6a6a4e1c2ae5", "value": "Apple Kernel Extension Deprecation" }, + { + "description": "Black Lotus Labs. (2024, September 18). Derailing the Raptor Train. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2024-09-18T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blog.lumen.com/derailing-the-raptor-train/" + ], + "source": "Tidal Cyber", + "title": "Derailing the Raptor Train" + }, + "related": [], + "uuid": "21e26577-887b-4b8c-a3f8-4ab8868bed69", + "value": "Black Lotus Raptor Train September 18 2024" + }, { "description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.", "meta": { @@ -16328,6 +16488,22 @@ "uuid": "91efc6bf-e15c-514a-96c1-e838268d222f", "value": "Microsoft Royal ransomware November 2022" }, + { + "description": "Microsoft Threat Intelligence. (2022, October 25). DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2022-10-25T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/" + ], + "source": "Tidal Cyber", + "title": "DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector" + }, + "related": [], + "uuid": "5b667611-649d-44d5-86e0-a79527608b3c", + "value": "MSTIC DEV-0832 October 25 2022" + }, { "description": "Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS Forensics. Retrieved October 21, 2020.", "meta": { @@ -17237,21 +17413,6 @@ "uuid": "a1b987cc-7789-411c-9673-3cf6357b207c", "value": "ASERT Donot March 2018" }, - { - "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.", - "meta": { - "date_accessed": "2024-01-17T00:00:00Z", - "date_published": "2023-05-22T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" - ], - "source": "MITRE", - "title": "Don't @ Me: URL Obfuscation Through Schema Abuse" - }, - "related": [], - "uuid": "d5ed4c98-6d37-5000-bba0-9aada295a50c", - "value": "mandiant-masking" - }, { "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved February 13, 2024.", "meta": { @@ -17282,6 +17443,21 @@ "uuid": "b63f5934-2ace-5326-89be-7a850469a563", "value": "Mandiant URL Obfuscation 2023" }, + { + "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.", + "meta": { + "date_accessed": "2024-01-17T00:00:00Z", + "date_published": "2023-05-22T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" + ], + "source": "MITRE", + "title": "Don't @ Me: URL Obfuscation Through Schema Abuse" + }, + "related": [], + "uuid": "d5ed4c98-6d37-5000-bba0-9aada295a50c", + "value": "mandiant-masking" + }, { "description": "TheWover. (2019, May 9). donut. Retrieved March 25, 2022.", "meta": { @@ -17478,21 +17654,6 @@ "uuid": "9514c5cd-2ed6-4dbf-aa9e-1c425e969226", "value": "Symantec Dragonfly" }, - { - "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.", - "meta": { - "date_accessed": "2022-04-19T00:00:00Z", - "date_published": "2017-10-07T00:00:00Z", - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" - ], - "source": "MITRE", - "title": "Dragonfly: Western energy sector targeted by sophisticated attack group" - }, - "related": [], - "uuid": "a0439d4a-a3ea-4be5-9a01-f223ca259681", - "value": "Symantec Dragonfly 2.0 October 2017" - }, { "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", "meta": { @@ -17508,6 +17669,21 @@ "uuid": "11bbeafc-ed5d-4d2b-9795-a0a9544fb64e", "value": "Symantec Dragonfly Sept 2017" }, + { + "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.", + "meta": { + "date_accessed": "2022-04-19T00:00:00Z", + "date_published": "2017-10-07T00:00:00Z", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" + ], + "source": "MITRE", + "title": "Dragonfly: Western energy sector targeted by sophisticated attack group" + }, + "related": [], + "uuid": "a0439d4a-a3ea-4be5-9a01-f223ca259681", + "value": "Symantec Dragonfly 2.0 October 2017" + }, { "description": "Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.", "meta": { @@ -17985,20 +18161,6 @@ "uuid": "7b1f945b-2547-4bc6-98bf-30248bdf3587", "value": "Microsoft Dynamic Link Library Search Order" }, - { - "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.", - "meta": { - "date_accessed": "2017-11-27T00:00:00Z", - "refs": [ - "https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx" - ], - "source": "MITRE", - "title": "Dynamic-Link Library Security" - }, - "related": [], - "uuid": "584490c7-b155-4f62-b68d-a5a2a1799e60", - "value": "Microsoft DLL Security" - }, { "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.", "meta": { @@ -18013,6 +18175,20 @@ "uuid": "e087442a-0a53-4cc8-9fd6-772cbd0295d5", "value": "Microsoft Dynamic-Link Library Security" }, + { + "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.", + "meta": { + "date_accessed": "2017-11-27T00:00:00Z", + "refs": [ + "https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx" + ], + "source": "MITRE", + "title": "Dynamic-Link Library Security" + }, + "related": [], + "uuid": "584490c7-b155-4f62-b68d-a5a2a1799e60", + "value": "Microsoft DLL Security" + }, { "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.", "meta": { @@ -18072,6 +18248,22 @@ "uuid": "149c1446-d6a1-4a63-9420-def9272d6cb9", "value": "CrowdStrike StellarParticle January 2022" }, + { + "description": "Lenart Bermejo; Sunny Lu; Ted Lee Read time. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved September 10, 2024.", + "meta": { + "date_accessed": "2024-09-10T00:00:00Z", + "date_published": "2024-09-09T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html" + ], + "source": "Tidal Cyber", + "title": "Earth Preta Evolves its Attacks with New Malware and Strategies" + }, + "related": [], + "uuid": "0fdc9ee2-5be2-43e0-afb9-c9a94fde3867", + "value": "Trend Micro September 9 2024" + }, { "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.", "meta": { @@ -18892,6 +19084,21 @@ "uuid": "ad3eda19-08eb-4d59-a2c9-3b5ed8302205", "value": "Google Ensuring Your Information is Safe" }, + { + "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.", + "meta": { + "date_accessed": "2024-02-09T00:00:00Z", + "date_published": "2018-11-13T00:00:00Z", + "refs": [ + "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" + ], + "source": "MITRE", + "title": "Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign" + }, + "related": [], + "uuid": "31796564-4154-54c0-958a-7d6802dfefad", + "value": "Ensilo Darkgate 2018" + }, { "description": "Fortinet Blog. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved October 20, 2023.", "meta": { @@ -18908,21 +19115,6 @@ "uuid": "1b9b5c48-d504-4c73-aedc-37e935c47f17", "value": "Fortinet Blog November 13 2018" }, - { - "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.", - "meta": { - "date_accessed": "2024-02-09T00:00:00Z", - "date_published": "2018-11-13T00:00:00Z", - "refs": [ - "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" - ], - "source": "MITRE", - "title": "Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign" - }, - "related": [], - "uuid": "31796564-4154-54c0-958a-7d6802dfefad", - "value": "Ensilo Darkgate 2018" - }, { "description": "Splunk Threat Research Team. (2024, January 17). Enter The Gates: An Analysis of the DarkGate AutoIt Loader. Retrieved March 29, 2024.", "meta": { @@ -19100,6 +19292,22 @@ "uuid": "691b4907-3544-4ad0-989c-b5c845e0330f", "value": "LOLBAS Esentutl" }, + { + "description": "ESET Research. (2024, May 14). ESET APT Activity Report Q4 2023-Q1 2024. Retrieved September 1, 2024.", + "meta": { + "date_accessed": "2024-09-01T00:00:00Z", + "date_published": "2024-05-14T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2023-q1-2024.pdf" + ], + "source": "Tidal Cyber", + "title": "ESET APT Activity Report Q4 2023-Q1 2024" + }, + "related": [], + "uuid": "896cc899-b667-4f9d-ba90-8650fb978535", + "value": "ESET APT Activity Report Q4 2023-Q1 2024" + }, { "description": "Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.", "meta": { @@ -20155,21 +20363,6 @@ "uuid": "186c1213-d0c5-4eb6-aa0f-0fd61b07a1f7", "value": "ThreatPost Social Media Phishing" }, - { - "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.", - "meta": { - "date_accessed": "2022-09-30T00:00:00Z", - "date_published": "2021-01-11T00:00:00Z", - "refs": [ - "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" - ], - "source": "MITRE", - "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts" - }, - "related": [], - "uuid": "785f7692-2be8-4f5d-921e-51efdfe0c0b9", - "value": "Sentinel Labs" - }, { "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.", "meta": { @@ -20185,6 +20378,21 @@ "uuid": "34dc9010-e800-420c-ace4-4f426c915d2f", "value": "SentinelLabs reversing run-only applescripts 2021" }, + { + "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.", + "meta": { + "date_accessed": "2022-09-30T00:00:00Z", + "date_published": "2021-01-11T00:00:00Z", + "refs": [ + "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" + ], + "source": "MITRE", + "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts" + }, + "related": [], + "uuid": "785f7692-2be8-4f5d-921e-51efdfe0c0b9", + "value": "Sentinel Labs" + }, { "description": "Bill Toulas. (2024, June 17). Fake Google Chrome errors trick you into running malicious PowerShell scripts. Retrieved June 20, 2024.", "meta": { @@ -20774,21 +20982,6 @@ "uuid": "6ee27fdb-1753-4fdf-af72-3295b072ff10", "value": "FireEye FIN7 April 2017" }, - { - "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.", - "meta": { - "date_accessed": "2022-04-05T00:00:00Z", - "date_published": "2022-04-04T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/evolution-of-fin7" - ], - "source": "MITRE", - "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7" - }, - "related": [], - "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570", - "value": "Mandiant FIN7 Apr 2022" - }, { "description": "Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved May 25, 2023.", "meta": { @@ -20805,6 +20998,21 @@ "uuid": "fbc3ea90-d3d4-440e-964d-6cd2e991df0c", "value": "Mandiant FIN7 April 4 2022" }, + { + "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.", + "meta": { + "date_accessed": "2022-04-05T00:00:00Z", + "date_published": "2022-04-04T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/evolution-of-fin7" + ], + "source": "MITRE", + "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7" + }, + "related": [], + "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570", + "value": "Mandiant FIN7 Apr 2022" + }, { "description": "Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.", "meta": { @@ -21636,21 +21844,6 @@ "uuid": "02233ce3-abb2-4aed-95b8-56b65c68a665", "value": "Quick Heal Blog February 17 2023" }, - { - "description": "ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.", - "meta": { - "date_accessed": "2023-05-15T00:00:00Z", - "date_published": "2023-03-16T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem" - ], - "source": "MITRE", - "title": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation" - }, - "related": [], - "uuid": "a43dd8ce-23d6-5768-8522-6973dc45e1ac", - "value": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation" - }, { "description": "Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.", "meta": { @@ -21666,6 +21859,21 @@ "uuid": "7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7", "value": "Mandiant Fortinet Zero Day" }, + { + "description": "ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.", + "meta": { + "date_accessed": "2023-05-15T00:00:00Z", + "date_published": "2023-03-16T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem" + ], + "source": "MITRE", + "title": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation" + }, + "related": [], + "uuid": "a43dd8ce-23d6-5768-8522-6973dc45e1ac", + "value": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation" + }, { "description": "Apple. (n.d.). Foundation. Retrieved July 1, 2020.", "meta": { @@ -22845,6 +23053,21 @@ "uuid": "16d0dd05-763a-4503-aa88-c8867d8f202d", "value": "GitHub ohpe Juicy Potato" }, + { + "description": "outflanknl. (n.d.). GitHub outflanknl Dumpert. Retrieved September 5, 2024.", + "meta": { + "date_accessed": "2024-09-05T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://github.com/outflanknl/Dumpert" + ], + "source": "Tidal Cyber", + "title": "GitHub outflanknl Dumpert" + }, + "related": [], + "uuid": "ab375812-def9-4491-a69f-62755fb26910", + "value": "GitHub outflanknl Dumpert" + }, { "description": "Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js. Retrieved January 11, 2021.", "meta": { @@ -23067,6 +23290,21 @@ "uuid": "c2556bcf-9cc9-4f46-8a0f-8f8d801dfdbf", "value": "GitHub Terminator" }, + { + "description": "wavestone-cdt. (n.d.). GitHub wavestone-cdt EDRSandBlast. Retrieved September 5, 2024.", + "meta": { + "date_accessed": "2024-09-05T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://github.com/wavestone-cdt/EDRSandblast" + ], + "source": "Tidal Cyber", + "title": "GitHub wavestone-cdt EDRSandBlast" + }, + "related": [], + "uuid": "228dd3e1-1952-447c-a500-31663a2efe45", + "value": "GitHub wavestone-cdt EDRSandBlast" + }, { "description": "xmrig. (n.d.). GitHub xmrig-proxy. Retrieved October 25, 2023.", "meta": { @@ -24541,21 +24779,6 @@ "uuid": "95d6d1ce-ceba-48ee-88c4-0fb30058bd80", "value": "Specter Ops - Cloud Credential Storage" }, - { - "description": "Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.", - "meta": { - "date_accessed": "2021-01-20T00:00:00Z", - "date_published": "2019-09-23T00:00:00Z", - "refs": [ - "https://securelist.com/my-name-is-dtrack/93338/" - ], - "source": "MITRE", - "title": "Hello! My name is Dtrack" - }, - "related": [], - "uuid": "49bd8841-a4b5-4ced-adfa-0ad0c8625ccd", - "value": "Securelist Dtrack" - }, { "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.", "meta": { @@ -24572,19 +24795,19 @@ "value": "Securelist Dtrack2" }, { - "description": "Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.", + "description": "Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.", "meta": { - "date_accessed": "2014-12-04T00:00:00Z", - "date_published": "2012-11-08T00:00:00Z", + "date_accessed": "2021-01-20T00:00:00Z", + "date_published": "2019-09-23T00:00:00Z", "refs": [ - "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464" + "https://securelist.com/my-name-is-dtrack/93338/" ], "source": "MITRE", - "title": "Help eliminate unquoted path vulnerabilities" + "title": "Hello! My name is Dtrack" }, "related": [], - "uuid": "9b234329-5e05-4035-af38-dd8ab20fd68e", - "value": "Baggett 2012" + "uuid": "49bd8841-a4b5-4ced-adfa-0ad0c8625ccd", + "value": "Securelist Dtrack" }, { "description": "Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.", @@ -24601,6 +24824,21 @@ "uuid": "23ad5a8c-cbe1-4f40-8757-f1784a4003a1", "value": "Help eliminate unquoted path" }, + { + "description": "Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.", + "meta": { + "date_accessed": "2014-12-04T00:00:00Z", + "date_published": "2012-11-08T00:00:00Z", + "refs": [ + "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464" + ], + "source": "MITRE", + "title": "Help eliminate unquoted path vulnerabilities" + }, + "related": [], + "uuid": "9b234329-5e05-4035-af38-dd8ab20fd68e", + "value": "Baggett 2012" + }, { "description": "Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.", "meta": { @@ -24915,6 +25153,22 @@ "uuid": "647f6be8-fe95-4045-8778-f7d7ff00c96c", "value": "Synack Secure Kernel Extension Broken" }, + { + "description": "Britton Manahan. (2024, September 14). Highway Blobbery: Data Theft using Azure Storage Explorer. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2024-09-14T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.modepush.com/blog/highway-blobbery-data-theft-using-azure-storage-explorer" + ], + "source": "Tidal Cyber", + "title": "Highway Blobbery: Data Theft using Azure Storage Explorer" + }, + "related": [], + "uuid": "a4c50b03-f0d7-4d29-a9de-e550be61390c", + "value": "modePUSH Azure Storage Explorer September 14 2024" + }, { "description": "Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.", "meta": { @@ -24961,21 +25215,6 @@ "uuid": "f5e43446-04ea-4dcd-be3a-22f8b10b8aa1", "value": "Hive Ransomware Analysis | Kroll" }, - { - "description": "Microsoft. (2017, April 20). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved March 16, 2020.", - "meta": { - "date_accessed": "2020-03-16T00:00:00Z", - "date_published": "2017-04-20T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree" - ], - "source": "MITRE", - "title": "HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree" - }, - "related": [], - "uuid": "cb9b5391-773f-4b56-8c41-d4f548c7b835", - "value": "Microsoft CurrentControlSet Services" - }, { "description": "Microsoft. (2021, August 5). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved August 25, 2021.", "meta": { @@ -24991,6 +25230,21 @@ "uuid": "171cfdf1-d91c-4df3-831e-89b6237e3c8b", "value": "microsoft_services_registry_tree" }, + { + "description": "Microsoft. (2017, April 20). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved March 16, 2020.", + "meta": { + "date_accessed": "2020-03-16T00:00:00Z", + "date_published": "2017-04-20T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree" + ], + "source": "MITRE", + "title": "HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree" + }, + "related": [], + "uuid": "cb9b5391-773f-4b56-8c41-d4f548c7b835", + "value": "Microsoft CurrentControlSet Services" + }, { "description": "Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.", "meta": { @@ -27090,6 +27344,22 @@ "uuid": "f5367abc-e776-41a0-b8e5-6dc60079c081", "value": "Cisco Talos Q2 Trends July 26 2023" }, + { + "description": "SentinelOne. (2023, September 21). Inc. Ransom. Retrieved January 1, 2024.", + "meta": { + "date_accessed": "2024-01-01T00:00:00Z", + "date_published": "2023-09-21T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.sentinelone.com/anthology/inc-ransom/" + ], + "source": "Tidal Cyber", + "title": "Inc. Ransom" + }, + "related": [], + "uuid": "7e793738-c132-47bf-90aa-1f0659564d16", + "value": "SentinelOne September 21 2023" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, July 6). Increased Truebot Activity Infects U.S. and Canada Based Networks. Retrieved July 6, 2023.", "meta": { @@ -28374,6 +28644,20 @@ "uuid": "956b3d80-4e19-4cab-a65f-ad86f233aa12", "value": "GitHub Invoke-Obfuscation" }, + { + "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.", + "meta": { + "date_accessed": "2022-09-30T00:00:00Z", + "refs": [ + "https://github.com/peewpw/Invoke-PSImage" + ], + "source": "MITRE", + "title": "Invoke-PSImage" + }, + "related": [], + "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c", + "value": "GitHub PSImage" + }, { "description": "Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018.", "meta": { @@ -28389,20 +28673,6 @@ "uuid": "dd210b79-bd5f-4282-9542-4d1ae2f16438", "value": "GitHub Invoke-PSImage" }, - { - "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.", - "meta": { - "date_accessed": "2022-09-30T00:00:00Z", - "refs": [ - "https://github.com/peewpw/Invoke-PSImage" - ], - "source": "MITRE", - "title": "Invoke-PSImage" - }, - "related": [], - "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c", - "value": "GitHub PSImage" - }, { "description": "PowerShellMafia. (2016, December 14). Invoke-Shellcode. Retrieved May 25, 2023.", "meta": { @@ -29437,21 +29707,6 @@ "uuid": "26a554dc-39c0-4638-902d-7e84fe01b961", "value": "U.S. Justice Department GRU Botnet February 2024" }, - { - "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.", - "meta": { - "date_accessed": "2022-02-01T00:00:00Z", - "date_published": "2020-06-13T00:00:00Z", - "refs": [ - "https://o365blog.com/post/just-looking" - ], - "source": "MITRE", - "title": "Just looking: Azure Active Directory reconnaissance as an outsider" - }, - "related": [], - "uuid": "16565eaf-44fb-44f4-b490-40dc1160ff2b", - "value": "Azure AD Recon" - }, { "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.", "meta": { @@ -29467,6 +29722,21 @@ "uuid": "42dad2a3-5b33-4be4-a19b-58a27fb3ee5d", "value": "Azure Active Directory Reconnaisance" }, + { + "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.", + "meta": { + "date_accessed": "2022-02-01T00:00:00Z", + "date_published": "2020-06-13T00:00:00Z", + "refs": [ + "https://o365blog.com/post/just-looking" + ], + "source": "MITRE", + "title": "Just looking: Azure Active Directory reconnaissance as an outsider" + }, + "related": [], + "uuid": "16565eaf-44fb-44f4-b490-40dc1160ff2b", + "value": "Azure AD Recon" + }, { "description": "Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.", "meta": { @@ -29497,21 +29767,6 @@ "uuid": "459fcde2-7ac3-4640-a5bc-cd8750e54962", "value": "Kali Redsnarf" }, - { - "description": "Hull, D. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.", - "meta": { - "date_accessed": "2019-10-10T00:00:00Z", - "date_published": "2014-05-03T00:00:00Z", - "refs": [ - "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html" - ], - "source": "MITRE", - "title": "Kansa: Service related collectors and analysis" - }, - "related": [], - "uuid": "58d5bc0b-8548-4c3a-8302-e07df3b961ff", - "value": "TrustedSignal Service Failure" - }, { "description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.", "meta": { @@ -29527,6 +29782,21 @@ "uuid": "d854f84a-4d70-4ef4-9197-d8f5396feabb", "value": "Kansa Service related collectors" }, + { + "description": "Hull, D. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.", + "meta": { + "date_accessed": "2019-10-10T00:00:00Z", + "date_published": "2014-05-03T00:00:00Z", + "refs": [ + "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html" + ], + "source": "MITRE", + "title": "Kansa: Service related collectors and analysis" + }, + "related": [], + "uuid": "58d5bc0b-8548-4c3a-8302-e07df3b961ff", + "value": "TrustedSignal Service Failure" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, December 12). Karakurt Data Extortion Group. Retrieved May 1, 2024.", "meta": { @@ -30608,8 +30878,8 @@ "title": "Lazarus KillDisks Central American casino" }, "related": [], - "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3", - "value": "ESET Lazarus KillDisk April 2018" + "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49", + "value": "Lazarus KillDisk" }, { "description": "Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.", @@ -30623,8 +30893,8 @@ "title": "Lazarus KillDisks Central American casino" }, "related": [], - "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49", - "value": "Lazarus KillDisk" + "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3", + "value": "ESET Lazarus KillDisk April 2018" }, { "description": "Dinesh Devadoss, Phil Stokes. (2022, September 26). Lazarus \"Operation In(ter)ception\" Targets macOS Users Dreaming of Jobs in Crypto. Retrieved March 8, 2024.", @@ -30672,21 +30942,6 @@ "uuid": "ba6a5fcc-9391-42c0-8b90-57b729525f41", "value": "Kaspersky ThreatNeedle Feb 2021" }, - { - "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.", - "meta": { - "date_accessed": "2018-10-03T00:00:00Z", - "date_published": "2017-04-03T00:00:00Z", - "refs": [ - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf" - ], - "source": "MITRE", - "title": "Lazarus Under the Hood" - }, - "related": [], - "uuid": "312b30b1-3bd6-46ea-8f77-504f442499bc", - "value": "Kaspersky Lazarus Under The Hood APR 2017" - }, { "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.", "meta": { @@ -30702,6 +30957,21 @@ "uuid": "a1e1ab6a-8db0-4593-95ec-78784607dfa0", "value": "Kaspersky Lazarus Under The Hood Blog 2017" }, + { + "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.", + "meta": { + "date_accessed": "2018-10-03T00:00:00Z", + "date_published": "2017-04-03T00:00:00Z", + "refs": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf" + ], + "source": "MITRE", + "title": "Lazarus Under the Hood" + }, + "related": [], + "uuid": "312b30b1-3bd6-46ea-8f77-504f442499bc", + "value": "Kaspersky Lazarus Under The Hood APR 2017" + }, { "description": "Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.", "meta": { @@ -32435,21 +32705,6 @@ "uuid": "80bb8646-1eb0-442a-aa51-ee3efaf75915", "value": "alientvault macspy" }, - { - "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.", - "meta": { - "date_accessed": "2021-03-18T00:00:00Z", - "date_published": "2020-07-07T00:00:00Z", - "refs": [ - "https://blog.malwarebytes.com/detections/osx-thiefquest/" - ], - "source": "MITRE", - "title": "Mac ThiefQuest malware may not be ransomware after all" - }, - "related": [], - "uuid": "b265ef93-c1fb-440d-a9e0-89cf25a3de05", - "value": "Reed thiefquest fake ransom" - }, { "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.", "meta": { @@ -32465,6 +32720,21 @@ "uuid": "47b49df4-34f1-4a89-9983-e8bc19aadf8c", "value": "reed thiefquest ransomware analysis" }, + { + "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.", + "meta": { + "date_accessed": "2021-03-18T00:00:00Z", + "date_published": "2020-07-07T00:00:00Z", + "refs": [ + "https://blog.malwarebytes.com/detections/osx-thiefquest/" + ], + "source": "MITRE", + "title": "Mac ThiefQuest malware may not be ransomware after all" + }, + "related": [], + "uuid": "b265ef93-c1fb-440d-a9e0-89cf25a3de05", + "value": "Reed thiefquest fake ransom" + }, { "description": "Jerome Segura. (2023, September 6). Mac users targeted in new malvertising campaign delivering Atomic Stealer. Retrieved April 19, 2024.", "meta": { @@ -33174,21 +33444,6 @@ "uuid": "9b52a72b-938a-5eb6-a3b7-5a925657f0a3", "value": "Malware Monday VBE" }, - { - "description": "Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.", - "meta": { - "date_accessed": "2018-04-06T00:00:00Z", - "date_published": "2015-04-01T00:00:00Z", - "refs": [ - "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf" - ], - "source": "MITRE", - "title": "Malware Persistence on OS X Yosemite" - }, - "related": [], - "uuid": "7e3f3dda-c407-4b06-a6b0-8b72c4dad6e6", - "value": "RSAC 2015 San Francisco Patrick Wardle" - }, { "description": "Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.", "meta": { @@ -33204,6 +33459,21 @@ "uuid": "d4e3b066-c439-4284-ba28-3b8bd8ec270e", "value": "Malware Persistence on OS X" }, + { + "description": "Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.", + "meta": { + "date_accessed": "2018-04-06T00:00:00Z", + "date_published": "2015-04-01T00:00:00Z", + "refs": [ + "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf" + ], + "source": "MITRE", + "title": "Malware Persistence on OS X Yosemite" + }, + "related": [], + "uuid": "7e3f3dda-c407-4b06-a6b0-8b72c4dad6e6", + "value": "RSAC 2015 San Francisco Patrick Wardle" + }, { "description": "Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020.", "meta": { @@ -34198,20 +34468,6 @@ "uuid": "aa7393ad-0760-4f27-a068-17beba17bbe3", "value": "Secureworks NICKEL ACADEMY Dec 2017" }, - { - "description": "Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.", - "meta": { - "date_accessed": "2021-06-23T00:00:00Z", - "refs": [ - "https://www.cybereason.com/blog/medusalocker-ransomware" - ], - "source": "MITRE", - "title": "MedusaLocker Ransomware" - }, - "related": [], - "uuid": "f7b41120-8455-409f-ad9c-815c2c43edfd", - "value": "Cybereason Nocturnus MedusaLocker 2020" - }, { "description": "Health Sector Cybersecurity Coordination Center (HC3). (2023, February 24). MedusaLocker Ransomware. Retrieved August 11, 2023.", "meta": { @@ -34228,6 +34484,20 @@ "uuid": "49e314d6-5324-41e0-8bee-2b3e08d5e12f", "value": "HC3 Analyst Note MedusaLocker Ransomware February 2023" }, + { + "description": "Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.", + "meta": { + "date_accessed": "2021-06-23T00:00:00Z", + "refs": [ + "https://www.cybereason.com/blog/medusalocker-ransomware" + ], + "source": "MITRE", + "title": "MedusaLocker Ransomware" + }, + "related": [], + "uuid": "f7b41120-8455-409f-ad9c-815c2c43edfd", + "value": "Cybereason Nocturnus MedusaLocker 2020" + }, { "description": "Lawrence Abrams. (2023, March 12). Medusa ransomware gang picks up steam as it targets companies worldwide. Retrieved September 14, 2023.", "meta": { @@ -34695,21 +34965,6 @@ "uuid": "f9daf15d-61ea-4cfa-a4e8-9d33d1acd28f", "value": "Microsoft HTML Help May 2018" }, - { - "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.", - "meta": { - "date_accessed": "2019-10-04T00:00:00Z", - "date_published": "2019-08-27T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens" - ], - "source": "MITRE", - "title": "Microsoft identity platform access tokens" - }, - "related": [], - "uuid": "a39d976e-9b52-48f3-b5db-0ffd84ecd338", - "value": "Microsoft Identity Platform Access 2019" - }, { "description": "Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019.", "meta": { @@ -34725,6 +34980,21 @@ "uuid": "44767d53-8cd7-44dd-a69d-8a7bebc1d87d", "value": "Microsoft - Azure AD Identity Tokens - Aug 2019" }, + { + "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.", + "meta": { + "date_accessed": "2019-10-04T00:00:00Z", + "date_published": "2019-08-27T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens" + ], + "source": "MITRE", + "title": "Microsoft identity platform access tokens" + }, + "related": [], + "uuid": "a39d976e-9b52-48f3-b5db-0ffd84ecd338", + "value": "Microsoft Identity Platform Access 2019" + }, { "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.", "meta": { @@ -34886,21 +35156,6 @@ "uuid": "86955cd2-5980-44ba-aa7b-4b9f8e347730", "value": "Microsoft WDAC" }, - { - "description": "Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.", - "meta": { - "date_accessed": "2022-04-07T00:00:00Z", - "date_published": "2022-03-29T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "source": "MITRE", - "title": "Microsoft recommended driver block rules" - }, - "related": [], - "uuid": "9bb5c330-56bd-47e7-8414-729d8e6cb3b3", - "value": "Microsoft driver block rules - Duplicate" - }, { "description": "Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.", "meta": { @@ -34916,6 +35171,21 @@ "uuid": "2ad8414a-4490-4896-8266-556b8bdbb77f", "value": "Microsoft Driver Block Rules" }, + { + "description": "Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.", + "meta": { + "date_accessed": "2022-04-07T00:00:00Z", + "date_published": "2022-03-29T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "source": "MITRE", + "title": "Microsoft recommended driver block rules" + }, + "related": [], + "uuid": "9bb5c330-56bd-47e7-8414-729d8e6cb3b3", + "value": "Microsoft driver block rules - Duplicate" + }, { "description": "Microsoft. (n.d.). Retrieved January 24, 2020.", "meta": { @@ -35082,6 +35352,22 @@ "uuid": "0e7ea8d0-bdb8-48a6-9718-703f64d16460", "value": "Microsoft Threat Intelligence LinkedIn July 15 2024" }, + { + "description": "Microsoft Threat Intelligence. (2024, September 18). Microsoft Threat Intelligence LinkedIn Vanilla Tempest. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2024-09-18T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.linkedin.com/feed/update/urn:li:activity:7242222140853264385/" + ], + "source": "Tidal Cyber", + "title": "Microsoft Threat Intelligence LinkedIn Vanilla Tempest" + }, + "related": [], + "uuid": "24c11dff-21df-4ce9-b3df-2e0a886339ff", + "value": "MSTIC Vanilla Tempest September 18 2024" + }, { "description": "MsftSecIntel. (2023, May 26). Microsoft Threat Intelligence Tweet April 26 2023. Retrieved June 16, 2023.", "meta": { @@ -35357,21 +35643,6 @@ "uuid": "2a01a70c-28a8-444e-95a7-00a568d51ce6", "value": "Harmj0y DCSync Sept 2015" }, - { - "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.", - "meta": { - "date_accessed": "2017-12-04T00:00:00Z", - "date_published": "2015-09-25T00:00:00Z", - "refs": [ - "https://adsecurity.org/?p=1729" - ], - "source": "MITRE", - "title": "Mimikatz DCSync Usage, Exploitation, and Detection" - }, - "related": [], - "uuid": "856ed70b-29b0-4f56-b5ae-a98981a22eaf", - "value": "AdSecurity DCSync Sept 2015" - }, { "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.", "meta": { @@ -35387,6 +35658,21 @@ "uuid": "61b0bb42-2ed6-413d-b331-0a84df12a87d", "value": "ADSecurity Mimikatz DCSync" }, + { + "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.", + "meta": { + "date_accessed": "2017-12-04T00:00:00Z", + "date_published": "2015-09-25T00:00:00Z", + "refs": [ + "https://adsecurity.org/?p=1729" + ], + "source": "MITRE", + "title": "Mimikatz DCSync Usage, Exploitation, and Detection" + }, + "related": [], + "uuid": "856ed70b-29b0-4f56-b5ae-a98981a22eaf", + "value": "AdSecurity DCSync Sept 2015" + }, { "description": "Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019.", "meta": { @@ -35507,21 +35793,6 @@ "uuid": "0110500c-bf67-43a5-97cb-16eb6c01040b", "value": "APT15 Intezer June 2018" }, - { - "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.", - "meta": { - "date_accessed": "2024-03-13T00:00:00Z", - "date_published": "2019-11-19T00:00:00Z", - "refs": [ - "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" - ], - "source": "MITRE", - "title": "Mispadu: Advertisement for a discounted Unhappy Meal" - }, - "related": [], - "uuid": "e1b945f4-20e0-5b69-8fd7-f05afce8c0ba", - "value": "ESET Security Mispadu Facebook Ads 2019" - }, { "description": "ESET Research. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved April 4, 2024.", "meta": { @@ -35538,6 +35809,21 @@ "uuid": "a27753c1-2f7a-40c4-9e28-a37265bce28c", "value": "ESET Mispadu November 2019" }, + { + "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.", + "meta": { + "date_accessed": "2024-03-13T00:00:00Z", + "date_published": "2019-11-19T00:00:00Z", + "refs": [ + "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" + ], + "source": "MITRE", + "title": "Mispadu: Advertisement for a discounted Unhappy Meal" + }, + "related": [], + "uuid": "e1b945f4-20e0-5b69-8fd7-f05afce8c0ba", + "value": "ESET Security Mispadu Facebook Ads 2019" + }, { "description": "Duarte, H., Morrison, B. (2012). (Mis)trusting and (ab)using ssh. Retrieved January 8, 2018.", "meta": { @@ -35938,6 +36224,22 @@ "uuid": "ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e", "value": "Forcepoint Monsoon" }, + { + "description": "Nathaniel Morales; Joshua Paul Ignacio Read time. (2023, August 14). Monti Ransomware Unleashes a New Encryptor for Linux. Retrieved January 1, 2024.", + "meta": { + "date_accessed": "2024-01-01T00:00:00Z", + "date_published": "2023-08-14T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html" + ], + "source": "Tidal Cyber", + "title": "Monti Ransomware Unleashes a New Encryptor for Linux" + }, + "related": [], + "uuid": "12d2fbc5-f9cb-41b5-96a6-1cd100b5a173", + "value": "Trend Micro August 14 2023" + }, { "description": "Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks . Retrieved May 29, 2024.", "meta": { @@ -36194,21 +36496,6 @@ "uuid": "e208c277-e477-4123-8c3c-313d55cdc1ea", "value": "Volatility Detecting Hooks Sept 2012" }, - { - "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", - "meta": { - "date_accessed": "2017-03-10T00:00:00Z", - "date_published": "2012-11-20T00:00:00Z", - "refs": [ - "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/" - ], - "source": "MITRE", - "title": "Mozilla Foundation Security Advisory 2012-98" - }, - "related": [], - "uuid": "cd720550-a0b5-4d1d-85dd-98da97f45b62", - "value": "mozilla_sec_adv_2012" - }, { "description": "Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", "meta": { @@ -36224,6 +36511,21 @@ "uuid": "920d1607-154e-4c74-b1eb-0d8299be536f", "value": "Mozilla Firefox Installer DLL Hijack" }, + { + "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", + "meta": { + "date_accessed": "2017-03-10T00:00:00Z", + "date_published": "2012-11-20T00:00:00Z", + "refs": [ + "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/" + ], + "source": "MITRE", + "title": "Mozilla Foundation Security Advisory 2012-98" + }, + "related": [], + "uuid": "cd720550-a0b5-4d1d-85dd-98da97f45b62", + "value": "mozilla_sec_adv_2012" + }, { "description": "LOLBAS. (2020, March 20). MpCmdRun.exe. Retrieved December 4, 2023.", "meta": { @@ -37648,21 +37950,6 @@ "uuid": "5695d3a2-6b6c-433a-9254-d4a2e001a8be", "value": "Bleeping Computer Evil Corp mimics PayloadBin gang 2022" }, - { - "description": "Windows Defender Research. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved April 11, 2018.", - "meta": { - "date_accessed": "2018-04-11T00:00:00Z", - "date_published": "2016-03-22T00:00:00Z", - "refs": [ - "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/" - ], - "source": "MITRE", - "title": "New feature in Office 2016 can block macros and help prevent infection" - }, - "related": [], - "uuid": "4d0f4d0a-b812-42f8-a52c-a1f5c69e6337", - "value": "Microsoft Block Office Macros" - }, { "description": "Microsoft Malware Protection Center. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved July 3, 2017.", "meta": { @@ -37678,6 +37965,21 @@ "uuid": "f14f08c5-de51-4827-ba3a-f0598dfbe505", "value": "TechNet Office Macro Security" }, + { + "description": "Windows Defender Research. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved April 11, 2018.", + "meta": { + "date_accessed": "2018-04-11T00:00:00Z", + "date_published": "2016-03-22T00:00:00Z", + "refs": [ + "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/" + ], + "source": "MITRE", + "title": "New feature in Office 2016 can block macros and help prevent infection" + }, + "related": [], + "uuid": "4d0f4d0a-b812-42f8-a52c-a1f5c69e6337", + "value": "Microsoft Block Office Macros" + }, { "description": "Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.", "meta": { @@ -37782,21 +38084,6 @@ "uuid": "1641553f-96e7-4829-8c77-d96388dac5c7", "value": "Avast CCleaner3 2018" }, - { - "description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.", - "meta": { - "date_accessed": "2020-12-17T00:00:00Z", - "date_published": "2017-04-06T00:00:00Z", - "refs": [ - "https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/" - ], - "source": "MITRE", - "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet" - }, - "related": [], - "uuid": "95b5b03e-f160-47cf-920c-8f4f3d4114a3", - "value": "Tsunami" - }, { "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.", "meta": { @@ -37812,6 +38099,21 @@ "uuid": "489a6c57-f64c-423b-a7bd-169fa36c4cdf", "value": "amnesia malware" }, + { + "description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.", + "meta": { + "date_accessed": "2020-12-17T00:00:00Z", + "date_published": "2017-04-06T00:00:00Z", + "refs": [ + "https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/" + ], + "source": "MITRE", + "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet" + }, + "related": [], + "uuid": "95b5b03e-f160-47cf-920c-8f4f3d4114a3", + "value": "Tsunami" + }, { "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.", "meta": { @@ -37918,21 +38220,6 @@ "uuid": "b1540c5c-0bbc-4b9d-9185-fae224ba31be", "value": "Gallagher 2015" }, - { - "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.", - "meta": { - "date_accessed": "2017-12-18T00:00:00Z", - "date_published": "2017-11-28T00:00:00Z", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" - ], - "source": "MITRE", - "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection" - }, - "related": [], - "uuid": "9737055a-f583-448e-84d0-1d336c4da9a8", - "value": "FireEye TLS Nov 2017" - }, { "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.", "meta": { @@ -37948,6 +38235,21 @@ "uuid": "32c0b9d2-9f31-4e49-8b3a-c63ff4fffa47", "value": "FireEye Ursnif Nov 2017" }, + { + "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.", + "meta": { + "date_accessed": "2017-12-18T00:00:00Z", + "date_published": "2017-11-28T00:00:00Z", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" + ], + "source": "MITRE", + "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection" + }, + "related": [], + "uuid": "9737055a-f583-448e-84d0-1d336c4da9a8", + "value": "FireEye TLS Nov 2017" + }, { "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.", "meta": { @@ -38233,6 +38535,22 @@ "uuid": "2263af27-9c30-4bf6-a204-2f148ebdd17c", "value": "Unit 42 MechaFlounder March 2019" }, + { + "description": "Bill Cozens. (2024, September 9). New RansomHub attack uses TDSSKiller and LaZagne, disables EDR. Retrieved September 13, 2024.", + "meta": { + "date_accessed": "2024-09-13T00:00:00Z", + "date_published": "2024-09-09T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.threatdown.com/blog/new-ransomhub-attack-uses-tdskiller-and-lazagne-disables-edr/" + ], + "source": "Tidal Cyber", + "title": "New RansomHub attack uses TDSSKiller and LaZagne, disables EDR" + }, + "related": [], + "uuid": "34422e6e-0e79-48ba-a942-9816e9b4ee7c", + "value": "ThreatDown RansomHub September 9 2024" + }, { "description": "Chiu, A. (2016, June 27). New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.", "meta": { @@ -38578,21 +38896,6 @@ "uuid": "bc7755a0-5ee3-477b-b8d7-67174a59d0e2", "value": "Avira Mustang Panda January 2020" }, - { - "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.", - "meta": { - "date_accessed": "2016-08-17T00:00:00Z", - "date_published": "2016-05-24T00:00:00Z", - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" - ], - "source": "MITRE", - "title": "New Wekby Attacks Use DNS Requests As Command and Control Mechanism" - }, - "related": [], - "uuid": "4a946c3f-ee0a-4649-8104-2bd9d90ebd49", - "value": "Palo Alto DNS Requests" - }, { "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.", "meta": { @@ -38608,6 +38911,21 @@ "uuid": "6f08aa4e-c89f-4d3e-8f46-e856e21d2d50", "value": "PaloAlto DNS Requests May 2016" }, + { + "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.", + "meta": { + "date_accessed": "2016-08-17T00:00:00Z", + "date_published": "2016-05-24T00:00:00Z", + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" + ], + "source": "MITRE", + "title": "New Wekby Attacks Use DNS Requests As Command and Control Mechanism" + }, + "related": [], + "uuid": "4a946c3f-ee0a-4649-8104-2bd9d90ebd49", + "value": "Palo Alto DNS Requests" + }, { "description": "Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.", "meta": { @@ -38846,21 +39164,6 @@ "uuid": "65f1bbaa-8ad1-4ad5-b726-660558d27efc", "value": "Nmap: the Network Mapper" }, - { - "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.", - "meta": { - "date_accessed": "2022-03-25T00:00:00Z", - "date_published": "2021-10-25T00:00:00Z", - "refs": [ - "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" - ], - "source": "MITRE", - "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks" - }, - "related": [], - "uuid": "7b6cc308-9871-47e5-9039-a9a7e66ce373", - "value": "MSTIC Nobelium Oct 2021" - }, { "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022.", "meta": { @@ -38876,6 +39179,21 @@ "uuid": "aa315293-77a5-4ad9-b024-9af844edff9a", "value": "Microsoft Nobelium Admin Privileges" }, + { + "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.", + "meta": { + "date_accessed": "2022-03-25T00:00:00Z", + "date_published": "2021-10-25T00:00:00Z", + "refs": [ + "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" + ], + "source": "MITRE", + "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks" + }, + "related": [], + "uuid": "7b6cc308-9871-47e5-9039-a9a7e66ce373", + "value": "MSTIC Nobelium Oct 2021" + }, { "description": "Symantec Threat Hunter Team. (2022, September 22). Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics. Retrieved September 14, 2023.", "meta": { @@ -39025,6 +39343,22 @@ "uuid": "f8700002-5da6-4cb8-be62-34e421d2a573", "value": "Malwarebytes Pony April 2016" }, + { + "description": "Bill Toulas. (2024, September 10). NoName ransomware gang deploying RansomHub malware in recent attacks. Retrieved September 13, 2024.", + "meta": { + "date_accessed": "2024-09-13T00:00:00Z", + "date_published": "2024-09-10T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.bleepingcomputer.com/news/security/noname-ransomware-gang-deploying-ransomhub-malware-in-recent-attacks/" + ], + "source": "Tidal Cyber", + "title": "NoName ransomware gang deploying RansomHub malware in recent attacks" + }, + "related": [], + "uuid": "79752048-f2fd-4357-9e0a-15b9a2927852", + "value": "BleepingComputer NoName September 10 2024" + }, { "description": "Ruohonen, S. & Robinson, S. (2023, February 2). No Pineapple! -DPRK Targeting of Medical Research and Technology Sector. Retrieved July 10, 2023.", "meta": { @@ -39884,6 +40218,21 @@ "uuid": "e3d932fc-0148-43b9-bcc7-971dd7ba3bf8", "value": "Bitdefender Agent Tesla April 2020" }, + { + "description": "Council on Foreign Relations. (n.d.). OilRig. Retrieved September 1, 2024.", + "meta": { + "date_accessed": "2024-09-01T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cfr.org/cyber-operations/oilrig" + ], + "source": "Tidal Cyber", + "title": "OilRig" + }, + "related": [], + "uuid": "db9985eb-d536-45b9-a82b-34d8cdd2b699", + "value": "CFR OilRig Profile" + }, { "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.", "meta": { @@ -39929,6 +40278,38 @@ "uuid": "14bbb07b-caeb-4d17-8e54-047322a5930c", "value": "Palo Alto OilRig Oct 2016" }, + { + "description": "ESET Research. (2024, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved September 3, 2024.", + "meta": { + "date_accessed": "2024-09-03T00:00:00Z", + "date_published": "2024-09-21T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/" + ], + "source": "Tidal Cyber", + "title": "OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes" + }, + "related": [], + "uuid": "21ee3e95-ac4b-48f7-b948-249e1884bc96", + "value": "ESET OilRig September 21 2023" + }, + { + "description": "Zuzana Hromcová, Adam Burgher. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved September 1, 2024.", + "meta": { + "date_accessed": "2024-09-01T00:00:00Z", + "date_published": "2023-12-14T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/" + ], + "source": "Tidal Cyber", + "title": "OilRig’s persistent attacks using cloud service-powered downloaders" + }, + "related": [], + "uuid": "f96b74d5-ff75-47c6-a9a2-b2f43db351bc", + "value": "ESET OilRig December 14 2023" + }, { "description": "Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.", "meta": { @@ -40773,21 +41154,6 @@ "uuid": "4035e871-9291-4d7f-9c5f-d8482d4dc8a7", "value": "AhnLab Kimsuky Kabar Cobra Feb 2019" }, - { - "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.", - "meta": { - "date_accessed": "2014-11-12T00:00:00Z", - "date_published": "2014-01-01T00:00:00Z", - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf" - ], - "source": "MITRE", - "title": "OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs" - }, - "related": [], - "uuid": "31504d92-6c4d-43f0-8548-ccc3aa05ba48", - "value": "Villeneuve et al 2014" - }, { "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.", "meta": { @@ -40803,6 +41169,21 @@ "uuid": "bb45cf96-ceae-4f46-a0f5-08cd89f699c9", "value": "Mandiant Operation Ke3chang November 2014" }, + { + "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.", + "meta": { + "date_accessed": "2014-11-12T00:00:00Z", + "date_published": "2014-01-01T00:00:00Z", + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf" + ], + "source": "MITRE", + "title": "OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs" + }, + "related": [], + "uuid": "31504d92-6c4d-43f0-8548-ccc3aa05ba48", + "value": "Villeneuve et al 2014" + }, { "description": "Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.", "meta": { @@ -41461,21 +41842,6 @@ "uuid": "55ee5bcc-ba56-58ac-9afb-2349aa75fe39", "value": "Kubernetes Cloud Native Security" }, - { - "description": "Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.", - "meta": { - "date_accessed": "2023-09-07T00:00:00Z", - "date_published": "2012-07-23T00:00:00Z", - "refs": [ - "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html" - ], - "source": "MITRE", - "title": "Overview of Dynamic Libraries" - }, - "related": [], - "uuid": "39ffd162-4052-57ec-bd20-2fe6b8e6beab", - "value": "Apple Dev Dynamic Libraries" - }, { "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.", "meta": { @@ -41491,6 +41857,21 @@ "uuid": "e3b8cc52-2096-418c-b291-1bc76022961d", "value": "Apple Doco Archive Dynamic Libraries" }, + { + "description": "Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.", + "meta": { + "date_accessed": "2023-09-07T00:00:00Z", + "date_published": "2012-07-23T00:00:00Z", + "refs": [ + "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html" + ], + "source": "MITRE", + "title": "Overview of Dynamic Libraries" + }, + "related": [], + "uuid": "39ffd162-4052-57ec-bd20-2fe6b8e6beab", + "value": "Apple Dev Dynamic Libraries" + }, { "description": "Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.", "meta": { @@ -42279,6 +42660,22 @@ "uuid": "3ca2e78e-751e-460b-9f3c-f851d054bce4", "value": "Pentesting AD Forests" }, + { + "description": "U.S. Federal Bureau of Investigation. (2024, September 18). People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2024-09-18T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.ic3.gov/Media/News/2024/240918.pdf" + ], + "source": "Tidal Cyber", + "title": "People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations" + }, + "related": [], + "uuid": "cfb6f191-6c43-423b-9289-02beb3d721d1", + "value": "FBI PRC Botnet September 18 2024" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, September 27). People's Republic of China-Linked Cyber Actors Hide in Router Firmware. Retrieved September 29, 2023.", "meta": { @@ -42493,21 +42890,6 @@ "uuid": "533b8ae2-2fc3-4cf4-bcaa-5d8bfcba91c0", "value": "Prevailion EvilNum May 2020" }, - { - "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.", - "meta": { - "date_accessed": "2020-10-23T00:00:00Z", - "date_published": "2016-09-24T00:00:00Z", - "refs": [ - "https://github.com/ryhanson/phishery" - ], - "source": "MITRE", - "title": "phishery" - }, - "related": [], - "uuid": "6da51561-a813-4802-aa84-1b3de1bc2e14", - "value": "GitHub Phishery" - }, { "description": "Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018.", "meta": { @@ -42523,6 +42905,21 @@ "uuid": "7e643cf0-5df7-455d-add7-2342f36bdbcb", "value": "ryhanson phishery SEPT 2016" }, + { + "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.", + "meta": { + "date_accessed": "2020-10-23T00:00:00Z", + "date_published": "2016-09-24T00:00:00Z", + "refs": [ + "https://github.com/ryhanson/phishery" + ], + "source": "MITRE", + "title": "phishery" + }, + "related": [], + "uuid": "6da51561-a813-4802-aa84-1b3de1bc2e14", + "value": "GitHub Phishery" + }, { "description": "ANSSI. (2021, December 6). PHISHING CAMPAIGNS BY THE NOBELIUM INTRUSION SET. Retrieved April 13, 2022.", "meta": { @@ -44328,21 +44725,6 @@ "uuid": "069ef9af-3402-4b13-8c60-b397b0b0bfd7", "value": "PaloAlto EncodedCommand March 2017" }, - { - "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.", - "meta": { - "date_accessed": "2020-12-17T00:00:00Z", - "date_published": "2018-12-06T00:00:00Z", - "refs": [ - "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" - ], - "source": "MITRE", - "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat" - }, - "related": [], - "uuid": "ec413dc7-028c-4153-9e98-abe85961747f", - "value": "anomali-linux-rabbit" - }, { "description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.", "meta": { @@ -44358,6 +44740,21 @@ "uuid": "e843eb47-21b0-44b9-8065-02aea0a0b05f", "value": "Anomali Linux Rabbit 2018" }, + { + "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.", + "meta": { + "date_accessed": "2020-12-17T00:00:00Z", + "date_published": "2018-12-06T00:00:00Z", + "refs": [ + "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" + ], + "source": "MITRE", + "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat" + }, + "related": [], + "uuid": "ec413dc7-028c-4153-9e98-abe85961747f", + "value": "anomali-linux-rabbit" + }, { "description": "CrowdStrike. (n.d.). Punk Spider. Retrieved February 20, 2024.", "meta": { @@ -45036,21 +45433,6 @@ "uuid": "e096e1f4-6b62-4756-8811-f263cf1dcecc", "value": "FBI Ransomware Tools November 7 2023" }, - { - "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.", - "meta": { - "date_accessed": "2021-03-02T00:00:00Z", - "date_published": "2020-02-24T00:00:00Z", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" - ], - "source": "MITRE", - "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT" - }, - "related": [], - "uuid": "44856547-2de5-45ff-898f-a523095bd593", - "value": "FireEye Ransomware Feb 2020" - }, { "description": "Zafra, D. Lunden, K. Brubaker, N. Kennelly, J.. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.", "meta": { @@ -45066,6 +45448,21 @@ "uuid": "9ffa0f35-98e4-4265-8b66-9c805a2b6525", "value": "FireEye Ransomware Disrupt Industrial Production" }, + { + "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.", + "meta": { + "date_accessed": "2021-03-02T00:00:00Z", + "date_published": "2020-02-24T00:00:00Z", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" + ], + "source": "MITRE", + "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT" + }, + "related": [], + "uuid": "44856547-2de5-45ff-898f-a523095bd593", + "value": "FireEye Ransomware Feb 2020" + }, { "description": "Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.", "meta": { @@ -45112,6 +45509,22 @@ "uuid": "d0811fd4-e89d-4337-9bc1-a9a8774d44b1", "value": "Sophos News August 14 2024" }, + { + "description": "Rapid. (2024, September 12). Ransomware Groups Demystified Lynx Ransomware . Retrieved September 12, 2024.", + "meta": { + "date_accessed": "2024-09-12T00:00:00Z", + "date_published": "2024-09-12T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.rapid7.com/blog/post/2024/09/12/ransomware-groups-demystified-lynx-ransomware/" + ], + "source": "Tidal Cyber", + "title": "Ransomware Groups Demystified Lynx Ransomware" + }, + "related": [], + "uuid": "21d393ae-d135-4c5a-8c6d-1baa8c0a1e08", + "value": "Rapid7 Blog September 12 2024" + }, { "description": "Www.invictus-ir.com. (2024, January 11). Ransomware in the cloud. Retrieved April 17, 2024.", "meta": { @@ -46085,6 +46498,20 @@ "uuid": "f58ac1e4-c470-4aac-a077-7f358e25b0fa", "value": "Microsoft Registry Auditing Aug 2016" }, + { + "description": "Microsoft. (n.d.). Registry Key Security and Access Rights. Retrieved March 16, 2017.", + "meta": { + "date_accessed": "2017-03-16T00:00:00Z", + "refs": [ + "https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx" + ], + "source": "MITRE", + "title": "Registry Key Security and Access Rights" + }, + "related": [], + "uuid": "c5627d86-1b59-4c2a-aac0-88f1b4dc6974", + "value": "MSDN Registry Key Security" + }, { "description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.", "meta": { @@ -46100,20 +46527,6 @@ "uuid": "f8f12cbb-029c-48b1-87ce-624a7f98c8ab", "value": "Registry Key Security" }, - { - "description": "Microsoft. (n.d.). Registry Key Security and Access Rights. Retrieved March 16, 2017.", - "meta": { - "date_accessed": "2017-03-16T00:00:00Z", - "refs": [ - "https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx" - ], - "source": "MITRE", - "title": "Registry Key Security and Access Rights" - }, - "related": [], - "uuid": "c5627d86-1b59-4c2a-aac0-88f1b4dc6974", - "value": "MSDN Registry Key Security" - }, { "description": "Microsoft. (2021, December 14). Registry Trees for Devices and Drivers. Retrieved March 28, 2023.", "meta": { @@ -47201,21 +47614,6 @@ "uuid": "d1d6b6fe-ef93-4417-844b-7cd8dc76934b", "value": "U.S. HHS Royal & BlackCat Alert" }, - { - "description": "Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.", - "meta": { - "date_accessed": "2023-03-30T00:00:00Z", - "date_published": "2023-02-13T00:00:00Z", - "refs": [ - "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive" - ], - "source": "MITRE", - "title": "Royal Ransomware Deep Dive" - }, - "related": [], - "uuid": "dcdcc965-56d0-58e6-996b-d8bd40916745", - "value": "Kroll Royal Deep Dive February 2023" - }, { "description": "Laurie Iacono, Keith Wojcieszek, George Glass. (2023, February 13). Royal Ransomware Deep Dive. Retrieved June 17, 2024.", "meta": { @@ -47232,6 +47630,21 @@ "uuid": "de385ede-f928-4a1e-934c-8ce7a6e7f33b", "value": "Kroll Royal Ransomware February 13 2023" }, + { + "description": "Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.", + "meta": { + "date_accessed": "2023-03-30T00:00:00Z", + "date_published": "2023-02-13T00:00:00Z", + "refs": [ + "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive" + ], + "source": "MITRE", + "title": "Royal Ransomware Deep Dive" + }, + "related": [], + "uuid": "dcdcc965-56d0-58e6-996b-d8bd40916745", + "value": "Kroll Royal Deep Dive February 2023" + }, { "description": "Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.", "meta": { @@ -47791,19 +48204,20 @@ "value": "Unit42 Redaman January 2019" }, { - "description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.", + "description": "Cybersecurity and Infrastructure Security Agency. (2024, September 5). Russian Military Cyber Actors Target US and Global Critical Infrastructure. Retrieved September 9, 2024.", "meta": { - "date_accessed": "2022-05-31T00:00:00Z", - "date_published": "2022-03-15T00:00:00Z", + "date_accessed": "2024-09-09T00:00:00Z", + "date_published": "2024-09-05T00:00:00Z", + "owner": "TidalCyberIan", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a" + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a" ], - "source": "MITRE", - "title": "Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability" + "source": "Tidal Cyber", + "title": "Russian Military Cyber Actors Target US and Global Critical Infrastructure" }, "related": [], - "uuid": "00c6ff88-6eeb-486d-ae69-dffd5aebafe6", - "value": "Russians Exploit Default MFA Protocol - CISA March 2022" + "uuid": "9631a46d-3e0a-4f25-962b-0b2501c47926", + "value": "U.S. CISA Unit 29155 September 5 2024" }, { "description": "Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022.", @@ -47820,6 +48234,21 @@ "uuid": "fa03324e-c79c-422e-80f1-c270fd87d4e2", "value": "CISA MFA PrintNightmare" }, + { + "description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.", + "meta": { + "date_accessed": "2022-05-31T00:00:00Z", + "date_published": "2022-03-15T00:00:00Z", + "refs": [ + "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a" + ], + "source": "MITRE", + "title": "Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability" + }, + "related": [], + "uuid": "00c6ff88-6eeb-486d-ae69-dffd5aebafe6", + "value": "Russians Exploit Default MFA Protocol - CISA March 2022" + }, { "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.", "meta": { @@ -48266,6 +48695,22 @@ "uuid": "3a60f7de-9ead-444e-9d08-689c655b26c7", "value": "Mandiant SCANdalous Jul 2020" }, + { + "description": "Jakub Souček. (2023, August 22). Scarabs colon-izing vulnerable servers. Retrieved September 13, 2024.", + "meta": { + "date_accessed": "2024-09-13T00:00:00Z", + "date_published": "2023-08-22T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/" + ], + "source": "Tidal Cyber", + "title": "Scarabs colon-izing vulnerable servers" + }, + "related": [], + "uuid": "7cbf97fe-1809-4089-b386-a8bfd083df39", + "value": "WeLiveSecurity Scarab August 22 2023" + }, { "description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.", "meta": { @@ -48281,21 +48726,6 @@ "uuid": "2dd5b872-a4ab-4b77-8457-a3d947298fc0", "value": "Securelist ScarCruft May 2019" }, - { - "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.", - "meta": { - "date_accessed": "2023-07-12T00:00:00Z", - "date_published": "2023-07-11T00:00:00Z", - "refs": [ - "https://sysdig.com/blog/scarleteel-2-0/" - ], - "source": "MITRE", - "title": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto" - }, - "related": [], - "uuid": "90e60242-82d8-5648-b7e4-def6fd508e16", - "value": "Sysdig ScarletEel 2.0" - }, { "description": "Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.", "meta": { @@ -48311,6 +48741,21 @@ "uuid": "285266e7-7a62-5f98-9b0f-fefde4b21c88", "value": "Sysdig ScarletEel 2.0 2023" }, + { + "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.", + "meta": { + "date_accessed": "2023-07-12T00:00:00Z", + "date_published": "2023-07-11T00:00:00Z", + "refs": [ + "https://sysdig.com/blog/scarleteel-2-0/" + ], + "source": "MITRE", + "title": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto" + }, + "related": [], + "uuid": "90e60242-82d8-5648-b7e4-def6fd508e16", + "value": "Sysdig ScarletEel 2.0" + }, { "description": "Alberto Pellitteri. (2023, February 28). SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft. Retrieved February 2, 2023.", "meta": { @@ -48327,6 +48772,22 @@ "uuid": "18931f81-51bf-44af-9573-512ccb66c238", "value": "Sysdig Scarleteel February 28 2023" }, + { + "description": "Laura Brosnan. (2024, June 26). Scarlet Goldfinch Taking flight with NetSupport Manager - Red Canary. Retrieved June 26, 2024.", + "meta": { + "date_accessed": "2024-06-26T00:00:00Z", + "date_published": "2024-06-26T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://redcanary.com/blog/threat-intelligence/scarlet-goldfinch/" + ], + "source": "Tidal Cyber", + "title": "Scarlet Goldfinch Taking flight with NetSupport Manager - Red Canary" + }, + "related": [], + "uuid": "e0d62504-6fec-4d95-9f4a-e0dda7e7b6d9", + "value": "Red Canary June 26 2024" + }, { "description": "Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.", "meta": { @@ -48923,21 +49384,6 @@ "uuid": "3cc2c996-10e9-4e25-999c-21dc2c69e4af", "value": "CISA IDN ST05-016" }, - { - "description": "Dr. Nestori Syynimaa.. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.", - "meta": { - "date_accessed": "2022-02-01T00:00:00Z", - "date_published": "2017-11-16T00:00:00Z", - "refs": [ - "https://o365blog.com/post/federation-vulnerability/" - ], - "source": "MITRE", - "title": "Security vulnerability in Azure AD & Office 365 identity federation" - }, - "related": [], - "uuid": "123995be-36f5-4cd6-b80a-d601c2d0971e", - "value": "Azure AD Federation Vulnerability" - }, { "description": "Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022.", "meta": { @@ -48953,6 +49399,21 @@ "uuid": "d2005eb6-4da4-4938-97fb-caa0e2381f4e", "value": "AADInternals zure AD Federated Domain" }, + { + "description": "Dr. Nestori Syynimaa.. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.", + "meta": { + "date_accessed": "2022-02-01T00:00:00Z", + "date_published": "2017-11-16T00:00:00Z", + "refs": [ + "https://o365blog.com/post/federation-vulnerability/" + ], + "source": "MITRE", + "title": "Security vulnerability in Azure AD & Office 365 identity federation" + }, + "related": [], + "uuid": "123995be-36f5-4cd6-b80a-d601c2d0971e", + "value": "Azure AD Federation Vulnerability" + }, { "description": "ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017.", "meta": { @@ -50865,6 +51326,21 @@ "uuid": "01d9c3ba-29e2-5090-b399-0e7adf50a6b9", "value": "SocGholish-update" }, + { + "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.", + "meta": { + "date_accessed": "2024-03-22T00:00:00Z", + "date_published": "2022-11-07T00:00:00Z", + "refs": [ + "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/" + ], + "source": "MITRE", + "title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders" + }, + "related": [], + "uuid": "8a26eeb6-6f80-58f1-b773-b38835c6781d", + "value": "SentinelOne SocGholish Infrastructure November 2022" + }, { "description": "Aleksandar Milenkoski. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved May 7, 2023.", "meta": { @@ -50881,21 +51357,6 @@ "uuid": "c2dd119c-25d8-4e48-8eeb-89552a5a096c", "value": "SentinelLabs SocGholish November 2022" }, - { - "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.", - "meta": { - "date_accessed": "2024-03-22T00:00:00Z", - "date_published": "2022-11-07T00:00:00Z", - "refs": [ - "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/" - ], - "source": "MITRE", - "title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders" - }, - "related": [], - "uuid": "8a26eeb6-6f80-58f1-b773-b38835c6781d", - "value": "SentinelOne SocGholish Infrastructure November 2022" - }, { "description": "Proofpoint. (2022, November 21). SocGholish Malware: A Real Threat from a Fake Update | Proofpoint US. Retrieved May 7, 2023.", "meta": { @@ -51170,6 +51631,22 @@ "uuid": "6fce30c3-17d6-42a0-8470-319e2930e573", "value": "solution_monitor_dhcp_scopes" }, + { + "description": "Sekoia TDR; Felix Aimé; Pierre-Antoine D; Charles M; Grégoire Clermont; Jeremy Scion. (2024, July 23). Solving the 7777 Botnet enigma A cybersecurity quest. Retrieved July 24, 2024.", + "meta": { + "date_accessed": "2024-07-24T00:00:00Z", + "date_published": "2024-07-23T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blog.sekoia.io/solving-the-7777-botnet-enigma-a-cybersecurity-quest/" + ], + "source": "Tidal Cyber", + "title": "Solving the 7777 Botnet enigma A cybersecurity quest" + }, + "related": [], + "uuid": "ae84e72a-56b3-4dc4-b053-d3766764ac0d", + "value": "Sekoia.io Blog July 23 2024" + }, { "description": "SophosXOps. (2023, September 13). Sophos X-Ops Tweet September 13 2023. Retrieved September 22, 2023.", "meta": { @@ -51872,21 +52349,6 @@ "uuid": "edd0cab4-48f7-48d8-a318-ced118af6a63", "value": "Sekoia.io Stealc February 27 2023" }, - { - "description": "Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.", - "meta": { - "date_accessed": "2022-08-03T00:00:00Z", - "date_published": "2022-02-15T00:00:00Z", - "refs": [ - "https://o365blog.com/post/deviceidentity/" - ], - "source": "MITRE", - "title": "Stealing and faking Azure AD device identities" - }, - "related": [], - "uuid": "ec94c043-92ef-4691-b21a-7ea68f39e338", - "value": "O365 Blog Azure AD Device IDs" - }, { "description": "Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.", "meta": { @@ -51902,6 +52364,21 @@ "uuid": "b5ef16c4-1db0-51e9-93ab-54a8e480debc", "value": "AADInternals Azure AD Device Identities" }, + { + "description": "Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.", + "meta": { + "date_accessed": "2022-08-03T00:00:00Z", + "date_published": "2022-02-15T00:00:00Z", + "refs": [ + "https://o365blog.com/post/deviceidentity/" + ], + "source": "MITRE", + "title": "Stealing and faking Azure AD device identities" + }, + "related": [], + "uuid": "ec94c043-92ef-4691-b21a-7ea68f39e338", + "value": "O365 Blog Azure AD Device IDs" + }, { "description": "Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.", "meta": { @@ -52277,6 +52754,22 @@ "uuid": "ad96148c-8230-4923-86fd-4b1da211db1a", "value": "U.S. CISA Play Ransomware December 2023" }, + { + "description": "Cybersecurity and Infrastructure Security Agency. (2024, August 29). #StopRansomware: RansomHub Ransomware. Retrieved September 3, 2024.", + "meta": { + "date_accessed": "2024-09-03T00:00:00Z", + "date_published": "2024-08-29T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a" + ], + "source": "Tidal Cyber", + "title": "#StopRansomware: RansomHub Ransomware" + }, + "related": [], + "uuid": "af338cbd-6416-4dee-95c7-6915f78e2604", + "value": "U.S. CISA RansomHub Ransomware August 29 2024" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, November 15). #StopRansomware: Rhysida Ransomware. Retrieved November 16, 2023.", "meta": { @@ -52340,6 +52833,22 @@ "uuid": "0a754513-5f20-44a0-8cea-c5d9519106c8", "value": "U.S. CISA Vice Society September 2022" }, + { + "description": "Cybersecurity and Infrastructure Security Agency. (2022, August 11). #StopRansomware: Zeppelin Ransomware. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2022-08-11T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-223a" + ], + "source": "Tidal Cyber", + "title": "#StopRansomware: Zeppelin Ransomware" + }, + "related": [], + "uuid": "42d98de2-8c9a-4cc4-b5a1-9778c0da3286", + "value": "U.S. CISA Zeppelin Ransomware August 11 2022" + }, { "description": "LOLBAS. (2021, October 21). Stordiag.exe. Retrieved December 4, 2023.", "meta": { @@ -52622,8 +53131,8 @@ "title": "SUNBURST, TEARDROP and the NetSec New Normal" }, "related": [], - "uuid": "4e3d9201-83d4-5375-b3b7-e00dfb16342d", - "value": "CheckPoint Sunburst & Teardrop December 2020" + "uuid": "a6b75979-af51-42ed-9bb9-01d5fb9ceac9", + "value": "Check Point Sunburst Teardrop December 2020" }, { "description": "Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.", @@ -52637,8 +53146,8 @@ "title": "SUNBURST, TEARDROP and the NetSec New Normal" }, "related": [], - "uuid": "a6b75979-af51-42ed-9bb9-01d5fb9ceac9", - "value": "Check Point Sunburst Teardrop December 2020" + "uuid": "4e3d9201-83d4-5375-b3b7-e00dfb16342d", + "value": "CheckPoint Sunburst & Teardrop December 2020" }, { "description": "CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.", @@ -53204,6 +53713,20 @@ "uuid": "2a3c5216-b153-4d89-b0b1-f32af3aa83d0", "value": "Peripheral Discovery macOS" }, + { + "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.", + "meta": { + "date_accessed": "2016-11-25T00:00:00Z", + "refs": [ + "https://msdn.microsoft.com/ms724961.aspx" + ], + "source": "MITRE", + "title": "System Time" + }, + "related": [], + "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec", + "value": "MSDN System Time" + }, { "description": "ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024.", "meta": { @@ -53219,20 +53742,6 @@ "uuid": "2dfd22d7-c78b-5967-b732-736f37ea5489", "value": "linux system time" }, - { - "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.", - "meta": { - "date_accessed": "2016-11-25T00:00:00Z", - "refs": [ - "https://msdn.microsoft.com/ms724961.aspx" - ], - "source": "MITRE", - "title": "System Time" - }, - "related": [], - "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec", - "value": "MSDN System Time" - }, { "description": "Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024.", "meta": { @@ -53715,6 +54224,22 @@ "uuid": "dfd168c0-40da-4402-a123-963eb8e2125a", "value": "dharma_ransomware" }, + { + "description": "Check Point Research. (2024, September 11). Targeted Iranian Attacks Against Iraqi Government Infrastructure - Check Point Research. Retrieved September 11, 2024.", + "meta": { + "date_accessed": "2024-09-11T00:00:00Z", + "date_published": "2024-09-11T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/" + ], + "source": "Tidal Cyber", + "title": "Targeted Iranian Attacks Against Iraqi Government Infrastructure - Check Point Research" + }, + "related": [], + "uuid": "53320d81-4060-4414-b5b8-21d09362bc44", + "value": "Check Point Research September 11 2024" + }, { "description": "Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.", "meta": { @@ -53940,21 +54465,6 @@ "uuid": "b98f1967-c62f-5afe-a2f7-4c426615d576", "value": "AquaSec TeamTNT 2023" }, - { - "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.", - "meta": { - "date_accessed": "2022-08-04T00:00:00Z", - "date_published": "2022-04-21T00:00:00Z", - "refs": [ - "https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" - ], - "source": "MITRE", - "title": "TeamTNT targeting AWS, Alibaba" - }, - "related": [], - "uuid": "f39b5f92-6e14-4c7f-b79d-7bade722e6d9", - "value": "Cisco Talos Intelligence Group" - }, { "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved July 8, 2022.", "meta": { @@ -53970,6 +54480,21 @@ "uuid": "acd1b4c5-da28-584e-b892-599180a8dbb0", "value": "Talos TeamTNT" }, + { + "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.", + "meta": { + "date_accessed": "2022-08-04T00:00:00Z", + "date_published": "2022-04-21T00:00:00Z", + "refs": [ + "https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" + ], + "source": "MITRE", + "title": "TeamTNT targeting AWS, Alibaba" + }, + "related": [], + "uuid": "f39b5f92-6e14-4c7f-b79d-7bade722e6d9", + "value": "Cisco Talos Intelligence Group" + }, { "description": "Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.", "meta": { @@ -54975,6 +55500,22 @@ "uuid": "7578541b-1ae3-58d0-a8b9-120bd6cd96f5", "value": "CrowdStrike Evolution of Pinchy Spider July 2021" }, + { + "description": "Abe Schneider, Bethany Hardin, Lavine Oluoch . (2022, September 19). The Evolution of the Chromeloader Malware. Retrieved September 26, 2024.", + "meta": { + "date_accessed": "2024-09-26T00:00:00Z", + "date_published": "2022-09-19T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html" + ], + "source": "Tidal Cyber", + "title": "The Evolution of the Chromeloader Malware" + }, + "related": [], + "uuid": "5c2985f1-2d80-488b-ab63-fbd56aba229b", + "value": "VMware Chromeloader September 19 2022" + }, { "description": "Julia Kisielius. (2017, April 25). The Felismus RAT: Powerful Threat, Mysterious Purpose. Retrieved January 10, 2024.", "meta": { @@ -55346,8 +55887,8 @@ "title": "The LaZagne Project !!!" }, "related": [], - "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15", - "value": "GitHub LaZange Dec 2018" + "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5", + "value": "GitHub LaZagne Dec 2018" }, { "description": "Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.", @@ -55360,8 +55901,8 @@ "title": "The LaZagne Project !!!" }, "related": [], - "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5", - "value": "GitHub LaZagne Dec 2018" + "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15", + "value": "GitHub LaZange Dec 2018" }, { "description": "SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.", @@ -55453,6 +55994,22 @@ "uuid": "ed5a2ec0-8328-40db-9f58-7eaac4ad39a0", "value": "Villeneuve 2011" }, + { + "description": "Tommy Madjar; Pim Trouerbach; Selena Larson; The Proofpoint Threat Research Team. (2024, August 29). The Malware That Must Not Be Named Suspected Espionage Campaign Delivers “Voldemort” . Retrieved August 29, 2024.", + "meta": { + "date_accessed": "2024-08-29T00:00:00Z", + "date_published": "2024-08-29T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" + ], + "source": "Tidal Cyber", + "title": "The Malware That Must Not Be Named Suspected Espionage Campaign Delivers “Voldemort”" + }, + "related": [], + "uuid": "548f23b2-3ab6-4ea0-839f-8f9c8745d91d", + "value": "Proofpoint August 29 2024" + }, { "description": "Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.", "meta": { @@ -55932,6 +56489,22 @@ "uuid": "f8a8a3a0-5b30-5f3e-a7b0-f8a4aaae7ee7", "value": "Cofense Agent Tesla" }, + { + "description": "Laura Brosnan. (2024, March 18). The rise of Charcoal Stork . Retrieved September 26, 2024.", + "meta": { + "date_accessed": "2024-09-26T00:00:00Z", + "date_published": "2024-03-18T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://redcanary.com/blog/threat-intelligence/charcoal-stork/" + ], + "source": "Tidal Cyber", + "title": "The rise of Charcoal Stork" + }, + "related": [], + "uuid": "a86131cd-1a42-4222-9d39-221dd6e054ba", + "value": "Red Canary March 18 2024" + }, { "description": "Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.", "meta": { @@ -56595,6 +57168,22 @@ "uuid": "26d7134e-7b93-4aa1-a859-03cf964ca1b5", "value": "Atlas SEO" }, + { + "description": "Vanja Svajcer. (2024, September 3). Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads. Retrieved September 3, 2024.", + "meta": { + "date_accessed": "2024-09-03T00:00:00Z", + "date_published": "2024-09-03T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blog.talosintelligence.com/threat-actors-using-macropack/" + ], + "source": "Tidal Cyber", + "title": "Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads" + }, + "related": [], + "uuid": "b222cabd-347d-45d4-aeaf-4135795d944d", + "value": "Cisco Talos Blog September 3 2024" + }, { "description": "Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.", "meta": { @@ -56791,6 +57380,21 @@ "uuid": "5e1db76a-0a3e-42ce-a66c-f914fb1a3471", "value": "Unit 42 DGA Feb 2019" }, + { + "description": "Red Canary. (n.d.). Threat: ChromeLoader. Retrieved September 26, 2024.", + "meta": { + "date_accessed": "2024-09-26T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://redcanary.com/threat-detection-report/threats/chromeloader/" + ], + "source": "Tidal Cyber", + "title": "Threat: ChromeLoader" + }, + "related": [], + "uuid": "bcfe9d10-11fe-4241-8262-bce07e8a11c1", + "value": "Red Canary TDR ChromeLoader" + }, { "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.", "meta": { @@ -57523,21 +58127,6 @@ "uuid": "99e48516-f918-477c-b85e-4ad894cc031f", "value": "JScrip May 2018" }, - { - "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.", - "meta": { - "date_accessed": "2021-09-02T00:00:00Z", - "date_published": "2021-05-13T00:00:00Z", - "refs": [ - "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" - ], - "source": "MITRE, Tidal Cyber", - "title": "Transparent Tribe APT expands its Windows malware arsenal" - }, - "related": [], - "uuid": "5d58c285-bc7d-4a8a-a96a-ac7118c1089d", - "value": "Talos Transparent Tribe May 2021" - }, { "description": "Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022.", "meta": { @@ -57553,6 +58142,21 @@ "uuid": "be1e3092-1981-457b-ae76-b55b057e1d73", "value": "tt_obliqueRAT" }, + { + "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.", + "meta": { + "date_accessed": "2021-09-02T00:00:00Z", + "date_published": "2021-05-13T00:00:00Z", + "refs": [ + "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" + ], + "source": "MITRE, Tidal Cyber", + "title": "Transparent Tribe APT expands its Windows malware arsenal" + }, + "related": [], + "uuid": "5d58c285-bc7d-4a8a-a96a-ac7118c1089d", + "value": "Talos Transparent Tribe May 2021" + }, { "description": "N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.", "meta": { @@ -57583,21 +58187,6 @@ "uuid": "9bdda422-dbf7-4b70-a7b1-9e3ad658c239", "value": "tt_httrack_fake_domains" }, - { - "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.", - "meta": { - "date_accessed": "2021-04-01T00:00:00Z", - "date_published": "2020-08-20T00:00:00Z", - "refs": [ - "https://securelist.com/transparent-tribe-part-1/98127/" - ], - "source": "MITRE", - "title": "Transparent Tribe: Evolution analysis, part 1" - }, - "related": [], - "uuid": "0db470b1-ab22-4b67-a858-472e4de7c6f0", - "value": "Securelist Trasparent Tribe 2020" - }, { "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.", "meta": { @@ -57613,6 +58202,21 @@ "uuid": "42c7faa2-f664-4e4a-9d23-93c88a09da5b", "value": "Kaspersky Transparent Tribe August 2020" }, + { + "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.", + "meta": { + "date_accessed": "2021-04-01T00:00:00Z", + "date_published": "2020-08-20T00:00:00Z", + "refs": [ + "https://securelist.com/transparent-tribe-part-1/98127/" + ], + "source": "MITRE", + "title": "Transparent Tribe: Evolution analysis, part 1" + }, + "related": [], + "uuid": "0db470b1-ab22-4b67-a858-472e4de7c6f0", + "value": "Securelist Trasparent Tribe 2020" + }, { "description": "Microsoft. (2016, June 1). Transport agents. Retrieved June 24, 2019.", "meta": { @@ -58330,21 +58934,6 @@ "uuid": "5d69d122-13bc-45c4-95ab-68283a21b699", "value": "TrendMicro Tropic Trooper Mar 2018" }, - { - "description": "Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.", - "meta": { - "date_accessed": "2020-12-18T00:00:00Z", - "date_published": "2016-11-22T00:00:00Z", - "refs": [ - "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ], - "source": "MITRE", - "title": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy" - }, - "related": [], - "uuid": "47524b17-1acd-44b1-8de5-168369fa9455", - "value": "paloalto Tropic Trooper 2016" - }, { "description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.", "meta": { @@ -58360,6 +58949,21 @@ "uuid": "cad84e3d-9506-44f8-bdd9-d090e6ce9b06", "value": "Unit 42 Tropic Trooper Nov 2016" }, + { + "description": "Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.", + "meta": { + "date_accessed": "2020-12-18T00:00:00Z", + "date_published": "2016-11-22T00:00:00Z", + "refs": [ + "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" + ], + "source": "MITRE", + "title": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy" + }, + "related": [], + "uuid": "47524b17-1acd-44b1-8de5-168369fa9455", + "value": "paloalto Tropic Trooper 2016" + }, { "description": "Microsoft. (2023, October 23). Troubleshooting Conditional Access policy changes. Retrieved January 2, 2024.", "meta": { @@ -60361,21 +60965,6 @@ "uuid": "32a30a3f-3ed1-4def-86b1-f40bbffa1cc5", "value": "Microsoft SMB Packet Signing" }, - { - "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", - "meta": { - "date_accessed": "2016-04-07T00:00:00Z", - "date_published": "2012-06-27T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791851(v=ws.11)?redirectedfrom=MSDN" - ], - "source": "MITRE", - "title": "Using Software Restriction Policies and AppLocker Policies" - }, - "related": [], - "uuid": "774e6598-0926-4adb-890f-00824de07ae0", - "value": "Microsoft Using Software Restriction" - }, { "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "meta": { @@ -60391,6 +60980,21 @@ "uuid": "84e1c53f-e858-4106-9c14-1b536d5b56f9", "value": "TechNet Applocker vs SRP" }, + { + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", + "meta": { + "date_accessed": "2016-04-07T00:00:00Z", + "date_published": "2012-06-27T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791851(v=ws.11)?redirectedfrom=MSDN" + ], + "source": "MITRE", + "title": "Using Software Restriction Policies and AppLocker Policies" + }, + "related": [], + "uuid": "774e6598-0926-4adb-890f-00824de07ae0", + "value": "Microsoft Using Software Restriction" + }, { "description": "Jan Schaumann. (2015, November 5). Using the OS X Keychain to store and retrieve passwords. Retrieved March 31, 2022.", "meta": { @@ -60985,6 +61589,22 @@ "uuid": "90a5ab3c-c2a8-4b02-9bd7-628672907737", "value": "Offensive Security VNC Authentication Check" }, + { + "description": "Peter Girnus, Aliakbar Zahravi. (2024, July 15). Void Banshee Targets Windows Users. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2024-07-15T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html" + ], + "source": "Tidal Cyber", + "title": "Void Banshee Targets Windows Users" + }, + "related": [], + "uuid": "02c4dda2-3aae-43ec-9b14-df282b200def", + "value": "Trend Micro Void Banshee July 15 2024" + }, { "description": "Feike Hacquebord, Stephen Hilt, Fernando Merces, Lord Alfred Remorin. (2023, May 30). Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals. Retrieved June 4, 2023.", "meta": { @@ -61016,6 +61636,21 @@ "uuid": "a26344a2-63ca-422e-8cf9-0cf22a5bee72", "value": "CheckPoint Volatile Cedar March 2015" }, + { + "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.", + "meta": { + "date_accessed": "2023-07-27T00:00:00Z", + "date_published": "2023-05-24T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" + ], + "source": "MITRE", + "title": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques" + }, + "related": [], + "uuid": "8b74f0b7-9719-598c-b3ee-61d734393e6f", + "value": "Microsoft Volt Typhoon May 2023" + }, { "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved May 25, 2023.", "meta": { @@ -61032,21 +61667,6 @@ "uuid": "2e94c44a-d2a7-4e56-ac8a-df315fc14ec1", "value": "Microsoft Volt Typhoon May 24 2023" }, - { - "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.", - "meta": { - "date_accessed": "2023-07-27T00:00:00Z", - "date_published": "2023-05-24T00:00:00Z", - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" - ], - "source": "MITRE", - "title": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques" - }, - "related": [], - "uuid": "8b74f0b7-9719-598c-b3ee-61d734393e6f", - "value": "Microsoft Volt Typhoon May 2023" - }, { "description": "LOLBAS. (2023, July 12). VSDiagnostics.exe. Retrieved December 4, 2023.", "meta": { @@ -61143,21 +61763,6 @@ "uuid": "70c168a0-9ddf-408d-ba29-885c0c5c936a", "value": "vstest.console.exe - LOLBAS Project" }, - { - "description": "Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.", - "meta": { - "date_accessed": "2017-02-03T00:00:00Z", - "date_published": "2016-07-20T00:00:00Z", - "refs": [ - "https://skanthak.homepage.t-online.de/sentinel.html" - ], - "source": "MITRE", - "title": "Vulnerability and Exploit Detector" - }, - "related": [], - "uuid": "94f99326-1512-47ca-8c99-9b382e4d0261", - "value": "Kanthak Sentinel" - }, { "description": "Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.", "meta": { @@ -61173,6 +61778,21 @@ "uuid": "d63d6e14-8fe7-4893-a42f-3752eaec8770", "value": "Vulnerability and Exploit Detector" }, + { + "description": "Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.", + "meta": { + "date_accessed": "2017-02-03T00:00:00Z", + "date_published": "2016-07-20T00:00:00Z", + "refs": [ + "https://skanthak.homepage.t-online.de/sentinel.html" + ], + "source": "MITRE", + "title": "Vulnerability and Exploit Detector" + }, + "related": [], + "uuid": "94f99326-1512-47ca-8c99-9b382e4d0261", + "value": "Kanthak Sentinel" + }, { "description": "CertiK. (2020, June 30). Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run. Retrieved March 7, 2024.", "meta": { @@ -61667,20 +62287,6 @@ "uuid": "d316c581-646d-48e7-956e-34e2f957c67d", "value": "Cofense Astaroth Sept 2018" }, - { - "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.", - "meta": { - "date_accessed": "2021-09-14T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" - ], - "source": "MITRE", - "title": "wevtutil" - }, - "related": [], - "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e", - "value": "Wevtutil Microsoft Documentation" - }, { "description": "Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.", "meta": { @@ -61696,6 +62302,20 @@ "uuid": "8896d802-96c6-4546-8a82-c1f7f2d71ea1", "value": "Microsoft wevtutil Oct 2017" }, + { + "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.", + "meta": { + "date_accessed": "2021-09-14T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" + ], + "source": "MITRE", + "title": "wevtutil" + }, + "related": [], + "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e", + "value": "Wevtutil Microsoft Documentation" + }, { "description": "LOLBAS. (2021, September 26). Wfc.exe. Retrieved December 4, 2023.", "meta": { @@ -62669,21 +63289,6 @@ "uuid": "92ac290c-4863-4774-b334-848ed72e3627", "value": "Trend Micro Privileged Container" }, - { - "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.", - "meta": { - "date_accessed": "2024-01-02T00:00:00Z", - "date_published": "2023-09-14T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware" - ], - "source": "MITRE", - "title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety" - }, - "related": [], - "uuid": "3a310dbd-4b5c-5eaf-a4ce-699e52007c9b", - "value": "Mandiant UNC3944 SMS Phishing 2023" - }, { "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved November 16, 2023.", "meta": { @@ -62700,6 +63305,21 @@ "uuid": "7420d79f-c6a3-4932-9c2e-c9cc36e2ca35", "value": "Mandiant UNC3944 September 14 2023" }, + { + "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.", + "meta": { + "date_accessed": "2024-01-02T00:00:00Z", + "date_published": "2023-09-14T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware" + ], + "source": "MITRE", + "title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety" + }, + "related": [], + "uuid": "3a310dbd-4b5c-5eaf-a4ce-699e52007c9b", + "value": "Mandiant UNC3944 SMS Phishing 2023" + }, { "description": "Stack Overflow. (n.d.). Why do I see an \"Electron Security Warning\" after updating my Electron project to the latest version?. Retrieved March 7, 2024.", "meta": { @@ -62816,6 +63436,22 @@ "uuid": "806eadfc-f473-4f2b-b03b-8a1f1c0a2d96", "value": "ESET Carberp March 2012" }, + { + "description": "Microsoft Corporation. (2012, April 2). Win32Gamarue threat description - Microsoft Security Intelligence. Retrieved September 27, 2024.", + "meta": { + "date_accessed": "2024-09-27T00:00:00Z", + "date_published": "2012-04-02T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue" + ], + "source": "Tidal Cyber", + "title": "Win32Gamarue threat description - Microsoft Security Intelligence" + }, + "related": [], + "uuid": "de44abcc-9467-4c63-b0c4-c3a3b282ae39", + "value": "microsoft.com April 2 2012" + }, { "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", "meta": { @@ -63168,21 +63804,6 @@ "uuid": "20ec94d1-4a5c-43f5-bb65-f3ea965d2b6e", "value": "TechNet PowerShell" }, - { - "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.", - "meta": { - "date_accessed": "2018-08-10T00:00:00Z", - "date_published": "2018-01-26T00:00:00Z", - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/" - ], - "source": "MITRE", - "title": "Windows Privilege Escalation Guide" - }, - "related": [], - "uuid": "185154f2-5f2e-48bf-b609-991e9d6a037b", - "value": "Windows Privilege Escalation Guide" - }, { "description": "McFarland, R. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.", "meta": { @@ -63198,6 +63819,21 @@ "uuid": "c52945dc-eb20-4e69-8f8e-a262f33c244c", "value": "SploitSpren Windows Priv Jan 2018" }, + { + "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.", + "meta": { + "date_accessed": "2018-08-10T00:00:00Z", + "date_published": "2018-01-26T00:00:00Z", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/" + ], + "source": "MITRE", + "title": "Windows Privilege Escalation Guide" + }, + "related": [], + "uuid": "185154f2-5f2e-48bf-b609-991e9d6a037b", + "value": "Windows Privilege Escalation Guide" + }, { "description": "HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted Services. Retrieved August 10, 2018.", "meta": { @@ -63448,21 +64084,6 @@ "uuid": "25d54a16-59a0-497d-a4a5-021420da8f1c", "value": "Microsoft System Services Fundamentals" }, - { - "description": "Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.", - "meta": { - "date_accessed": "2018-03-26T00:00:00Z", - "date_published": "2017-05-31T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings" - ], - "source": "MITRE", - "title": "Windows Time Service Tools and Settings" - }, - "related": [], - "uuid": "9e3d8dec-745a-4744-b80c-d65897ebba3c", - "value": "Microsoft W32Time May 2017" - }, { "description": "Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016.", "meta": { @@ -63478,6 +64099,21 @@ "uuid": "0d908e07-abc1-40fc-b147-9b9fd483b262", "value": "Technet Windows Time Service" }, + { + "description": "Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.", + "meta": { + "date_accessed": "2018-03-26T00:00:00Z", + "date_published": "2017-05-31T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings" + ], + "source": "MITRE", + "title": "Windows Time Service Tools and Settings" + }, + "related": [], + "uuid": "9e3d8dec-745a-4744-b80c-d65897ebba3c", + "value": "Microsoft W32Time May 2017" + }, { "description": "Microsoft. (2018, February 1). Windows Time Service (W32Time). Retrieved March 26, 2018.", "meta": { diff --git a/clusters/tidal-software.json b/clusters/tidal-software.json index 096cdd48..5b1a0f6c 100644 --- a/clusters/tidal-software.json +++ b/clusters/tidal-software.json @@ -28,10 +28,6 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" - }, - { - "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "type": "similar" } ], "uuid": "71d76208-c465-4447-8d6e-c54f142b65a4", @@ -56,10 +52,6 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" - }, - { - "dest-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "type": "similar" } ], "uuid": "a15142a3-4797-4fef-8ec6-065e3322a69b", @@ -72,7 +64,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5023", + "software_attack_id": "S3023", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -137,9 +129,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5299", + "software_attack_id": "S3061", "source": "Tidal Cyber", "tags": [ + "51946995-71d4-4bd3-9f7f-491b450f018b", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -181,10 +174,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "2c5281dd-b5fd-4531-8aea-c1bf8a0f8756", - "type": "similar" } ], "uuid": "3d33fbf5-c21e-4587-ba31-9aeec3cc10c0", @@ -209,10 +198,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "a0ebedca-d558-4e48-8ff7-4bf76208d90c", - "type": "similar" } ], "uuid": "394cadd0-bc4d-4181-ac53-858e84b8e3de", @@ -225,7 +210,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5203", + "software_attack_id": "S3324", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -246,7 +231,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5059", + "software_attack_id": "S3082", "source": "Tidal Cyber", "tags": [ "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c" @@ -284,10 +269,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "04cecafd-cb5f-4daf-aa1f-73899116c4a2", - "type": "similar" } ], "uuid": "cf465790-3d6d-5767-bb8c-63a429f95d83", @@ -309,10 +290,6 @@ { "dest-uuid": "31bc763e-623f-4870-9780-86e43d732594", "type": "used-by" - }, - { - "dest-uuid": "36801ffb-5c85-4c50-9121-6122e389366d", - "type": "similar" } ], "uuid": "202781a3-d481-4984-9e5a-31caafc20135", @@ -334,10 +311,6 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" - }, - { - "dest-uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", - "type": "similar" } ], "uuid": "f52e759a-a725-4b50-84f2-12bef89d369e", @@ -350,7 +323,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5082", + "software_attack_id": "S3190", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -463,10 +436,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", - "type": "similar" } ], "uuid": "70559096-2a6b-4388-97e6-c2b16f3be78e", @@ -479,7 +448,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5204", + "software_attack_id": "S3325", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -500,7 +469,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5270", + "software_attack_id": "S3111", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -528,7 +497,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5024", + "software_attack_id": "S3024", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -586,7 +555,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5006", + "software_attack_id": "S3025", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -637,7 +606,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5025", + "software_attack_id": "S3026", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -672,7 +641,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5187", + "software_attack_id": "S3308", "source": "Tidal Cyber", "tags": [ "7a457caf-c3b6-4a48-84cf-c1f50a2eda27", @@ -708,10 +677,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "type": "similar" } ], "uuid": "ef7f4f5f-6f30-4059-87d1-cd8375bf1bee", @@ -733,12 +698,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "type": "similar" - } - ], + "related": [], "uuid": "f27c9a91-c618-40c6-837d-089ba4d80f45", "value": "Agent.btz" }, @@ -749,7 +709,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5205", + "software_attack_id": "S3326", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -772,6 +732,7 @@ "software_attack_id": "S0331", "source": "MITRE", "tags": [ + "d11d22a2-518d-4727-975b-d04d8826e4c0", "16b47583-1c54-431f-9f09-759df7b5ddb7", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], @@ -787,10 +748,6 @@ { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" - }, - { - "dest-uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", - "type": "similar" } ], "uuid": "304650b1-a0b5-460c-9210-23a5b53815a4", @@ -805,6 +762,7 @@ "software_attack_id": "S1129", "source": "MITRE", "tags": [ + "fde14c10-e749-4c04-b97f-1d9fbd6e72e7", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -825,10 +783,6 @@ { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" - }, - { - "dest-uuid": "6f6b2353-4b39-40ce-9d6d-d00b7a61e656", - "type": "similar" } ], "uuid": "96ae0e1e-975a-5e11-adbe-c79ee17cee11", @@ -886,10 +840,6 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "05318127-5962-444b-b900-a9dcfe0ff6e9", - "type": "similar" } ], "uuid": "f173ec20-ef40-436b-a859-fef017e1e767", @@ -915,10 +865,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "5f1d4579-4e8f-48e7-860e-2da773ae432e", - "type": "similar" } ], "uuid": "9521c535-1043-4b82-ba5d-e5eaeca500ee", @@ -936,12 +882,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "dcd9548e-df9e-47c2-81f3-bc084289959d", - "type": "similar" - } - ], + "related": [], "uuid": "69aac793-9e6a-5167-bc62-823189ee2f7b", "value": "ANDROMEDA" }, @@ -954,9 +895,10 @@ "Linux", "Windows" ], - "software_attack_id": "S5274", + "software_attack_id": "S3114", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", @@ -970,6 +912,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" @@ -985,9 +931,11 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5007", + "software_attack_id": "S3027", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -1017,6 +965,18 @@ "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, + { + "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", + "type": "used-by" + }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" @@ -1088,7 +1048,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5083", + "software_attack_id": "S3191", "source": "Tidal Cyber", "tags": [ "837cf289-ad09-48ca-adf9-b46b07015666", @@ -1125,10 +1085,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "e2d34c63-6f5a-41f5-86a2-e2380f27f858", - "type": "similar" } ], "uuid": "cdeb3110-07e5-4c3d-9eef-e6f2b760ef33", @@ -1154,10 +1110,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "295721d2-ee20-4fa3-ade3-37f4146b4570", - "type": "similar" } ], "uuid": "9df2e42e-b454-46ea-b50d-2f7d999f3d42", @@ -1170,7 +1122,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5206", + "software_attack_id": "S3327", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -1191,7 +1143,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5286", + "software_attack_id": "S3001", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -1223,10 +1175,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "3161d76a-e2b2-4b97-9906-24909b735386", - "type": "similar" } ], "uuid": "7ba79887-d496-47aa-8b71-df7f46329322", @@ -1269,10 +1217,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", - "type": "similar" } ], "uuid": "45b51950-6190-4572-b1a2-7c69d865251e", @@ -1285,7 +1229,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5084", + "software_attack_id": "S3192", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -1330,10 +1274,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", - "type": "similar" } ], "uuid": "a0cce010-9158-45e5-978a-f002e5c31a03", @@ -1348,18 +1288,14 @@ "software_attack_id": "S0373", "source": "MITRE", "tags": [ + "84d9893e-e338-442a-bfc0-3148ad5f716d", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, - "related": [ - { - "dest-uuid": "edb24a93-1f7a-4bbf-a738-1397a14662c6", - "type": "similar" - } - ], + "related": [], "uuid": "ea719a35-cbe9-4503-873d-164f68ab4544", "value": "Astaroth" }, @@ -1372,15 +1308,14 @@ "software_attack_id": "S1087", "source": "MITRE", "tags": [ + "9eaf6107-4d57-4bc7-b6d2-4541d5936672", "af5e9be5-b86e-47af-91dd-966a5e34a186", "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", - "2feda37d-5579-4102-a073-aa02e82cb49f", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444" ], @@ -1400,10 +1335,6 @@ { "dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267", "type": "used-by" - }, - { - "dest-uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d", - "type": "similar" } ], "uuid": "d587efff-4699-51c7-a4cc-bdbd1b302ed4", @@ -1440,10 +1371,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", - "type": "similar" } ], "uuid": "af01dc7b-a2bc-4fda-bbfe-d2be889c2860", @@ -1456,7 +1383,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5085", + "software_attack_id": "S3194", "source": "Tidal Cyber", "tags": [ "85a29262-64bd-443c-9e08-3ee26aac859b", @@ -1478,7 +1405,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5014", + "software_attack_id": "S3008", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -1510,6 +1437,10 @@ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, + { + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -1549,9 +1480,10 @@ "platforms": [ "macOS" ], - "software_attack_id": "S5314", + "software_attack_id": "S3127", "source": "Tidal Cyber", "tags": [ + "4d767e87-4cf6-438a-927a-43d2d0beaab7", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], @@ -1575,12 +1507,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", - "type": "similar" - } - ], + "related": [], "uuid": "89c35e9f-b435-4f58-9073-f24c1ee8754f", "value": "Attor" }, @@ -1600,10 +1527,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92", - "type": "similar" } ], "uuid": "d0c25f14-5eb3-40c1-a890-2ab1349dff53", @@ -1617,6 +1540,9 @@ ], "software_attack_id": "S0129", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] @@ -1629,10 +1555,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "type": "similar" } ], "uuid": "3f927596-5219-49eb-bd0d-57068b0e04ed", @@ -1645,7 +1567,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5277", + "software_attack_id": "S3117", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -1686,10 +1608,6 @@ { "dest-uuid": "31bc763e-623f-4870-9780-86e43d732594", "type": "used-by" - }, - { - "dest-uuid": "3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5", - "type": "similar" } ], "uuid": "649a4cfc-c0d0-412d-a28c-1bd4ed604ea8", @@ -1704,6 +1622,7 @@ "software_attack_id": "S0640", "source": "MITRE", "tags": [ + "8c65cb23-442d-4855-9d80-e0ac27bcfc48", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" @@ -1712,12 +1631,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "58c5a3a1-928f-4094-9e98-a5a4e56dd5f3", - "type": "similar" - } - ], + "related": [], "uuid": "bad92974-35f6-4183-8024-b629140c6ee6", "value": "Avaddon" }, @@ -1740,10 +1654,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "36ede314-7db4-4d09-b53d-81bbfbe5f6f8", - "type": "similar" } ], "uuid": "e5ca0192-e905-46a1-abef-ce1119c1f967", @@ -1772,15 +1682,45 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0945a1a5-a79a-47c8-9079-10c16cdfcb5d", - "type": "similar" - } - ], + "related": [], "uuid": "e792dc8d-b0f4-5916-8850-a61ff53125d0", "value": "AvosLocker" }, + { + "description": "AzCopy is a command line tool that enables Azure storage data transfers. It facilitates file transfer activity for Azure Storage Explorer, another legitimate utility that has been abused by ransomware operations like the BianLian and Rhysida gangs.[[modePUSH Azure Storage Explorer September 14 2024](/references/a4c50b03-f0d7-4d29-a9de-e550be61390c)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Azure AD", + "Linux", + "macOS", + "Windows" + ], + "software_attack_id": "S3187", + "source": "Tidal Cyber", + "tags": [ + "c9c73000-30a5-4a16-8c8b-79169f9c24aa", + "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", + "8bf128ad-288b-41bc-904f-093f4fdde745", + "e1af18e3-3224-4e4c-9d0f-533768474508" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, + { + "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", + "type": "used-by" + } + ], + "uuid": "aab3287b-932a-4208-af5e-d10abffb188b", + "value": "AzCopy" + }, { "description": "[Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) has been seen used for cryptocurrency theft. [[Unit42 Azorult Nov 2018](https://app.tidalcyber.com/references/44ceddf6-bcbf-4a60-bb92-f8cdc675d185)][[Proofpoint Azorult July 2018](https://app.tidalcyber.com/references/a85c869a-3ba3-42c2-9460-d3d1f0874044)]", "meta": { @@ -1800,15 +1740,46 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080", - "type": "similar" } ], "uuid": "cc68a7f0-c955-465f-bee0-2dacbb179078", "value": "Azorult" }, + { + "description": "Azure Storage Explorer is a Microsoft application that provides a graphical interface for managing Azure storage elements, as well as file and folder download and upload capabilities. The associated AzCopy tool facilitates actual Azure Storage Explorer file transfer capabilities.[[modePUSH Azure Storage Explorer September 14 2024](/references/a4c50b03-f0d7-4d29-a9de-e550be61390c)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Azure AD", + "Linux", + "macOS", + "Windows" + ], + "software_attack_id": "S3186", + "source": "Tidal Cyber", + "tags": [ + "c9c73000-30a5-4a16-8c8b-79169f9c24aa", + "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", + "8bf128ad-288b-41bc-904f-093f4fdde745", + "e1af18e3-3224-4e4c-9d0f-533768474508" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, + { + "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", + "type": "used-by" + } + ], + "uuid": "1674b306-aa70-44f5-b373-24bb5fc51cfa", + "value": "Azure Storage Explorer" + }, { "description": "[Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) employ a \"Big Game Hunting\" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[[Sogeti CERT ESEC Babuk March 2021](https://app.tidalcyber.com/references/e85e3bd9-6ddc-4d0f-a16c-b525a75baa7e)][[McAfee Babuk February 2021](https://app.tidalcyber.com/references/bb23ca19-78bb-4406-90a4-bf82bd467e04)][[CyberScoop Babuk February 2021](https://app.tidalcyber.com/references/0a0aeacd-0976-4c84-b40d-5704afca9f0e)]", "meta": { @@ -1837,12 +1808,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "61c7a91a-0b83-461d-ad32-75d96eed4a09", - "type": "similar" - } - ], + "related": [], "uuid": "0dc07eb9-66df-4116-b1bc-7020ca6395a1", "value": "Babuk" }, @@ -1865,10 +1831,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b", - "type": "similar" } ], "uuid": "ebb824a2-abff-4bfd-87f0-d63cb02b62e6", @@ -1893,10 +1855,6 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" - }, - { - "dest-uuid": "c13d9621-aca7-436b-ab3d-3a95badb3d00", - "type": "similar" } ], "uuid": "2763ad8c-cf4e-42eb-88db-a40ff8f96cf9", @@ -1921,10 +1879,6 @@ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" - }, - { - "dest-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "type": "similar" } ], "uuid": "f7cc5974-767c-4cb4-acc7-36295a386ce5", @@ -1949,10 +1903,6 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" - }, - { - "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "type": "similar" } ], "uuid": "d0daaa00-68e1-4568-bb08-3f28bcd82c63", @@ -1965,7 +1915,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5026", + "software_attack_id": "S3028", "source": "Tidal Cyber", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", @@ -2017,10 +1967,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2", - "type": "similar" } ], "uuid": "d7aa53a5-0912-4952-8f7f-55698e933c3b", @@ -2045,10 +1991,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "57d83eac-a2ea-42b0-a7b2-c80c55157790", - "type": "similar" } ], "uuid": "8c454294-81cb-45d0-b299-818994ad3e6f", @@ -2070,10 +2012,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "3553b49d-d4ae-4fb6-ab17-0adbc520c888", - "type": "similar" } ], "uuid": "16481e0f-49d5-54c1-a1fe-16d9e7f8d08c", @@ -2095,10 +2033,6 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" - }, - { - "dest-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "type": "similar" } ], "uuid": "34c24d27-c779-42a4-9f61-3f0d3fea6fd4", @@ -2116,12 +2050,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1", - "type": "similar" - } - ], + "related": [], "uuid": "10e76722-4b52-47f6-9276-70e95fecb26b", "value": "BadPatch" }, @@ -2132,7 +2061,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5304", + "software_attack_id": "S3070", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -2174,10 +2103,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "type": "similar" } ], "uuid": "a1d86d8f-fa48-43aa-9833-7355750e455c", @@ -2192,8 +2117,6 @@ "software_attack_id": "S0234", "source": "MITRE", "tags": [ - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2feda37d-5579-4102-a073-aa02e82cb49f", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ @@ -2204,10 +2127,6 @@ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" - }, - { - "dest-uuid": "835a79f1-842d-472d-b8f4-d54b545c341b", - "type": "similar" } ], "uuid": "5c0f8c35-88ff-40a1-977a-af5ce534e932", @@ -2232,10 +2151,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8", - "type": "similar" } ], "uuid": "24b8471d-698f-48cc-b47a-8fbbaf28b293", @@ -2248,7 +2163,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5086", + "software_attack_id": "S3195", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -2269,7 +2184,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5027", + "software_attack_id": "S3029", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -2325,10 +2240,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "99fdf3b4-96ef-4ab9-b191-fc683441cad0", - "type": "similar" } ], "uuid": "b35d9817-6ead-4dbd-a2fa-4b8e217f8eac", @@ -2353,10 +2264,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "f0fc920e-57a3-4af5-89be-9ea594c8b1ea", - "type": "similar" } ], "uuid": "3daa5ae1-464e-4c0a-aa46-15264a2a0126", @@ -2374,12 +2281,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "type": "similar" - } - ], + "related": [], "uuid": "be4dab36-d499-4ac3-b204-5e309e3a5331", "value": "BBSRAT" }, @@ -2402,10 +2304,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "805480f1-6caa-4a67-8ca9-b2b39650d986", - "type": "similar" } ], "uuid": "a114a498-fcfd-4e0a-9d1e-e26750d71af8", @@ -2418,7 +2316,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5207", + "software_attack_id": "S3328", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -2439,7 +2337,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5001", + "software_attack_id": "S3010", "source": "Tidal Cyber", "tags": [ "35e694ec-5133-46e3-b7e1-5831867c3b55", @@ -2466,7 +2364,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5292", + "software_attack_id": "S3009", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -2503,10 +2401,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", - "type": "similar" } ], "uuid": "3ad98097-2d10-4aa1-9594-7e74828a3643", @@ -2531,10 +2425,6 @@ { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" - }, - { - "dest-uuid": "65ffc206-d7c1-45b3-b543-f6b726e7840d", - "type": "similar" } ], "uuid": "b898816e-610f-4c2f-9045-d9f28a54ee58", @@ -2560,10 +2450,6 @@ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" - }, - { - "dest-uuid": "fa766a65-5136-4ff3-8429-36d08eaa0100", - "type": "similar" } ], "uuid": "e7dec940-8701-4c06-9865-5b11c61c046d", @@ -2594,6 +2480,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" @@ -2625,10 +2515,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", - "type": "similar" } ], "uuid": "52a20d3d-1edd-4f17-87f0-b77c67d260b4", @@ -2643,6 +2529,7 @@ "software_attack_id": "S1070", "source": "MITRE", "tags": [ + "da5af5bf-d4f3-4bbb-9638-57ea2dc2c776", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -2664,10 +2551,6 @@ { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" - }, - { - "dest-uuid": "8d242fb4-9033-4f13-8a88-4b9b4bcd9a53", - "type": "similar" } ], "uuid": "0d5b24ba-68dc-50fa-8268-3012180fe374", @@ -2683,6 +2566,7 @@ "software_attack_id": "S1068", "source": "MITRE", "tags": [ + "d5248609-d9ed-4aad-849a-aa0476f85dea", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -2698,6 +2582,10 @@ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" @@ -2709,10 +2597,6 @@ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" - }, - { - "dest-uuid": "50c44c34-3abb-48ae-9433-a2337de5b0bc", - "type": "similar" } ], "uuid": "691369e5-ef74-5ff9-bc20-34efeb4b6c5b", @@ -2742,10 +2626,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "type": "similar" } ], "uuid": "e85e2fca-9347-4448-bfc1-342f29d5d6a1", @@ -2770,10 +2650,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "type": "similar" } ], "uuid": "908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f", @@ -2786,7 +2662,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5306", + "software_attack_id": "S3084", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -2818,10 +2694,6 @@ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" - }, - { - "dest-uuid": "63c4511b-2d6e-4bb2-b582-e2e99a8a467d", - "type": "similar" } ], "uuid": "da348a51-d047-4144-9ba4-34d2ce964a11", @@ -2835,9 +2707,10 @@ "Linux", "Windows" ], - "software_attack_id": "S5324", + "software_attack_id": "S3139", "source": "Tidal Cyber", "tags": [ + "2917207f-aa63-4c4a-b2d2-be7e16d1f25c", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "a2e000da-8181-4327-bacd-32013dbd3654", @@ -2875,10 +2748,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "01dbc71d-0ee8-420d-abb4-3dfb6a4bf725", - "type": "similar" } ], "uuid": "1af8ea81-40df-4fba-8d63-1858b8b31217", @@ -2893,6 +2762,8 @@ "software_attack_id": "S0521", "source": "MITRE", "tags": [ + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", @@ -2951,10 +2822,6 @@ { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" - }, - { - "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", - "type": "similar" } ], "uuid": "72658763-8077-451e-8572-38858f8cacf3", @@ -2979,10 +2846,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0", - "type": "similar" } ], "uuid": "3aaaaf86-638b-4a65-be18-c6e6dcdcdb97", @@ -3000,12 +2863,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4c6d62c2-89f5-4159-8fab-0190b1f9d328", - "type": "similar" - } - ], + "related": [], "uuid": "3793db4b-f843-4cfd-89d2-ec28b62feda5", "value": "Bonadan" }, @@ -3017,6 +2875,9 @@ ], "software_attack_id": "S0360", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] @@ -3025,10 +2886,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a", - "type": "similar" } ], "uuid": "d8690218-5272-47d8-8189-35d3b518e66f", @@ -3043,6 +2900,7 @@ "software_attack_id": "S0635", "source": "MITRE", "tags": [ + "15126457-d8bb-4799-9cee-b18e17ef9703", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ @@ -3053,10 +2911,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "c26f1c05-b861-4970-94dc-2f7f921a3074", - "type": "similar" } ], "uuid": "9d393f6f-855e-4348-8a26-008174e3605a", @@ -3081,10 +2935,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "56d10a7f-bb42-4267-9b4c-63abb9c06010", - "type": "similar" } ], "uuid": "74a73624-d53b-4c84-a14b-8ae964fd577c", @@ -3102,12 +2952,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", - "type": "similar" - } - ], + "related": [], "uuid": "d47a4753-80f5-494e-aad7-d033aaff0d6d", "value": "BOOTRASH" }, @@ -3130,10 +2975,6 @@ { "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d", "type": "used-by" - }, - { - "dest-uuid": "919a056e-5104-43b9-ad55-2ac929108b71", - "type": "similar" } ], "uuid": "d3e46011-3433-426c-83b3-61c2576d5f71", @@ -3155,10 +2996,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "28b97733-ef07-4414-aaa5-df50b2d30cc5", - "type": "similar" } ], "uuid": "51b27e2c-c737-4006-a657-195ea1a1f4f0", @@ -3180,10 +3017,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", - "type": "similar" } ], "uuid": "7942783c-73a7-413c-94d1-8981029a1c51", @@ -3198,6 +3031,7 @@ "software_attack_id": "S1063", "source": "MITRE", "tags": [ + "599dd679-c6a6-42b6-8b7a-29d840db2028", "e1af18e3-3224-4e4c-9d0f-533768474508", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], @@ -3209,10 +3043,6 @@ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" - }, - { - "dest-uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5", - "type": "similar" } ], "uuid": "23043b44-69a6-5cdf-8f60-5a68068680c7", @@ -3230,12 +3060,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", - "type": "similar" - } - ], + "related": [], "uuid": "c9e773de-0213-4b64-83fb-637060c8b5ed", "value": "BS2005" }, @@ -3258,10 +3083,6 @@ { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" - }, - { - "dest-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", - "type": "similar" } ], "uuid": "2be4e3d2-e8c5-4406-8041-2c17bdb3a547", @@ -3286,10 +3107,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40", - "type": "similar" } ], "uuid": "c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9", @@ -3316,10 +3133,6 @@ { "dest-uuid": "396a4361-3e84-47bc-9544-58e287c05799", "type": "used-by" - }, - { - "dest-uuid": "04378e79-4387-468a-a8f7-f974b8254e44", - "type": "similar" } ], "uuid": "cc155181-fb34-4aaf-b083-b7b57b140b7a", @@ -3334,18 +3147,14 @@ "software_attack_id": "S0482", "source": "MITRE", "tags": [ + "707e8a2b-e223-4d99-91c2-43de4b4459f6", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, - "related": [ - { - "dest-uuid": "7bef1b56-4870-4e74-b32a-7dd88c390c44", - "type": "similar" - } - ], + "related": [], "uuid": "e9873bf1-9619-4c62-b4cf-1009e83de186", "value": "Bundlore" }, @@ -3361,12 +3170,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "29a0bb87-1162-4c83-9834-2a98a876051b", - "type": "similar" - } - ], + "related": [], "uuid": "44ed9567-2cb6-590e-b332-154557fb93f9", "value": "BUSHWALK" }, @@ -3386,10 +3190,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", - "type": "similar" } ], "uuid": "7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc", @@ -3402,9 +3202,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5309", + "software_attack_id": "S3107", "source": "Tidal Cyber", "tags": [ + "83a25621-55a6-4b0d-be67-4905b6d3a1c6", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "a2e000da-8181-4327-bacd-32013dbd3654", "562e535e-19f5-4d6c-81ed-ce2aec544f09", @@ -3440,12 +3241,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b30d999d-64e0-4e35-9856-884e4b83d611", - "type": "similar" - } - ], + "related": [], "uuid": "62d0ddcd-790d-4d2d-9d94-276f54b40cf0", "value": "CaddyWiper" }, @@ -3465,10 +3261,6 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" - }, - { - "dest-uuid": "a705b085-1eae-455e-8f4d-842483d814eb", - "type": "similar" } ], "uuid": "c8a51b39-6906-4381-9bb4-4e9e612aa085", @@ -3490,10 +3282,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", - "type": "similar" } ], "uuid": "ad859a79-c183-44f6-a89a-f734710672a9", @@ -3511,12 +3299,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b8fdef82-d2cf-4948-8949-6466357b1be1", - "type": "similar" - } - ], + "related": [], "uuid": "6b5b408c-4f9d-4137-bfb1-830d12e9736c", "value": "Calisto" }, @@ -3536,10 +3319,6 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" - }, - { - "dest-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", - "type": "similar" } ], "uuid": "352ee271-89e6-4d3f-9c26-98dbab0e2986", @@ -3561,10 +3340,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d", - "type": "similar" } ], "uuid": "790e931d-2571-496d-9f48-322774a7d482", @@ -3590,10 +3365,6 @@ { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" - }, - { - "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", - "type": "similar" } ], "uuid": "4cb9294b-9e4c-41b9-b640-46213a01952d", @@ -3611,12 +3382,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "bbcd7a02-ef24-4171-ac94-a93540173b94", - "type": "similar" - } - ], + "related": [], "uuid": "df9491fd-5e24-4548-8e21-1268dce59d1f", "value": "Carberp" }, @@ -3636,10 +3402,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", - "type": "similar" } ], "uuid": "61f5d19c-1da2-43d1-ab20-51eacbca71f2", @@ -3660,12 +3422,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b879758f-bbc4-4cab-b5ba-177ac9b009b4", - "type": "similar" - } - ], + "related": [], "uuid": "fa23acef-3034-43ee-9610-4fc322f0d80b", "value": "Cardinal RAT" }, @@ -3684,12 +3441,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "5fc81b43-62b5-41b1-9113-c79ae5f030c4", - "type": "similar" - } - ], + "related": [], "uuid": "84bb4068-b441-435e-8535-02a458ffd50b", "value": "CARROTBALL" }, @@ -3705,12 +3457,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "1b9f0800-035e-4ed1-9648-b18294cc5bc8", - "type": "similar" - } - ], + "related": [], "uuid": "aefa893d-fc6e-41a9-8794-2700049db9e5", "value": "CARROTBAT" }, @@ -3730,10 +3477,6 @@ { "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "type": "used-by" - }, - { - "dest-uuid": "8d9e758b-735f-4cbc-ba7c-32cd15138b2a", - "type": "similar" } ], "uuid": "04deccb5-9850-45c3-a900-5d7039a94190", @@ -3758,15 +3501,38 @@ { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" - }, - { - "dest-uuid": "751b77e6-af1f-483b-93fe-eddf17f92a64", - "type": "similar" } ], "uuid": "ee88afaa-88bc-4c20-906f-332866388549", "value": "Caterpillar WebShell" }, + { + "description": "CBROVER is a first-stage backdoor, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3172", + "source": "Tidal Cyber", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "73ff6a0c-12fd-43d6-b2ea-2949a7f748b1", + "value": "CBROVER" + }, { "description": "CC-Attack is a publicly available script that automates the use of open, external proxy servers as part of denial of service flood attacks. Its use has been promoted among the members of the Killnet hacktivist collective.[[Flashpoint Glossary Killnet](/references/502cc03b-350b-4e2d-9436-364c43a0a203)]", "meta": { @@ -3775,7 +3541,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5062", + "software_attack_id": "S3085", "source": "Tidal Cyber", "tags": [ "62bde669-3020-4682-be68-36c83b2588a4" @@ -3808,12 +3574,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b0f13390-cec7-4814-b37c-ccec01887faa", - "type": "similar" - } - ], + "related": [], "uuid": "4eb0720c-7046-4ff1-adfd-ae603506e499", "value": "CCBkdr" }, @@ -3829,12 +3590,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a394448a-4576-41b8-81cc-9b61abad94ab", - "type": "similar" - } - ], + "related": [], "uuid": "e00c2a0c-bbe5-4eff-b0ad-b2543456a317", "value": "ccf32" }, @@ -3845,7 +3601,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5208", + "software_attack_id": "S3329", "source": "Tidal Cyber", "tags": [ "4479b9e9-d912-451a-9ad5-08b3d922422d", @@ -3860,6 +3616,33 @@ "uuid": "d9ea2696-7c47-44cd-8784-9aeef5e149ea", "value": "Cdb" }, + { + "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3158", + "source": "Tidal Cyber", + "tags": [ + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "0dc7a5a5-c304-40bb-87d7-c0f77dd84b29", + "value": "CDumper" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used for installing certificates\n\n**Author:** Ensar Samil\n\n**Paths:**\n* c:\\windows\\system32\\certoc.exe\n* c:\\windows\\syswow64\\certoc.exe\n\n**Resources:**\n* [https://twitter.com/sblmsrsn/status/1445758411803480072?s=20](https://twitter.com/sblmsrsn/status/1445758411803480072?s=20)\n* [https://twitter.com/sblmsrsn/status/1452941226198671363?s=20](https://twitter.com/sblmsrsn/status/1452941226198671363?s=20)\n\n**Detection:**\n* Sigma: [proc_creation_win_certoc_load_dll.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml)\n* IOC: Process creation with given parameter\n* IOC: Unsigned DLL load via certoc.exe\n* IOC: Network connection via certoc.exe[[CertOC.exe - LOLBAS Project](/references/b906498e-2773-419b-8c6d-3e974925ac18)]", "meta": { @@ -3867,7 +3650,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5087", + "software_attack_id": "S3197", "source": "Tidal Cyber", "tags": [ "fb909648-ee44-4871-abe6-82c909c4d677", @@ -3889,7 +3672,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5088", + "software_attack_id": "S3198", "source": "Tidal Cyber", "tags": [ "35a798a2-eaab-48a3-9ee7-5538f36a4172", @@ -3986,10 +3769,6 @@ { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" - }, - { - "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "type": "similar" } ], "uuid": "2fe21578-ee31-4ee8-b6ab-b5f76f97d043", @@ -4010,12 +3789,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "77e0ecf7-ca91-4c06-8012-8e728986a87a", - "type": "similar" - } - ], + "related": [], "uuid": "0c8efcd0-bfdf-4771-8754-18aac836c359", "value": "Chaes" }, @@ -4035,12 +3809,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5bcd5511-6756-4824-a692-e8bb109364af", - "type": "similar" - } - ], + "related": [], "uuid": "92c88765-6b12-42cd-b1d7-f6a65b2236e2", "value": "Chaos" }, @@ -4053,6 +3822,7 @@ "software_attack_id": "S0674", "source": "MITRE", "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ @@ -4063,10 +3833,6 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" - }, - { - "dest-uuid": "7acb15b6-fe2c-4319-b136-6ab36ff0b2d4", - "type": "similar" } ], "uuid": "b1e3b56f-2e83-4cab-a1c1-16999009d056", @@ -4088,10 +3854,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "type": "similar" } ], "uuid": "3f2283ef-67c2-49a3-98ac-1aa9f0499361", @@ -4113,10 +3875,6 @@ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" - }, - { - "dest-uuid": "5d3fa1db-5041-4560-b87b-8f61cc225c52", - "type": "similar" } ], "uuid": "6475bc8c-b95d-5cb3-92f0-aa7e2f18859a", @@ -4134,12 +3892,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", - "type": "similar" - } - ], + "related": [], "uuid": "2fd6f564-918e-4ee7-920a-2b4be858d11a", "value": "Cherry Picker" }, @@ -4195,10 +3948,6 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" - }, - { - "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", - "type": "similar" } ], "uuid": "723c5ab7-23ca-46f2-83bb-f1d1e550122c", @@ -4216,12 +3965,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0b639373-5f03-430e-b8f9-2fe8c8faad8e", - "type": "similar" - } - ], + "related": [], "uuid": "7c36563a-9143-4766-8aef-4e1787e18d8c", "value": "Chinoxy" }, @@ -4232,7 +3976,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5063", + "software_attack_id": "S3087", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -4274,7 +4018,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5028", + "software_attack_id": "S3030", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -4323,15 +4067,40 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "type": "similar" } ], "uuid": "01c6c49a-f7c8-44cd-a377-4dfd358ffeba", "value": "CHOPSTICK" }, + { + "description": "ChromeLoader is a \"browser hijacking\" malware that is capable of adjusting victim web browser settings and in order to redirect user traffic to advertisement websites. ChromeLoader is notable for using a relatively uncommon technique whereby PowerShell is leveraged to inject the malware into the browser and add a malicious extension to it.[[Red Canary May 25 2022](/references/bffc87ac-e51b-47e3-8a9f-547e762e95c2)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "macOS", + "Windows" + ], + "software_attack_id": "S5281", + "source": "Tidal Cyber", + "tags": [ + "9775efc2-e8ac-47de-bd2a-bb08202b48fd", + "707e8a2b-e223-4d99-91c2-43de4b4459f6", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "6d23e83f-fd4f-4802-bd01-daff7348741d", + "type": "used-by" + } + ], + "uuid": "1523b0d7-9c95-4f39-a23b-7ca347748dc6", + "value": "ChromeLoader" + }, { "description": "[Chrommme](https://app.tidalcyber.com/software/df77ed2a-f135-4f00-9a5e-79b7a6a2ed14) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://app.tidalcyber.com/software/9a117508-1d22-4fea-aa65-db670c13a5c9) malware.[[ESET Gelsemium June 2021](https://app.tidalcyber.com/references/ea28cf8c-8c92-48cb-b499-ffb7ff0e3cf5)]", "meta": { @@ -4347,15 +4116,41 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "579607c2-d046-40df-99ab-beb479c37a2a", - "type": "similar" - } - ], + "related": [], "uuid": "df77ed2a-f135-4f00-9a5e-79b7a6a2ed14", "value": "Chrommme" }, + { + "description": "A ransomware binary used by the ransomware-as-a-service (\"RaaS\") group of the same name, which was first observed in June 2024. This ransomware is written in Rust and can run on Windows and Linux/ESXi hosts. Researchers have highlighted several notable overlaps between Cicada3301 and ALPHV/BlackCat ransomware.[[Truesec AB August 30 2024](/references/de2de0a9-17d2-41c2-838b-7850762b80ae)][[Morphisec September 3 2024](/references/90549699-8815-45e8-820c-4f5a7fc584b8)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Linux", + "Windows" + ], + "software_attack_id": "S3164", + "source": "Tidal Cyber", + "tags": [ + "a2e000da-8181-4327-bacd-32013dbd3654", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "7a28cff6-80df-49e1-8457-a0305e736897", + "type": "used-by" + } + ], + "uuid": "a45b2ee6-43dd-47e8-9846-385a06c0c9ac", + "value": "Cicada3301" + }, { "description": "[Clambling](https://app.tidalcyber.com/software/4bac93bd-7e58-4ddb-a205-d99597b9e65e) is a modular backdoor written in C++ that has been used by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) since at least 2017.[[Trend Micro DRBControl February 2020](https://app.tidalcyber.com/references/4dfbf26d-023b-41dd-82c8-12fe18cb10e6)]", "meta": { @@ -4372,10 +4167,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "6e95feb1-78ee-48d3-b421-4d76663b5c49", - "type": "similar" } ], "uuid": "4bac93bd-7e58-4ddb-a205-d99597b9e65e", @@ -4388,7 +4179,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5257", + "software_attack_id": "S3378", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -4409,7 +4200,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5255", + "software_attack_id": "S3376", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -4430,7 +4221,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5256", + "software_attack_id": "S3377", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -4453,8 +4244,7 @@ "software_attack_id": "S0611", "source": "MITRE", "tags": [ - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2feda37d-5579-4102-a073-aa02e82cb49f", + "0629ccb3-83b1-4aeb-a9cb-1585b6b21542", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "b15c16f7-b8c7-4962-9acc-a98a39f87b69", "b18b5401-d88d-4f28-8f50-a884a5e58349", @@ -4483,10 +4273,6 @@ { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" - }, - { - "dest-uuid": "cad3ba95-8c89-4146-ab10-08daa813f9de", - "type": "similar" } ], "uuid": "5321aa75-924c-47ae-b97a-b36f023abf2a", @@ -4499,7 +4285,7 @@ "platforms": [ "macOS" ], - "software_attack_id": "S5316", + "software_attack_id": "S3129", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -4532,10 +4318,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", - "type": "similar" } ], "uuid": "b3dd424b-ee96-449c-aa52-abbc7d4dfb86", @@ -4564,6 +4346,10 @@ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" + }, { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" @@ -4691,10 +4477,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "type": "similar" } ], "uuid": "98d89476-63ec-4baf-b2b3-86c52170f5d8", @@ -4707,7 +4489,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5089", + "software_attack_id": "S3201", "source": "Tidal Cyber", "tags": [ "96bff827-e51f-47de-bde6-d2eec0f99767", @@ -4734,7 +4516,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5090", + "software_attack_id": "S3202", "source": "Tidal Cyber", "tags": [ "4c8f8830-0b2c-4c79-b1db-8659ede492f0", @@ -4756,7 +4538,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5091", + "software_attack_id": "S3203", "source": "Tidal Cyber", "tags": [ "65938118-2f00-48a1-856e-d1a75a08e3c6", @@ -4789,12 +4571,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0c242cc5-58d3-4fe3-a866-b00a4b6fb817", - "type": "similar" - } - ], + "related": [], "uuid": "fbd3f71a-e123-5527-908c-9e7ea0d646e8", "value": "COATHANGER" }, @@ -4834,6 +4611,10 @@ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", "type": "used-by" @@ -4977,10 +4758,6 @@ { "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", "type": "used-by" - }, - { - "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", - "type": "similar" } ], "uuid": "9b6bcbba-3ab4-4a4c-a233-cd12254823f6", @@ -4995,7 +4772,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5057", + "software_attack_id": "S3080", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -5029,12 +4806,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "aa1462a1-d065-416c-b354-bedd04998c7f", - "type": "similar" - } - ], + "related": [], "uuid": "d4e6f9f7-7f4d-47c2-be24-b267d9317303", "value": "Cobian RAT" }, @@ -5045,7 +4817,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5185", + "software_attack_id": "S3306", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -5071,12 +4843,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "d1531eaa-9e17-473e-a680-3298469662c3", - "type": "similar" - } - ], + "related": [], "uuid": "b0d9b31a-072b-4744-8d2f-3a63256a932f", "value": "CoinTicker" }, @@ -5087,7 +4854,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5092", + "software_attack_id": "S3204", "source": "Tidal Cyber", "tags": [ "884eb1b1-aede-4db0-8443-ba50624682e1", @@ -5114,12 +4881,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", - "type": "similar" - } - ], + "related": [], "uuid": "341fc709-4908-4e41-8df3-554dae6d72b0", "value": "Comnie" }, @@ -5142,10 +4904,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", - "type": "similar" } ], "uuid": "300c5997-a486-4a61-8213-93a180c22849", @@ -5158,7 +4916,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5202", + "software_attack_id": "S3323", "source": "Tidal Cyber", "tags": [ "758c3085-2f79-40a8-ab95-f8a684737927", @@ -5203,12 +4961,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "58eddbaf-7416-419a-ad7b-e65b9d4c3b55", - "type": "similar" - } - ], + "related": [], "uuid": "ef33f1fa-18a3-4b30-b359-17b7930f43a7", "value": "Conficker" }, @@ -5219,7 +4972,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5093", + "software_attack_id": "S3205", "source": "Tidal Cyber", "tags": [ "d99039e1-e677-4226-8b63-e698d6642535", @@ -5241,7 +4994,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5094", + "software_attack_id": "S3206", "source": "Tidal Cyber", "tags": [ "ea54037d-e07b-42b0-afe6-33576ec36f44", @@ -5287,6 +5040,18 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, + { + "dest-uuid": "7a28cff6-80df-49e1-8457-a0305e736897", + "type": "used-by" + }, + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" @@ -5310,10 +5075,6 @@ { "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", "type": "used-by" - }, - { - "dest-uuid": "842976c7-f9c8-41b2-8371-41dc64fbe261", - "type": "similar" } ], "uuid": "6f9bb24d-cce2-49de-bedd-1849d9bde7a0", @@ -5328,6 +5089,7 @@ "software_attack_id": "S0575", "source": "MITRE", "tags": [ + "a3d78265-f5b3-4254-8af5-c629dbb795d4", "64d3f7d8-30b7-4b03-bee2-a6029672216c", "375983b3-6e87-4281-99e2-1561519dd17b", "3ed2343c-a29c-42e2-8259-410381164c6a", @@ -5359,10 +5121,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "4dea7d8e-af94-4bfb-afe4-7ff54f59308b", - "type": "similar" } ], "uuid": "8e995c29-2759-4aeb-9a0f-bb7cd97b06e5", @@ -5375,7 +5133,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5095", + "software_attack_id": "S3207", "source": "Tidal Cyber", "tags": [ "53ac2b35-d302-4bdd-9931-5b6c6cb31b96", @@ -5402,12 +5160,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "eedc01d5-95e6-4d21-bcd4-1121b1df4586", - "type": "similar" - } - ], + "related": [], "uuid": "6e2c4aef-2f69-4507-9ee3-55432d76341e", "value": "CookieMiner" }, @@ -5430,10 +5183,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e", - "type": "similar" } ], "uuid": "f13c8455-d615-4f8d-9d9c-5b31e593cd8a", @@ -5446,7 +5195,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5209", + "software_attack_id": "S3330", "source": "Tidal Cyber", "tags": [ "a19a158e-aec4-410a-8c3e-e9080b111183", @@ -5480,15 +5229,36 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "type": "similar" } ], "uuid": "3b193f62-2b49-4eff-bdf4-501fb8a28274", "value": "CORESHELL" }, + { + "description": "Corona is a suspected variant of the popular Mirai botnet, which has been observed since at least 2020 (its name likely relates to the COVID-19 pandemic).[[Akamai Corona Zero-Day August 28 2024](/references/140284f8-075c-4225-99dd-519ba5cebabe)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Linux" + ], + "software_attack_id": "S3167", + "source": "Tidal Cyber", + "tags": [ + "55cb344a-cbd5-4fd1-a1e9-30bbc956527e", + "f925e659-1120-4b76-92b6-071a7fb757d6", + "06236145-e9d6-461c-b7e4-284b3de5f561", + "a98d7a43-f227-478e-81de-e7299639a355", + "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a", + "e809d252-12cc-494d-94f5-954c49eb87ce" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "e4e37a06-ee31-44bf-a818-efa236ada136", + "value": "Corona (Mirai Botnet Variant)" + }, { "description": "[CosmicDuke](https://app.tidalcyber.com/software/43b317c6-5b4f-47b8-b7b4-15cd6f455091) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2010 to 2015. [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", "meta": { @@ -5508,10 +5278,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "type": "similar" } ], "uuid": "43b317c6-5b4f-47b8-b7b4-15cd6f455091", @@ -5529,12 +5295,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5d342981-5194-41e7-b33f-8e91998d7d88", - "type": "similar" - } - ], + "related": [], "uuid": "ea9e2d19-89fe-4039-a1e0-467b14554c6f", "value": "CostaBricks" }, @@ -5557,10 +5318,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "type": "similar" } ], "uuid": "c2353daa-fd4c-44e1-8013-55400439965a", @@ -5575,6 +5332,12 @@ "software_attack_id": "S0488", "source": "MITRE", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "e81ba503-60b0-4b64-8f20-ef93e7783796" @@ -5603,10 +5366,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "c4810609-7da6-48ec-8057-1b70a7814db0", - "type": "similar" } ], "uuid": "47e710b4-1397-47cf-a979-20891192f313", @@ -5619,7 +5378,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5210", + "software_attack_id": "S3331", "source": "Tidal Cyber", "tags": [ "7beee233-2b65-4593-88e6-a5c0c02c6a08", @@ -5641,7 +5400,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5074", + "software_attack_id": "S3099", "source": "Tidal Cyber", "tags": [ "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", @@ -5682,10 +5441,6 @@ { "dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315", "type": "used-by" - }, - { - "dest-uuid": "750eb92a-7fdf-451e-9592-1d42357018f1", - "type": "similar" } ], "uuid": "7f7f05c3-fbb1-475e-b672-2113709065c8", @@ -5707,10 +5462,6 @@ { "dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315", "type": "used-by" - }, - { - "dest-uuid": "d23de441-f9cf-4802-b1ff-f588a11a896b", - "type": "similar" } ], "uuid": "11ce380c-481b-4c9b-b44e-06f1a91c01c1", @@ -5735,10 +5486,6 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" - }, - { - "dest-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "type": "similar" } ], "uuid": "3b3f296f-20a6-459a-98c5-62ebdee3701f", @@ -5762,10 +5509,6 @@ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" - }, - { - "dest-uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", - "type": "similar" } ], "uuid": "38811c3b-f548-43fa-ab26-c7243b84a055", @@ -5787,10 +5530,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "925a6c52-5cf0-4fec-99de-b0d6917d8593", - "type": "similar" } ], "uuid": "e1ad229b-d750-4148-a1f3-36e767b03cd1", @@ -5812,10 +5551,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "a04d9a4c-bb52-40bf-98ec-e350c2d6a862", - "type": "similar" } ], "uuid": "12ce6d04-ebe5-440e-b342-0283b7c8a0c8", @@ -5828,7 +5563,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5096", + "software_attack_id": "S3208", "source": "Tidal Cyber", "tags": [ "2ee25dd6-256c-4659-b1b6-f5afc943ccc1", @@ -5855,7 +5590,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5097", + "software_attack_id": "S3209", "source": "Tidal Cyber", "tags": [ "7cae5f59-dbbf-406f-928d-118430d2bdd0", @@ -5877,7 +5612,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5211", + "software_attack_id": "S3332", "source": "Tidal Cyber", "tags": [ "86bb7f3c-652c-4f77-af2a-34677ff42315", @@ -5908,10 +5643,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "5256c0f8-9108-4c92-8b09-482dfacdcd94", - "type": "similar" } ], "uuid": "eb481db6-d7ba-4873-a171-76a228c9eb97", @@ -5955,10 +5686,6 @@ { "dest-uuid": "c2015888-72c0-4367-b2cf-df85688a56b7", "type": "used-by" - }, - { - "dest-uuid": "6cd07296-14aa-403d-9229-6343d03d4752", - "type": "similar" } ], "uuid": "095064c6-144e-4935-b878-f82151bc08e4", @@ -5971,7 +5698,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5098", + "software_attack_id": "S3210", "source": "Tidal Cyber", "tags": [ "536c3d51-9fc4-445e-9723-e11b69f0d6d5", @@ -6006,10 +5733,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "b350b47f-88fe-4921-8538-6d9c59bac84e", - "type": "similar" } ], "uuid": "68792756-7dbf-41fd-8d48-ac3cc2b52712", @@ -6033,10 +5756,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", - "type": "similar" } ], "uuid": "9d521c18-09f0-47be-bfe5-e1bf26f7b928", @@ -6061,10 +5780,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "b8d48deb-450c-44f6-a934-ac8765aa89cb", - "type": "similar" } ], "uuid": "131c0eb2-9191-4ccd-a2d6-5f36046a8f2f", @@ -6097,10 +5812,6 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" - }, - { - "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", - "type": "similar" } ], "uuid": "74f88899-56d0-4de8-97de-539b3590ab90", @@ -6115,6 +5826,7 @@ "software_attack_id": "S1111", "source": "MITRE", "tags": [ + "7b774e30-5065-41bd-85e2-e02d09e419ed", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ @@ -6125,10 +5837,6 @@ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" - }, - { - "dest-uuid": "6f6f67c9-556d-4459-95c2-78d272190e52", - "type": "similar" } ], "uuid": "39d81c48-8f7c-54cb-8fac-485598e31a55", @@ -6171,12 +5879,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5faaf81a-aa5b-4a4b-bae5-522439e068f8", - "type": "similar" - } - ], + "related": [], "uuid": "35abcb6b-3259-57c1-94fc-50cfd5bde786", "value": "DarkTortilla" }, @@ -6195,12 +5898,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "63686509-069b-4143-99ea-4e59cad6cb2a", - "type": "similar" - } - ], + "related": [], "uuid": "740a0327-4caf-4d90-8b51-f3f9a4d59b37", "value": "DarkWatchman" }, @@ -6220,10 +5918,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "type": "similar" } ], "uuid": "fad65026-57c4-4d4f-8803-87178dd4b887", @@ -6236,7 +5930,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5099", + "software_attack_id": "S3211", "source": "Tidal Cyber", "tags": [ "0576be43-65c6-4d1a-8a06-ed8232ca0120", @@ -6258,7 +5952,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5287", + "software_attack_id": "S3002", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -6293,10 +5987,6 @@ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" - }, - { - "dest-uuid": "5633ffd3-81ef-4f98-8f93-4896b03998f0", - "type": "similar" } ], "uuid": "26ae3cd1-6710-4807-b674-957bd67d3e76", @@ -6315,10 +6005,6 @@ { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" - }, - { - "dest-uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", - "type": "similar" } ], "uuid": "0657b804-a889-400a-97d7-a4989809a623", @@ -6339,12 +6025,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c46eb8e6-bf29-4696-8008-3ddb0b4ca470", - "type": "similar" - } - ], + "related": [], "uuid": "e9533664-90c5-5b40-a40e-a69a2eda8bc9", "value": "DEADEYE" }, @@ -6367,10 +6048,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658", - "type": "similar" } ], "uuid": "64dc5d44-2304-4875-b517-316ab98512c2", @@ -6392,12 +6069,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "6de9cad1-eed2-4e27-b0b5-39fa29349ea0", - "type": "similar" - } - ], + "related": [], "uuid": "832f5ab1-1267-40c9-84ef-f32d6373be4e", "value": "DEATHRANSOM" }, @@ -6408,7 +6080,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5212", + "software_attack_id": "S3333", "source": "Tidal Cyber", "tags": [ "4f7be515-680e-4375-81f6-c71c83dd440d", @@ -6430,7 +6102,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5029", + "software_attack_id": "S3031", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -6477,10 +6149,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a", - "type": "similar" } ], "uuid": "df4002d2-f557-4f95-af7a-9a4582fb7068", @@ -6493,7 +6161,7 @@ "platforms": [ "IaaS" ], - "software_attack_id": "S5313", + "software_attack_id": "S3126", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -6541,10 +6209,6 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" - }, - { - "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "type": "similar" } ], "uuid": "9222aa77-922e-43c7-89ad-71067c428fb2", @@ -6557,7 +6221,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5188", + "software_attack_id": "S3309", "source": "Tidal Cyber", "tags": [ "7ad2b1d5-c228-4bf5-bf8e-c80a8fef0079", @@ -6579,7 +6243,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5100", + "software_attack_id": "S3212", "source": "Tidal Cyber", "tags": [ "acc0e091-a071-4e83-b0b1-4f3adebeafa3", @@ -6601,7 +6265,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5101", + "software_attack_id": "S3213", "source": "Tidal Cyber", "tags": [ "2a08c2eb-e90e-4bdb-a2dd-9da06de7ed25", @@ -6623,7 +6287,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5213", + "software_attack_id": "S3334", "source": "Tidal Cyber", "tags": [ "bb814941-0155-49b1-8f93-39626d4f0ddd", @@ -6645,7 +6309,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5214", + "software_attack_id": "S3335", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -6666,7 +6330,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5252", + "software_attack_id": "S3373", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -6687,7 +6351,7 @@ "platforms": [ "Linux" ], - "software_attack_id": "S5021", + "software_attack_id": "S3059", "source": "Tidal Cyber", "tags": [ "a98d7a43-f227-478e-81de-e7299639a355", @@ -6708,7 +6372,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5189", + "software_attack_id": "S3310", "source": "Tidal Cyber", "tags": [ "91fd24c3-f371-4c3b-b997-cd85e25c0967", @@ -6730,7 +6394,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5102", + "software_attack_id": "S3214", "source": "Tidal Cyber", "tags": [ "18d6d91d-7df0-44c8-88fe-986d9ba00b8d", @@ -6752,7 +6416,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5103", + "software_attack_id": "S3215", "source": "Tidal Cyber", "tags": [ "96f9b39f-0c59-48a0-9702-01920c1293a7", @@ -6787,10 +6451,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "4e9bdf9a-4957-47f6-87b3-c76898d3f623", - "type": "similar" } ], "uuid": "d057b6e7-1de4-4f2f-b374-7e879caecd67", @@ -6812,10 +6472,6 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" - }, - { - "dest-uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", - "type": "similar" } ], "uuid": "226ee563-4d49-48c2-aa91-82999f43ce30", @@ -6837,10 +6493,6 @@ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" - }, - { - "dest-uuid": "e1445afd-c359-45ed-8f27-626dc4d5e157", - "type": "similar" } ], "uuid": "194314e3-4edc-5346-96b6-d2d7bf5d830a", @@ -6853,7 +6505,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5104", + "software_attack_id": "S3216", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -6874,7 +6526,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5016", + "software_attack_id": "S3217", "source": "Tidal Cyber", "tags": [ "a45f9597-09c4-4e70-a7d3-d8235d2451a3", @@ -6919,10 +6571,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "8a2867f9-e8fc-4bf1-a860-ef6e46311900", - "type": "similar" } ], "uuid": "e69a913d-4ddc-4d69-9961-25a31cae5899", @@ -6935,7 +6583,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5215", + "software_attack_id": "S3336", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -6968,10 +6616,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", - "type": "similar" } ], "uuid": "81ce23c0-f505-4d75-9928-4fbd627d3bc2", @@ -6989,12 +6633,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f36b2598-515f-4345-84e5-5ccde253edbe", - "type": "similar" - } - ], + "related": [], "uuid": "dfa14314-3c64-4a10-9889-0423b884f7aa", "value": "Dok" }, @@ -7014,12 +6653,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4f1c389e-a80e-4a3e-9b0e-9be8c91df64f", - "type": "similar" - } - ], + "related": [], "uuid": "e6160c55-1868-47bd-bec6-7becbf236bbb", "value": "Doki" }, @@ -7043,10 +6677,6 @@ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" - }, - { - "dest-uuid": "a7b5df47-73bb-4d47-b701-869f185633a6", - "type": "similar" } ], "uuid": "40d25a38-91f4-4e07-bb97-8866bed8e44f", @@ -7059,7 +6689,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5216", + "software_attack_id": "S3337", "source": "Tidal Cyber", "tags": [ "09c24b93-bf06-4cbb-acb0-d7b9657a41dc", @@ -7074,6 +6704,33 @@ "uuid": "1bcd9c93-0944-4671-ab01-cabc5ffe30bf", "value": "Dotnet" }, + { + "description": "DOWNBAIT is a downloader, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3177", + "source": "Tidal Cyber", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "bd55fa7c-7747-4d3d-8176-e6c56870b2a3", + "value": "DOWNBAIT" + }, { "description": "[Downdelph](https://app.tidalcyber.com/software/f7b64b81-f9e7-46bf-8f63-6d7520da832c) is a first-stage downloader written in Delphi that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) in rare instances between 2013 and 2015. [[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)]", "meta": { @@ -7093,10 +6750,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "type": "similar" } ], "uuid": "f7b64b81-f9e7-46bf-8f63-6d7520da832c", @@ -7121,10 +6774,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "8be7c69e-d8e3-4970-9668-61de08e508cc", - "type": "similar" } ], "uuid": "20b796cf-6c90-4928-999e-88107078e15e", @@ -7138,6 +6787,9 @@ ], "software_attack_id": "S0186", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] @@ -7146,10 +6798,6 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" - }, - { - "dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "type": "similar" } ], "uuid": "fc433c9d-a7fe-4915-8aa0-06b58f288249", @@ -7167,12 +6815,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "56aa3c82-ed40-4b5a-84bf-7231356d9e96", - "type": "similar" - } - ], + "related": [], "uuid": "c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf", "value": "DRATzarus" }, @@ -7199,10 +6842,6 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", - "type": "similar" } ], "uuid": "e3cd4405-b698-41d9-88e4-fff29e7a19e2", @@ -7224,10 +6863,6 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" - }, - { - "dest-uuid": "3ae6097d-d700-46c6-8b21-42fc0bcb48fa", - "type": "similar" } ], "uuid": "9c44d3f9-7a7b-4716-9cfa-640b36548ab0", @@ -7254,10 +6889,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "99164b38-1775-40bc-b77b-a2373b14540a", - "type": "similar" } ], "uuid": "bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b", @@ -7270,7 +6901,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5217", + "software_attack_id": "S3338", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -7310,10 +6941,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", - "type": "similar" } ], "uuid": "06402bdc-a4a1-4e4a-bfc4-09f2c159af75", @@ -7338,10 +6965,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "f8774023-8021-4ece-9aca-383ac89d2759", - "type": "similar" } ], "uuid": "aa21462d-9653-48eb-a82e-5c93c9db5f7a", @@ -7354,7 +6977,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5218", + "software_attack_id": "S3339", "source": "Tidal Cyber", "tags": [ "0f09c7f5-ba57-4ef0-a196-e85558804496", @@ -7369,6 +6992,34 @@ "uuid": "13482336-e22b-48e9-bd49-c6e6fc6612ec", "value": "Dump64" }, + { + "description": "Dumpert is an open-source tool that provides credential dumping capabilities. It has been leveraged by adversaries including North Korean state-sponsored espionage groups.[[GitHub outflanknl Dumpert](/references/ab375812-def9-4491-a69f-62755fb26910)][[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3166", + "source": "Tidal Cyber", + "tags": [ + "bdeef9bf-b9d5-41ec-9d4c-0315709639a2", + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" + ], + "type": [ + "tool" + ] + }, + "related": [], + "uuid": "0ffc1b99-5ca1-4af4-95c7-7a311a32f911", + "value": "Dumpert" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Dump tool part Visual Studio 2022\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\Extensions\\TestPlatform\\Extensions\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1511415432888131586](https://twitter.com/mrd0x/status/1511415432888131586)\n\n**Detection:**\n* Sigma: [proc_creation_win_dumpminitool_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml)\n* Sigma: [proc_creation_win_dumpminitool_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml)\n* Sigma: [proc_creation_win_devinit_lolbin_usage.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml)[[DumpMinitool.exe - LOLBAS Project](/references/4634e025-c005-46fe-b97c-5d7dda455ba0)]", "meta": { @@ -7376,7 +7027,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5219", + "software_attack_id": "S3340", "source": "Tidal Cyber", "tags": [ "3b6ad94f-83ce-47bf-b82d-b98358d23434", @@ -7406,12 +7057,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "type": "similar" - } - ], + "related": [], "uuid": "d4a664e5-9819-4f33-8b2b-e6f8e6a64999", "value": "Duqu" }, @@ -7434,10 +7080,6 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" - }, - { - "dest-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "type": "similar" } ], "uuid": "77506f02-104f-4aac-a4e0-9649bd7efe2e", @@ -7450,7 +7092,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5220", + "software_attack_id": "S3341", "source": "Tidal Cyber", "tags": [ "6d065f28-e32d-4e87-b315-c43ebc45532a", @@ -7481,10 +7123,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", - "type": "similar" } ], "uuid": "38e012f7-fb3a-4250-a129-92da3a488724", @@ -7497,7 +7135,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5013", + "software_attack_id": "S3053", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -7541,10 +7179,6 @@ { "dest-uuid": "eeb69751-8c22-4a5f-8da2-239cc7d7746c", "type": "used-by" - }, - { - "dest-uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51", - "type": "similar" } ], "uuid": "2375465a-e6a9-40ab-b631-a5b04cf5c689", @@ -7570,10 +7204,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42", - "type": "similar" } ], "uuid": "70f703b3-0e24-4ffe-9772-f0e386ec607f", @@ -7595,10 +7225,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3", - "type": "similar" } ], "uuid": "6508d3dc-eb22-468c-9122-dcf541caa69c", @@ -7611,7 +7237,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5332", + "software_attack_id": "S3147", "source": "Tidal Cyber", "tags": [ "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", @@ -7626,11 +7252,72 @@ { "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" + }, + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" } ], "uuid": "1233436f-2a00-4557-89a4-8cbc45e6f9f7", "value": "EDRKillShifter" }, + { + "description": "An open-source, multi-purpose tool with defense evasion, credential dumping, and privilege escalation capabilities, observed in use during ransomware intrusions.[[GitHub wavestone-cdt EDRSandBlast](/references/228dd3e1-1952-447c-a500-31663a2efe45)][[Morphisec September 3 2024](/references/90549699-8815-45e8-820c-4f5a7fc584b8)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3165", + "source": "Tidal Cyber", + "tags": [ + "835c9c79-3824-41ec-8d5a-1e2526e89e0b", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", + "7de7d799-f836-4555-97a4-0db776eb6932", + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "e1af18e3-3224-4e4c-9d0f-533768474508", + "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "7a28cff6-80df-49e1-8457-a0305e736897", + "type": "used-by" + } + ], + "uuid": "fbd2d7b0-0aa8-459f-8bfa-16daae769282", + "value": "EDRSandBlast" + }, + { + "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3157", + "source": "Tidal Cyber", + "tags": [ + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "d1279b84-11f4-4804-9e5e-05c650960aac", + "value": "Edumper" + }, { "description": "[Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between [Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) and Sekhmet ransomware, as well as [Maze](https://app.tidalcyber.com/software/3c206491-45c0-4ff7-9f40-45f9aae4de64) ransomware.[[NHS Digital Egregor Nov 2020](https://app.tidalcyber.com/references/92f74037-2a20-4667-820d-2ccc0e4dbd3d)][[Cyble Egregor Oct 2020](https://app.tidalcyber.com/references/545a131d-88fc-4b34-923c-0b759b45fc7f)][[Security Boulevard Egregor Oct 2020](https://app.tidalcyber.com/references/cd37a000-9e15-45a3-a7c9-bb508c10e55d)]", "meta": { @@ -7650,12 +7337,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "cc4c1287-9c86-4447-810c-744f3880ec37", - "type": "similar" - } - ], + "related": [], "uuid": "0e36b62f-a6e2-4406-b3d9-e05204e14a66", "value": "Egregor" }, @@ -7676,12 +7358,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "00e7d565-9883-4ee5-b642-8fd17fd6a3f5", - "type": "similar" - } - ], + "related": [], "uuid": "cd7821cb-32f3-4d81-a5d1-0cdee94a15c4", "value": "EKANS" }, @@ -7693,7 +7370,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5330", + "software_attack_id": "S3145", "source": "Tidal Cyber", "tags": [ "a2e000da-8181-4327-bacd-32013dbd3654", @@ -7735,10 +7412,6 @@ { "dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52", "type": "used-by" - }, - { - "dest-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "type": "similar" } ], "uuid": "fd5efee9-8710-4536-861f-c88d882f4d24", @@ -7760,10 +7433,6 @@ { "dest-uuid": "06a05175-0812-44f5-a529-30eba07d1762", "type": "used-by" - }, - { - "dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", - "type": "similar" } ], "uuid": "6a3ca97e-6dd6-44e5-a5f0-7225099ab474", @@ -7785,10 +7454,6 @@ { "dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52", "type": "used-by" - }, - { - "dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "type": "similar" } ], "uuid": "fd95d38d-83f9-4b31-8292-ba2b04275b36", @@ -7823,10 +7488,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", - "type": "similar" } ], "uuid": "c987d255-a351-4736-913f-91e2f28d0654", @@ -7926,10 +7587,6 @@ { "dest-uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533", "type": "used-by" - }, - { - "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", - "type": "similar" } ], "uuid": "fea655ac-558f-4dd0-867f-9a5553626207", @@ -7944,6 +7601,7 @@ "software_attack_id": "S0634", "source": "MITRE", "tags": [ + "542316f4-baf4-4cf7-929b-b1deed09d23b", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ @@ -7954,10 +7612,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "2f8229dc-da94-41c6-89ba-b5b6c32f6b7d", - "type": "similar" } ], "uuid": "8da6fbf0-a18d-49a0-9235-101300d49d5e", @@ -7982,10 +7636,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", - "type": "similar" } ], "uuid": "a7e71387-b276-413c-a0de-4cf07e39b158", @@ -8016,10 +7666,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27", - "type": "similar" } ], "uuid": "a7589733-6b04-4215-a4e7-4b62cd4610fa", @@ -8032,7 +7678,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5105", + "software_attack_id": "S3219", "source": "Tidal Cyber", "tags": [ "59d03fb8-0620-468a-951c-069473cb86bc", @@ -8059,12 +7705,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a8a778f5-0035-4870-bb25-53dc05029586", - "type": "similar" - } - ], + "related": [], "uuid": "300e8176-e7ee-44ef-8d10-dff96502f6c6", "value": "EvilBunny" }, @@ -8075,7 +7716,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5078", + "software_attack_id": "S3103", "source": "Tidal Cyber", "tags": [ "fe28cf32-a15c-44cf-892c-faa0360d6109", @@ -8119,10 +7760,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "type": "similar" } ], "uuid": "e862419c-d6b6-4433-a02a-c1cc98ea6f9e", @@ -8147,10 +7784,6 @@ { "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", "type": "used-by" - }, - { - "dest-uuid": "7cdfccda-2950-4167-981a-60872ff5d0db", - "type": "similar" } ], "uuid": "e0eaae6d-5137-4053-bf37-ff90bf5767a9", @@ -8172,10 +7805,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "11194d8b-fdce-45d2-8047-df15bb8f16bd", - "type": "similar" } ], "uuid": "c773f709-b5fe-4514-9d88-24ceb0dd8063", @@ -8197,10 +7826,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5", - "type": "similar" } ], "uuid": "21569dfb-c9f1-468e-903e-348f19dbae1f", @@ -8213,7 +7838,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5221", + "software_attack_id": "S3342", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -8234,7 +7859,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5054", + "software_attack_id": "S3077", "source": "Tidal Cyber", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745" @@ -8269,12 +7894,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "ca656c25-44f1-471b-9d9f-e2a3bbb84973", - "type": "similar" - } - ], + "related": [], "uuid": "5d7a39e3-c667-45b3-987e-3b0ca49cff61", "value": "Expand" }, @@ -8285,7 +7905,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5106", + "software_attack_id": "S3221", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -8324,10 +7944,6 @@ { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" - }, - { - "dest-uuid": "6a21e3a4-5ffe-4581-af9a-6a54c7536f44", - "type": "similar" } ], "uuid": "572eec55-2855-49ac-a82e-2c21e9aca27e", @@ -8340,7 +7956,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5107", + "software_attack_id": "S3222", "source": "Tidal Cyber", "tags": [ "5b81675a-742a-4ffd-b410-44ce3f1b0831", @@ -8362,7 +7978,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5030", + "software_attack_id": "S3032", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -8397,7 +8013,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5108", + "software_attack_id": "S3223", "source": "Tidal Cyber", "tags": [ "92092803-19a9-4288-b7fb-08e92e8ea693", @@ -8428,10 +8044,6 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" - }, - { - "dest-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "type": "similar" } ], "uuid": "8c64a330-1457-4c32-ab2f-12b6eb37d607", @@ -8444,7 +8056,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5321", + "software_attack_id": "S3136", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -8481,10 +8093,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "type": "similar" } ], "uuid": "ea47f1fd-0171-4254-8c92-92b7a5eec5e1", @@ -8509,15 +8117,38 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "54a01db0-9fab-4d5f-8209-53cef8425f4a", - "type": "similar" } ], "uuid": "997ff740-1b00-40b6-887a-ef4101e93295", "value": "FatDuke" }, + { + "description": "FDMTP is a downloader, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3173", + "source": "Tidal Cyber", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "8e623e62-524f-43de-934c-3792bfd69d3f", + "value": "FDMTP" + }, { "description": "[Felismus](https://app.tidalcyber.com/software/c66ed8ab-4692-4948-820e-5ce87cc78db5) is a modular backdoor that has been used by [Sowbug](https://app.tidalcyber.com/groups/6632f07f-7c6b-4d12-8544-82edc6a7a577). [[Symantec Sowbug Nov 2017](https://app.tidalcyber.com/references/14f49074-fc46-45d3-bf7e-30c896c39c07)] [[Forcepoint Felismus Mar 2017](https://app.tidalcyber.com/references/23b94586-3856-4937-9b02-4fe184b7ba01)]", "meta": { @@ -8534,10 +8165,6 @@ { "dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577", "type": "used-by" - }, - { - "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "type": "similar" } ], "uuid": "c66ed8ab-4692-4948-820e-5ce87cc78db5", @@ -8555,12 +8182,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "cf8df906-179c-4a78-bd6e-6605e30f6624", - "type": "similar" - } - ], + "related": [], "uuid": "4b1a07cd-4c1f-4d93-a454-07fd59b3039a", "value": "FELIXROOT" }, @@ -8580,10 +8202,6 @@ { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" - }, - { - "dest-uuid": "73d08401-005f-4e1f-90b9-8f45d120879f", - "type": "similar" } ], "uuid": "3e54ba7a-fd4c-477f-9c2d-34b4f69fc091", @@ -8601,12 +8219,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", - "type": "similar" - } - ], + "related": [], "uuid": "1bbf04bb-d869-48c5-a538-70a25503de1d", "value": "Fgdump" }, @@ -8617,7 +8230,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5031", + "software_attack_id": "S3033", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -8676,10 +8289,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", - "type": "similar" } ], "uuid": "eb4dc358-e353-47fc-8207-b7cb10d580f7", @@ -8692,7 +8301,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5109", + "software_attack_id": "S3224", "source": "Tidal Cyber", "tags": [ "6ca537bb-94b6-4b12-8978-6250baa6a5cb", @@ -8733,10 +8342,6 @@ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" - }, - { - "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", - "type": "similar" } ], "uuid": "41f54ce1-842c-428a-977f-518a5b63b4d7", @@ -8749,7 +8354,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5110", + "software_attack_id": "S3225", "source": "Tidal Cyber", "tags": [ "1da4f610-4c54-46a3-b9b3-c38a002b623e", @@ -8787,10 +8392,6 @@ { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" - }, - { - "dest-uuid": "f464354c-7103-47c6-969b-8766f0157ed2", - "type": "similar" } ], "uuid": "84187393-2fe9-4136-8720-a6893734ee8c", @@ -8815,10 +8416,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "592260fb-dd5c-4a30-8d99-106a0485be0d", - "type": "similar" } ], "uuid": "977aaf8a-2216-40f0-8682-61dd91638147", @@ -8839,12 +8436,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "type": "similar" - } - ], + "related": [], "uuid": "87604333-638f-4f4a-94e0-16aa825dd5b8", "value": "Flame" }, @@ -8864,10 +8456,6 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" - }, - { - "dest-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "type": "similar" } ], "uuid": "44a5e62a-6de4-49d2-8f1b-e68ecdf9f332", @@ -8896,10 +8484,6 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" - }, - { - "dest-uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", - "type": "similar" } ], "uuid": "308dbe77-3d58-40bb-b0a5-cd00f152dc60", @@ -8914,6 +8498,7 @@ "software_attack_id": "S0383", "source": "MITRE", "tags": [ + "ede6e717-5e5f-4321-9ddd-d0d7ab315a89", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "84615fe0-c2a5-4e07-8957-78ebc29b4635", @@ -8935,10 +8520,6 @@ { "dest-uuid": "eb10ed9e-ea8d-4b61-bfc3-5994d30970df", "type": "used-by" - }, - { - "dest-uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", - "type": "similar" } ], "uuid": "c558e948-c817-4494-a95d-ad3207f10e26", @@ -8951,7 +8532,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5056", + "software_attack_id": "S3079", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -8991,10 +8572,6 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" - }, - { - "dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", - "type": "similar" } ], "uuid": "18002747-ddcc-42c1-b0ca-1e598a9f1919", @@ -9007,7 +8584,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5111", + "software_attack_id": "S3226", "source": "Tidal Cyber", "tags": [ "49bbb074-2406-4f27-ad77-d2e433ba1ccb", @@ -9041,10 +8618,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "72911fe3-f085-40f7-b4f2-f25a4221fe44", - "type": "similar" } ], "uuid": "bc11844e-0348-4eed-a48a-0554d68db38c", @@ -9057,7 +8630,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5331", + "software_attack_id": "S3146", "source": "Tidal Cyber", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", @@ -9101,10 +8674,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2", - "type": "similar" } ], "uuid": "c6dc67a6-587d-4700-a7de-bee043a0031a", @@ -9117,7 +8686,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5288", + "software_attack_id": "S3003", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -9144,12 +8713,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "bcaae558-9697-47a2-9ec7-c75000ddf58c", - "type": "similar" - } - ], + "related": [], "uuid": "83721b89-df58-50bf-be2a-0b696fb0da78", "value": "FRAMESTING" }, @@ -9166,10 +8730,6 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" - }, - { - "dest-uuid": "1cdbbcab-903a-414d-8eb0-439a97343737", - "type": "similar" } ], "uuid": "aef7cbbc-5163-419c-8e4b-3f73bed50474", @@ -9182,7 +8742,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5032", + "software_attack_id": "S3034", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -9222,12 +8782,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4a98e44a-bd52-461e-af1e-a4457de87a36", - "type": "similar" - } - ], + "related": [], "uuid": "3a05085e-5a1f-4a74-b489-d679b80e2c18", "value": "FruitFly" }, @@ -9238,7 +8793,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5222", + "software_attack_id": "S3343", "source": "Tidal Cyber", "tags": [ "7a4b56fa-5419-411b-86fe-68c9b0ddd3c5", @@ -9269,7 +8824,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5223", + "software_attack_id": "S3344", "source": "Tidal Cyber", "tags": [ "c5d1a687-8a36-4995-b8cb-415f33661821", @@ -9291,7 +8846,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5112", + "software_attack_id": "S3228", "source": "Tidal Cyber", "tags": [ "76bb7541-94da-4d66-9a57-77f788330287", @@ -9346,10 +8901,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", - "type": "similar" } ], "uuid": "062deac9-8f05-44e2-b347-96b59ba166ca", @@ -9370,12 +8921,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "be25c1c0-1590-4219-a3d5-6f31799d1d1b", - "type": "similar" - } - ], + "related": [], "uuid": "d0490e1d-8287-44d3-8342-944d1203b237", "value": "FunnyDream" }, @@ -9395,10 +8941,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "434ba392-ebdc-488b-b1ef-518deea65774", - "type": "similar" } ], "uuid": "be9a2ae5-373a-4dee-9c1e-b54235dafed0", @@ -9423,15 +8965,35 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "50d6688b-0985-4f3d-8cbe-0c796b30703b", - "type": "similar" } ], "uuid": "317a7647-aee7-4ce1-a8f8-33a61190f55d", "value": "Fysbis" }, + { + "description": "Gamarue is a longstanding family of malicious software which can provide backdoor access to a system. Researchers have observed Gamarue variants with worm-like redistribution capabilities. Gamarue is often observed being delivered via exploit kits, as an attachment to a spam email, or via USB or other removable media.[[microsoft.com April 2 2012](/references/de44abcc-9467-4c63-b0c4-c3a3b282ae39)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S5282", + "source": "Tidal Cyber", + "tags": [ + "ca440076-2a36-405a-bf4c-d4529e91b641", + "e809d252-12cc-494d-94f5-954c49eb87ce", + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "cac54152-17ad-4bb9-a412-53a35af1e95a", + "value": "Gamarue" + }, { "description": "[Gazer](https://app.tidalcyber.com/software/7a60b984-b0c8-4acc-be24-841f4b652872) is a backdoor used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) since at least 2016. [[ESET Gazer Aug 2017](https://app.tidalcyber.com/references/9d1c40af-d4bc-4d4a-b667-a17378942685)]", "meta": { @@ -9451,10 +9013,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "type": "similar" } ], "uuid": "7a60b984-b0c8-4acc-be24-841f4b652872", @@ -9472,12 +9030,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b", - "type": "similar" - } - ], + "related": [], "uuid": "9a117508-1d22-4fea-aa65-db670c13a5c9", "value": "Gelsemium" }, @@ -9497,10 +9050,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "type": "similar" } ], "uuid": "97f32f68-dcd2-4f80-9967-cc87305dc342", @@ -9525,10 +9074,6 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "099ecff2-41b8-436d-843c-038a9aa9aa69", - "type": "similar" } ], "uuid": "a997aaaf-edfc-4489-80a9-3f8d64545de1", @@ -9541,7 +9086,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5186", + "software_attack_id": "S3307", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -9611,10 +9156,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "type": "similar" } ], "uuid": "269ef8f5-35c8-44ba-afe4-63f4c6431427", @@ -9632,12 +9173,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "554e010d-726b-439d-9a1a-f60fff0cc109", - "type": "similar" - } - ], + "related": [], "uuid": "5c1a1ce5-927c-5c79-8a14-2789756d41ee", "value": "GLASSTOKEN" }, @@ -9657,10 +9193,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", - "type": "similar" } ], "uuid": "09fdec78-5253-433d-8680-294ba6847be9", @@ -9673,9 +9205,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5033", + "software_attack_id": "S3035", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -9693,6 +9226,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -9725,10 +9262,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8", - "type": "similar" } ], "uuid": "348fdeb5-6a74-4803-ac6e-e0133ecd7263", @@ -9749,12 +9282,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b9704a7d-feef-4af9-8898-5280f1686326", - "type": "similar" - } - ], + "related": [], "uuid": "1b135393-c799-4698-a880-c6a86782adee", "value": "GoldenSpy" }, @@ -9774,10 +9302,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "b7010785-699f-412f-ba49-524da6033c76", - "type": "similar" } ], "uuid": "4e8c58c5-443e-4f73-91e9-89146f04e307", @@ -9803,10 +9327,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "5c747acd-47f0-4c5a-b9e5-213541fc01e0", - "type": "similar" } ], "uuid": "b05a9763-4288-4656-bf4e-ba02bb8b35d6", @@ -9831,10 +9351,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "eac3d77f-2b7b-4599-ba74-948dc16633ad", - "type": "similar" } ], "uuid": "a75855fd-2b6b-43d8-99a5-2be03b544f34", @@ -9847,7 +9363,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5318", + "software_attack_id": "S3131", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -9875,9 +9391,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5289", + "software_attack_id": "S3004", "source": "Tidal Cyber", "tags": [ + "870fdd22-b373-4cb2-8a00-0acfa4aac897", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -9904,7 +9421,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5113", + "software_attack_id": "S3230", "source": "Tidal Cyber", "tags": [ "2ca5c5e4-ee7f-4698-84ec-ce04d2c1e9cc", @@ -9934,12 +9451,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "958b5d06-8bb0-4c5b-a2e7-0130fe654ac7", - "type": "similar" - } - ], + "related": [], "uuid": "61d277f2-abdc-4f2b-b50a-10d0fe91e588", "value": "Grandoreiro" }, @@ -9950,7 +9462,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5077", + "software_attack_id": "S3102", "source": "Tidal Cyber", "type": [ "malware" @@ -9977,12 +9489,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "1d1fce2f-0db5-402b-9843-4278a0694637", - "type": "similar" - } - ], + "related": [], "uuid": "08cb425d-7b7a-41dc-a897-9057ce57fea9", "value": "GravityRAT" }, @@ -10001,12 +9508,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "59c8a28c-200c-4565-9af1-cbdb24870ba0", - "type": "similar" - } - ], + "related": [], "uuid": "f5691425-6690-4e5e-8304-3ede9d2f5a90", "value": "Green Lambert" }, @@ -10026,10 +9528,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8", - "type": "similar" } ], "uuid": "f646e7f9-4d09-46f6-9831-54668fa20483", @@ -10054,10 +9552,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "04fc1842-f9e4-47cf-8cb8-5c61becad142", - "type": "similar" } ], "uuid": "ad358082-d83a-4c22-81a1-6c34dd67af26", @@ -10086,10 +9580,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "c9b99d03-ff11-4a48-95f0-82660d582c25", - "type": "similar" } ], "uuid": "c40a71d4-8592-4f82-8af5-18f763e52caf", @@ -10102,7 +9592,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5079", + "software_attack_id": "S3064", "source": "Tidal Cyber", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" @@ -10155,10 +9645,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", - "type": "similar" } ], "uuid": "5ffe662f-9da1-4b6f-ad3a-f296383e828c", @@ -10173,20 +9659,13 @@ "software_attack_id": "S0561", "source": "MITRE", "tags": [ - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2feda37d-5579-4102-a073-aa02e82cb49f", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, - "related": [ - { - "dest-uuid": "45c759ac-b490-48bb-80d4-c8eee3431027", - "type": "similar" - } - ], + "related": [], "uuid": "03e985d6-870b-4533-af13-08b1e0511444", "value": "GuLoader" }, @@ -10202,12 +9681,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "type": "similar" - } - ], + "related": [], "uuid": "5f1602fe-a4ce-4932-9cf9-ec842f2c58f1", "value": "H1N1" }, @@ -10220,12 +9694,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", - "type": "similar" - } - ], + "related": [], "uuid": "75db2ac3-901e-4b1f-9a0d-bac6562d57a3", "value": "Hacking Team UEFI Rootkit" }, @@ -10242,10 +9711,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "type": "similar" } ], "uuid": "5edf0ef7-a960-4500-8a89-8c8b4fdf8824", @@ -10270,10 +9735,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "type": "similar" } ], "uuid": "cc07f03f-9919-4856-9b30-f4d88940b0ec", @@ -10294,12 +9755,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "ef2247bf-8062-404b-894f-d65d00564817", - "type": "similar" - } - ], + "related": [], "uuid": "4eee3272-07fa-48ee-a7b9-9dfee3e4550a", "value": "Hancitor" }, @@ -10316,10 +9772,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", - "type": "similar" } ], "uuid": "c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8", @@ -10341,10 +9793,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", - "type": "similar" } ], "uuid": "ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7", @@ -10363,10 +9811,6 @@ { "dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa", "type": "used-by" - }, - { - "dest-uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", - "type": "similar" } ], "uuid": "8bd36306-bd4b-4a76-8842-44acb0cedbcc", @@ -10384,12 +9828,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b", - "type": "similar" - } - ], + "related": [], "uuid": "392c5a32-53b5-4ce8-a946-226cb533cc4e", "value": "HAWKBALL" }, @@ -10409,10 +9848,6 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" - }, - { - "dest-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", - "type": "similar" } ], "uuid": "a7ffe1bd-45ca-4ca4-94da-3b6c583a868d", @@ -10434,10 +9869,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", - "type": "similar" } ], "uuid": "f155b6f9-258d-4446-8867-fe5ee26d8c72", @@ -10467,10 +9898,6 @@ { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" - }, - { - "dest-uuid": "5d11d418-95dd-4377-b782-23160dfa17b4", - "type": "similar" } ], "uuid": "813a4ca1-84fe-42dc-89de-5873d028f98d", @@ -10495,10 +9922,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "type": "similar" } ], "uuid": "d6560c81-1e7e-4d01-9814-4be4fb43e655", @@ -10519,12 +9942,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a0ab8a96-40c9-4483-8a54-3fafa6d6007a", - "type": "similar" - } - ], + "related": [], "uuid": "f0456f14-4913-4861-b4ad-5e7f3960040e", "value": "HermeticWiper" }, @@ -10543,12 +9961,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa", - "type": "similar" - } - ], + "related": [], "uuid": "36ddc8cd-8f80-489e-a702-c682936b5393", "value": "HermeticWizard" }, @@ -10571,10 +9984,6 @@ { "dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412", "type": "used-by" - }, - { - "dest-uuid": "dff90475-9f72-41a6-84ed-1fbefd3874c0", - "type": "similar" } ], "uuid": "1841a6e8-6c23-46a1-9c81-783746083764", @@ -10587,7 +9996,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5114", + "software_attack_id": "S3231", "source": "Tidal Cyber", "tags": [ "7d028d1e-7a95-47f0-9367-55517f9ef170", @@ -10614,12 +10023,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "fc774af4-533b-4724-96d2-ac1026316794", - "type": "similar" - } - ], + "related": [], "uuid": "ec02fb9c-bf9f-404d-bc54-819f2b3fb040", "value": "HiddenWasp" }, @@ -10642,10 +10046,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", - "type": "similar" } ], "uuid": "ce1af464-0b14-4fe9-8591-a6fe58aa96c7", @@ -10667,10 +10067,6 @@ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" - }, - { - "dest-uuid": "95047f03-4811-4300-922e-1ba937d53a61", - "type": "similar" } ], "uuid": "8046c80c-4339-4cfb-8bfd-464801db2bfe", @@ -10698,15 +10094,38 @@ { "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" - }, - { - "dest-uuid": "40a1b8ec-7295-416c-a6b1-68181d86f120", - "type": "similar" } ], "uuid": "7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c", "value": "Hildegard" }, + { + "description": "HIUPAN is a worm, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3174", + "source": "Tidal Cyber", + "tags": [ + "e809d252-12cc-494d-94f5-954c49eb87ce", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "d4f74243-0d2d-4095-b66a-6d8291019125", + "value": "HIUPAN" + }, { "description": "[Hi-Zor](https://app.tidalcyber.com/software/286184d9-f28a-4d5a-a9dd-2216b3c47809) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://app.tidalcyber.com/software/a316c704-144a-4d14-8e4e-685bb6ae391c). It was used in a campaign named INOCNATION. [[Fidelis Hi-Zor](https://app.tidalcyber.com/references/0c9ff201-283a-4527-8cb8-6f0d05a4f724)]", "meta": { @@ -10722,12 +10141,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "type": "similar" - } - ], + "related": [], "uuid": "286184d9-f28a-4d5a-a9dd-2216b3c47809", "value": "Hi-Zor" }, @@ -10747,10 +10161,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035", - "type": "similar" } ], "uuid": "16db13f2-f350-4323-96cb-c5f4ac36c3e0", @@ -10776,10 +10186,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", - "type": "similar" } ], "uuid": "4d94594c-2224-46ca-8bc3-28b12ed139f9", @@ -10801,10 +10207,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "aad11e34-02ca-4220-91cd-2ed420af4db3", - "type": "similar" } ], "uuid": "a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe", @@ -10834,10 +10236,6 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" - }, - { - "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", - "type": "similar" } ], "uuid": "b98d9fe7-9aa3-409a-bf5c-eadb01bac948", @@ -10863,10 +10261,6 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" - }, - { - "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "type": "similar" } ], "uuid": "c4fe23f7-f18c-40f6-b431-0b104b497eaa", @@ -10888,10 +10282,6 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" - }, - { - "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", - "type": "similar" } ], "uuid": "bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49", @@ -10917,10 +10307,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "54089fba-8662-4f37-9a44-6ad25a5f630a", - "type": "similar" } ], "uuid": "2df88e4e-5a89-5535-ae1a-4c68b19d9078", @@ -10950,10 +10336,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", - "type": "similar" } ], "uuid": "4ffbca79-358a-4ba5-bfbb-dc1694c45646", @@ -10968,6 +10350,7 @@ "software_attack_id": "S0398", "source": "MITRE", "tags": [ + "84e6dbc1-98c7-4619-b796-a8c8d562ea7b", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ @@ -10978,10 +10361,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "5e814485-012d-423d-b769-026bfed0f451", - "type": "similar" } ], "uuid": "57cec527-26fb-44a1-b1a9-506a3af2c9f2", @@ -11003,10 +10382,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "2cf7dec3-66fc-423f-b2c7-58f1de243b4e", - "type": "similar" } ], "uuid": "ba3236e9-c86b-4b5d-89ed-7f71940a0588", @@ -11024,12 +10399,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "dd889a55-fb2c-4ec7-8e9f-c399939a49e1", - "type": "similar" - } - ], + "related": [], "uuid": "5a73defd-6a1a-4132-8427-cec649e8267a", "value": "IceApple" }, @@ -11042,6 +10412,7 @@ "software_attack_id": "S0483", "source": "MITRE", "tags": [ + "7d2804e4-a4e4-4ef7-acd5-2fca9cc92556", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ @@ -11060,15 +10431,38 @@ { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" - }, - { - "dest-uuid": "5147ef15-1cae-4707-8ea1-bee8d98b7f1d", - "type": "similar" } ], "uuid": "7f59bb7c-5fa9-497d-9d8e-ba9349fd9433", "value": "IcedID" }, + { + "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3159", + "source": "Tidal Cyber", + "tags": [ + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "1c0ab9a0-eb02-4428-a319-83a504e1b22b", + "value": "Idumper" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Executes commands from a specially prepared ie4uinit.inf file.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\windows\\system32\\ie4uinit.exe\n* c:\\windows\\sysWOW64\\ie4uinit.exe\n* c:\\windows\\system32\\ieuinit.inf\n* c:\\windows\\sysWOW64\\ieuinit.inf\n\n**Resources:**\n* [https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/](https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/)\n\n**Detection:**\n* IOC: ie4uinit.exe copied outside of %windir%\n* IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%\n* Sigma: [proc_creation_win_lolbin_ie4uinit.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml)[[Ie4uinit.exe - LOLBAS Project](/references/01f9a368-5933-47a1-85a9-e5883a5ca266)]", "meta": { @@ -11076,7 +10470,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5116", + "software_attack_id": "S3233", "source": "Tidal Cyber", "tags": [ "f32f1513-7277-4257-9c35-c8ab3da17c84", @@ -11098,7 +10492,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5190", + "software_attack_id": "S3311", "source": "Tidal Cyber", "tags": [ "e794994d-c38a-44d9-9253-53191ca9e56b", @@ -11120,7 +10514,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5117", + "software_attack_id": "S3234", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -11141,7 +10535,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5118", + "software_attack_id": "S3235", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -11162,7 +10556,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5191", + "software_attack_id": "S3312", "source": "Tidal Cyber", "tags": [ "fc23fb85-8c48-4f0b-aeb6-b78fd6e25e0a", @@ -11186,12 +10580,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", - "type": "similar" - } - ], + "related": [], "uuid": "93ab16d1-625e-4b1c-bb28-28974c269c47", "value": "ifconfig" }, @@ -11207,12 +10596,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "2cfe8a26-5be7-4a09-8915-ea3d9e787513", - "type": "similar" - } - ], + "related": [], "uuid": "71098f6e-a2c0-434f-b991-6c079fd3e82d", "value": "iKitten" }, @@ -11223,7 +10607,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5119", + "software_attack_id": "S3236", "source": "Tidal Cyber", "tags": [ "8bcce456-e1dc-4dd0-99a9-8334fd6f2847", @@ -11245,7 +10629,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5308", + "software_attack_id": "S3088", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -11272,7 +10656,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5115", + "software_attack_id": "S3232", "source": "Tidal Cyber", "tags": [ "796962fe-56d7-4816-9193-153da0be7c10", @@ -11310,10 +10694,6 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" - }, - { - "dest-uuid": "8f8cd191-902c-4e83-bf20-b57c8c4640e9", - "type": "similar" } ], "uuid": "925fc0db-9315-4703-9353-1d0e9ecb1439", @@ -11357,6 +10737,10 @@ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" + }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" @@ -11436,15 +10820,40 @@ { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" - }, - { - "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", - "type": "similar" } ], "uuid": "cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c", "value": "Impacket" }, + { + "description": "INC is a ransomware operation that emerged in July 2023. Operators of INC ransomware typically publicly extort their victims.[[SentinelOne September 21 2023](/references/7e793738-c132-47bf-90aa-1f0659564d16)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Linux", + "Windows" + ], + "software_attack_id": "S3189", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + } + ], + "uuid": "41b71db3-9779-445e-a0b5-7cd7174a7026", + "value": "INC Ransomware" + }, { "description": "[Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)] [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) was used in the attacks on the Ukrainian power grid in December 2016.[[Dragos Crashoverride 2017](https://app.tidalcyber.com/references/c8f624e3-2ba2-4564-bd1c-f06b9a6a8bce)] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]", "meta": { @@ -11465,10 +10874,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "e401d4fe-f0c9-44f0-98e6-f93487678808", - "type": "similar" } ], "uuid": "09398a7c-aee5-44af-b99d-f73d3b39c299", @@ -11491,10 +10896,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", - "type": "similar" } ], "uuid": "53c5fb76-a690-55c3-9e02-39577990da2a", @@ -11507,7 +10908,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5120", + "software_attack_id": "S3237", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -11533,12 +10934,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c8b6cc43-ce61-42ae-87f3-a5f10526f952", - "type": "similar" - } - ], + "related": [], "uuid": "e42bf572-1e70-4467-a4b7-5e22c776c758", "value": "InnaputRAT" }, @@ -11549,7 +10945,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5121", + "software_attack_id": "S3238", "source": "Tidal Cyber", "tags": [ "a3f84674-3813-4993-9e34-39cdaa19cbd1", @@ -11571,7 +10967,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5049", + "software_attack_id": "S3073", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -11592,7 +10988,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5272", + "software_attack_id": "S3113", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -11619,12 +11015,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "47afe41c-4c08-485e-b062-c3bd209a1cce", - "type": "similar" - } - ], + "related": [], "uuid": "3ee4c49d-2f2c-4677-b193-69f16f2851a4", "value": "InvisiMole" }, @@ -11641,10 +11032,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f", - "type": "similar" } ], "uuid": "2200a647-3312-44c0-9691-4a26153febbb", @@ -11657,7 +11044,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5080", + "software_attack_id": "S3104", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -11776,10 +11163,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", - "type": "similar" } ], "uuid": "4f519002-0576-4f8e-8add-73ebac9a86e6", @@ -11804,10 +11187,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "b1595ddd-a783-482a-90e1-8afc8d48467e", - "type": "similar" } ], "uuid": "9ca96281-8ff9-4619-a79d-16c5a9594eae", @@ -11832,10 +11211,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", - "type": "similar" } ], "uuid": "752ab0fc-7fa1-4e54-bd9a-7a280a38ed77", @@ -11857,10 +11232,6 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" - }, - { - "dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", - "type": "similar" } ], "uuid": "6dbf31cf-0ba0-48b4-be82-38889450845c", @@ -11873,7 +11244,7 @@ "platforms": [ "Network" ], - "software_attack_id": "S5061", + "software_attack_id": "S3067", "source": "Tidal Cyber", "tags": [ "b20e7912-6a8d-46e3-8e13-9a3fc4813852", @@ -11907,12 +11278,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", - "type": "similar" - } - ], + "related": [], "uuid": "a4debf1f-8a37-4c89-8ebc-31de71d33f79", "value": "Janicab" }, @@ -11928,12 +11294,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "64122557-5940-4271-9123-25bfc0c693db", - "type": "similar" - } - ], + "related": [], "uuid": "853d3d18-d746-4650-a9bd-c36a0e86dd02", "value": "Javali" }, @@ -11950,12 +11311,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82", - "type": "similar" - } - ], + "related": [], "uuid": "41ec0bbc-65ca-4913-a763-1638215d7b2f", "value": "JCry" }, @@ -11978,10 +11334,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "type": "similar" } ], "uuid": "d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae", @@ -12003,10 +11355,6 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" - }, - { - "dest-uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", - "type": "similar" } ], "uuid": "c96fce69-6b9c-4bbc-bb42-f6a8fb6eb88f", @@ -12034,10 +11382,6 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" - }, - { - "dest-uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", - "type": "similar" } ], "uuid": "42fe9795-5cf6-4ad7-b56e-2aa655377992", @@ -12050,7 +11394,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5122", + "software_attack_id": "S3239", "source": "Tidal Cyber", "tags": [ "ee16a0c7-b3cf-4303-9681-b3076da9bff0", @@ -12085,10 +11429,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "f559f945-eb8b-48b1-904c-68568deebed3", - "type": "similar" } ], "uuid": "c67f3029-a26c-4752-b7f1-8e3369c2f79d", @@ -12101,9 +11441,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5303", + "software_attack_id": "S3069", "source": "Tidal Cyber", "tags": [ + "4ac8deac-b33f-4276-b9ee-2d810138aedc", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "2feda37d-5579-4102-a073-aa02e82cb49f" @@ -12137,10 +11478,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", - "type": "similar" } ], "uuid": "ca883d21-97ca-420d-a66b-ef19a8355467", @@ -12161,12 +11498,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "type": "similar" - } - ], + "related": [], "uuid": "1896b9c9-a93e-4220-b4c2-6c4c9c5ca297", "value": "Kasidet" }, @@ -12190,10 +11522,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2", - "type": "similar" } ], "uuid": "e93990a0-4841-4867-8b74-ac2806d787bf", @@ -12218,10 +11546,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "8c1d01ff-fdc0-4586-99bd-c248e0761af5", - "type": "similar" } ], "uuid": "17c28e46-1005-4737-8567-d4ad9f1aefd1", @@ -12239,12 +11563,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c984b414-b766-44c5-814a-2fe96c913c12", - "type": "similar" - } - ], + "related": [], "uuid": "32f1e0d3-753f-4b51-aec5-cfaa393cedc3", "value": "Kessel" }, @@ -12264,10 +11583,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "e7863f5d-cb6a-4f81-8804-0a635eec160a", - "type": "similar" } ], "uuid": "b9730d7c-aa57-4d6f-9125-57dcb65b02e0", @@ -12289,10 +11604,6 @@ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" - }, - { - "dest-uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e", - "type": "similar" } ], "uuid": "6ec39371-d50b-43b6-937c-52de00491eab", @@ -12310,12 +11621,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4b072c90-bc7a-432b-940e-016fc1c01761", - "type": "similar" - } - ], + "related": [], "uuid": "aefbe6ff-7ce4-479e-916d-e8f0259d81f6", "value": "Keydnap" }, @@ -12335,10 +11641,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", - "type": "similar" } ], "uuid": "a644f61e-6a9b-41ab-beca-72518351c27f", @@ -12361,10 +11663,6 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" - }, - { - "dest-uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d", - "type": "similar" } ], "uuid": "ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a", @@ -12386,10 +11684,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "8bdfe255-e658-4ddd-a11c-b854762e451d", - "type": "similar" } ], "uuid": "c1e1ab6a-d5ce-4520-98c5-c6df41005fd9", @@ -12421,10 +11715,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "type": "similar" } ], "uuid": "b5532e91-d267-4819-a05d-8c5358995add", @@ -12447,12 +11737,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "d6e55656-e43f-411f-a7af-45df650471c5", - "type": "similar" - } - ], + "related": [], "uuid": "7b4f157c-4b34-4f55-9c20-ff787495e9ba", "value": "Kinsing" }, @@ -12472,10 +11757,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", - "type": "similar" } ], "uuid": "673ed346-9562-4997-80b2-e701b1a99a58", @@ -12509,10 +11790,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", - "type": "similar" } ], "uuid": "5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd", @@ -12530,12 +11807,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "9abdda30-08e0-4ab1-9cf0-d447654c6de9", - "type": "similar" - } - ], + "related": [], "uuid": "bf918663-90bd-489e-91e7-6951a18a25fd", "value": "Kobalos" }, @@ -12555,10 +11827,6 @@ { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" - }, - { - "dest-uuid": "df9b350b-d4f9-4e79-a826-75cc75fbc1eb", - "type": "similar" } ], "uuid": "3e13d07d-d9e1-4456-bec3-b2375e404753", @@ -12580,10 +11848,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "type": "similar" } ], "uuid": "2cf1be0d-2fba-4fd0-ab2f-3695716d1735", @@ -12605,10 +11869,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", - "type": "similar" } ], "uuid": "3067f148-2e2b-4aac-9652-59823b3ad4f1", @@ -12629,12 +11889,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "86b92f6c-9c05-4c51-b361-4c7bb13e21a1", - "type": "similar" - } - ], + "related": [], "uuid": "d381de2a-30cb-4d50-bbce-fd1e489c4889", "value": "KONNI" }, @@ -12654,10 +11909,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103", - "type": "similar" } ], "uuid": "d09c4459-1aa3-547d-99f4-7ac73b8043f0", @@ -12679,10 +11930,6 @@ { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" - }, - { - "dest-uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab", - "type": "similar" } ], "uuid": "35ac4018-8506-4025-a9e3-bd017700b3b3", @@ -12695,7 +11942,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5258", + "software_attack_id": "S3379", "source": "Tidal Cyber", "tags": [ "5be0da70-9249-44fa-8c3b-7394ef26b2e0", @@ -12742,6 +11989,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" @@ -12809,10 +12060,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", - "type": "similar" } ], "uuid": "f5558af4-e3e2-47c2-b8fe-72850bd30f37", @@ -12825,7 +12072,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5017", + "software_attack_id": "S3240", "source": "Tidal Cyber", "tags": [ "cea43301-9f7a-46a5-be3a-3a09f0f3c09e", @@ -12861,7 +12108,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5020", + "software_attack_id": "S3022", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", @@ -12889,7 +12136,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5067", + "software_attack_id": "S3092", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -12930,10 +12177,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", - "type": "similar" } ], "uuid": "c9d2f023-d54b-4d08-9598-a42fb92b3161", @@ -12951,12 +12194,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5dc9e8ec-9917-4de7-b8ab-16007899dd80", - "type": "similar" - } - ], + "related": [], "uuid": "1b3af76f-f9a1-58ce-8c7d-aec535f8d0c0", "value": "LIGHTWIRE" }, @@ -12967,7 +12205,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5034", + "software_attack_id": "S3036", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -12992,6 +12230,10 @@ "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, + { + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -13011,7 +12253,7 @@ "platforms": [ "Network" ], - "software_attack_id": "S5284", + "software_attack_id": "S3132", "source": "Tidal Cyber", "tags": [ "a159c91c-5258-49ea-af7d-e803008d97d3", @@ -13036,7 +12278,7 @@ "platforms": [ "Network" ], - "software_attack_id": "S5285", + "software_attack_id": "S3133", "source": "Tidal Cyber", "tags": [ "a159c91c-5258-49ea-af7d-e803008d97d3", @@ -13071,10 +12313,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", - "type": "similar" } ], "uuid": "925975f8-e8ff-411f-a40e-f799968046f7", @@ -13096,12 +12334,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0efefea5-78da-4022-92bc-d726139e8883", - "type": "similar" - } - ], + "related": [], "uuid": "d017e133-fce9-4982-a2df-6867a80089e7", "value": "Linux Rabbit" }, @@ -13124,10 +12357,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "95e2cbae-d82c-4f7b-b63c-16462015d35d", - "type": "similar" } ], "uuid": "71e4028c-9ca1-45ce-bc44-98209ae9f6bd", @@ -13149,10 +12378,6 @@ { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" - }, - { - "dest-uuid": "9020f5c7-efde-4125-a4f1-1b70f1274ddd", - "type": "similar" } ], "uuid": "cc568409-71ff-468b-9c38-d0dd9020e409", @@ -13170,12 +12395,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "19256855-65e9-48f2-8b74-9f3d0a994428", - "type": "similar" - } - ], + "related": [], "uuid": "c9c5e7ad-6e95-5d53-b4db-f6b51c7167ca", "value": "LITTLELAMB.WOOLTEA" }, @@ -13205,10 +12425,6 @@ { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" - }, - { - "dest-uuid": "f74a5069-015d-4404-83ad-5ca01056c0dc", - "type": "similar" } ], "uuid": "65d46aab-b3ce-4f5b-b1fc-871db2573fa1", @@ -13221,9 +12437,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5047", + "software_attack_id": "S3015", "source": "Tidal Cyber", "tags": [ + "ba2210ad-0cf7-4a28-8d40-c1dbec5fb202", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", @@ -13271,10 +12488,6 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" - }, - { - "dest-uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", - "type": "similar" } ], "uuid": "65bc8e81-0a08-49f6-9d04-a2d63d512342", @@ -13296,10 +12509,6 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" - }, - { - "dest-uuid": "452da2d9-706c-4185-ad6f-f5edaf4b9f48", - "type": "similar" } ], "uuid": "d28c3706-df25-59e2-939f-131abaf8a1eb", @@ -13312,7 +12521,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5073", + "software_attack_id": "S3098", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -13361,10 +12570,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "b865dded-0553-4962-a44b-6fe7863effed", - "type": "similar" } ], "uuid": "039f34e9-f379-4a24-a53f-b28ba579854c", @@ -13389,10 +12594,6 @@ { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" - }, - { - "dest-uuid": "cb741463-f0fe-42e0-8d45-bc7e8335f5ae", - "type": "similar" } ], "uuid": "4fead65c-499d-4f44-8879-2c35b24dac68", @@ -13410,12 +12611,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c9ccc4df-1f56-49e7-ad57-b383e1451688", - "type": "similar" - } - ], + "related": [], "uuid": "bfd2a077-5000-4500-82c4-5c85fb98dd5a", "value": "LookBack" }, @@ -13426,7 +12622,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5035", + "software_attack_id": "S3037", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -13470,12 +12666,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f99f3dcc-683f-4936-8791-075ac5e58f10", - "type": "similar" - } - ], + "related": [], "uuid": "f503535b-406c-4e24-8123-0e22fec995bb", "value": "LoudMiner" }, @@ -13495,10 +12686,6 @@ { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" - }, - { - "dest-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "type": "similar" } ], "uuid": "fce1117a-e699-4aef-b1fc-04c3967acc33", @@ -13523,10 +12710,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", - "type": "similar" } ], "uuid": "37a5ae23-3da5-4cbc-a21a-a7ef98a3b7cc", @@ -13544,12 +12727,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "54a73038-1937-4d71-a253-316e76d5413c", - "type": "similar" - } - ], + "related": [], "uuid": "723d9a27-74fd-4333-a8db-63df2a8b4dd4", "value": "Lucifer" }, @@ -13569,15 +12747,34 @@ { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" - }, - { - "dest-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", - "type": "similar" } ], "uuid": "0cc9e24b-d458-4782-a332-4e4fd68c057b", "value": "Lurid" }, + { + "description": "Lynx is a Windows-focused ransomware that was identified in July 2024. Rapid7 researchers note potential code similarities between Lynx and INC ransomware.[[Rapid7 Blog September 12 2024](/references/21d393ae-d135-4c5a-8c6d-1baa8c0a1e08)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3169", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "f5d55fa5-afb8-46ff-b5b5-c792060fd7d3", + "value": "Lynx Ransomware" + }, { "description": "[Machete](https://app.tidalcyber.com/software/be8a1630-9562-41ad-a621-65989f961a10) is a cyber espionage toolset used by [Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.[[ESET Machete July 2019](https://app.tidalcyber.com/references/408d5e33-fcb6-4d21-8be9-7aa5a8bd3385)][[Securelist Machete Aug 2014](https://app.tidalcyber.com/references/fc7be240-bd15-4ec4-bc01-f8891d7210d9)][[360 Machete Sep 2020](https://app.tidalcyber.com/references/682c843d-1bb8-4f30-9d2e-35e8d41b1976)]", "meta": { @@ -13594,10 +12791,6 @@ { "dest-uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af", "type": "used-by" - }, - { - "dest-uuid": "35cd1d01-1ede-44d2-b073-a264d727bc04", - "type": "similar" } ], "uuid": "be8a1630-9562-41ad-a621-65989f961a10", @@ -13615,12 +12808,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "bdee9574-7479-4073-a7dc-e86d8acd073a", - "type": "similar" - } - ], + "related": [], "uuid": "7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb", "value": "MacMa" }, @@ -13636,12 +12824,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "2a59a237-1530-4d55-91f9-2aebf961cc37", - "type": "similar" - } - ], + "related": [], "uuid": "74feb557-21bc-40fb-8ab5-45d3af84c380", "value": "macOS.OSAMiner" }, @@ -13657,12 +12840,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f72251cb-2be5-421f-a081-99c29a1209e7", - "type": "similar" - } - ], + "related": [], "uuid": "e5e67c67-e658-45b5-850b-044312be4258", "value": "MacSpy" }, @@ -13682,10 +12860,6 @@ { "dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b", "type": "used-by" - }, - { - "dest-uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68", - "type": "similar" } ], "uuid": "7506616c-b808-54fb-9982-072a0dcf8a04", @@ -13713,10 +12887,6 @@ { "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", "type": "used-by" - }, - { - "dest-uuid": "999c4e6e-b8dc-4b4f-8d6e-1b829f29997e", - "type": "similar" } ], "uuid": "d762974a-ca7e-45ee-bc1d-f5218bf46c84", @@ -13729,7 +12899,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5123", + "software_attack_id": "S3241", "source": "Tidal Cyber", "tags": [ "758c3085-2f79-40a8-ab95-f8a684737927", @@ -13765,7 +12935,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5259", + "software_attack_id": "S3380", "source": "Tidal Cyber", "tags": [ "ff10869f-fed4-4f21-b83a-9939e7381d6e", @@ -13780,6 +12950,33 @@ "uuid": "9b6b705e-55ae-4d9e-9c57-baf1358cc324", "value": "Manage-bde" }, + { + "description": "A backdoor capability associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3162", + "source": "Tidal Cyber", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "9702e486-e5b9-486f-84f3-289c599d3d72", + "value": "Mango" + }, { "description": "[MarkiRAT](https://app.tidalcyber.com/software/40806539-1496-4a64-b740-66f6a1467f40) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://app.tidalcyber.com/groups/275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb) since at least 2015.[[Kaspersky Ferocious Kitten Jun 2021](https://app.tidalcyber.com/references/b8f8020d-3f5c-4b5e-8761-6ecdd63fcd50)]", "meta": { @@ -13799,10 +12996,6 @@ { "dest-uuid": "275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb", "type": "used-by" - }, - { - "dest-uuid": "532c6004-b1e8-415b-9516-f7c14ba783b1", - "type": "similar" } ], "uuid": "40806539-1496-4a64-b740-66f6a1467f40", @@ -13817,7 +13010,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5282", + "software_attack_id": "S3121", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -13858,10 +13051,6 @@ { "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "type": "used-by" - }, - { - "dest-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "type": "similar" } ], "uuid": "eeb700ea-2819-46f4-936d-f7592f20dedc", @@ -13874,7 +13063,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5124", + "software_attack_id": "S3242", "source": "Tidal Cyber", "tags": [ "724c3509-ad5e-46a3-a72c-6f3807b13793", @@ -13898,6 +13087,7 @@ "software_attack_id": "S0449", "source": "MITRE", "tags": [ + "5b4ce6cb-0929-4f74-a3b2-bd1afa916d36", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad", "1cc90752-70a3-4a17-b370-e1473a212f79", @@ -13920,10 +13110,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "d9f7383c-95ec-4080-bbce-121c9384457b", - "type": "similar" } ], "uuid": "3c206491-45c0-4ff7-9f40-45f9aae4de64", @@ -13936,7 +13122,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5297", + "software_attack_id": "S3020", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -13972,10 +13158,6 @@ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" - }, - { - "dest-uuid": "975737f1-b10d-476f-8bda-3ec26ea57172", - "type": "similar" } ], "uuid": "939cbe39-5b63-4651-b0c0-85ac39cb9f0e", @@ -13997,10 +13179,6 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" - }, - { - "dest-uuid": "dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", - "type": "similar" } ], "uuid": "31cbe3c8-be88-4a4f-891d-04c3bb7ed482", @@ -14013,9 +13191,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5022", + "software_attack_id": "S3066", "source": "Tidal Cyber", "tags": [ + "0512bbd3-0596-4426-9ee6-d2bfeb8fd219", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" @@ -14054,10 +13233,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", - "type": "similar" } ], "uuid": "6c3bbcae-3217-43c7-b709-5c54bc7636b1", @@ -14072,7 +13247,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5328", + "software_attack_id": "S3143", "source": "Tidal Cyber", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745", @@ -14111,12 +13286,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "909617c3-6d87-4330-8f32-bd3af38c3b92", - "type": "similar" - } - ], + "related": [], "uuid": "d8a4a817-2914-47b0-867c-ad8eeb7efd10", "value": "MegaCortex" }, @@ -14129,7 +13299,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5005", + "software_attack_id": "S3021", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -14153,6 +13323,10 @@ ] }, "related": [ + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -14201,12 +13375,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "d3105fb5-c494-4fd1-a7be-414eab9e0c96", - "type": "similar" - } - ], + "related": [], "uuid": "aa844e6b-feda-4928-8c6d-c59f7be88da0", "value": "Melcoz" }, @@ -14226,10 +13395,6 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" - }, - { - "dest-uuid": "9b19d6b4-cfcb-492f-8ca8-8449e7331573", - "type": "similar" } ], "uuid": "15d7e478-349d-42e6-802d-f16302b98319", @@ -14251,10 +13416,6 @@ { "dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b", "type": "used-by" - }, - { - "dest-uuid": "df350889-4de9-44e5-8cb3-888b8343e97c", - "type": "similar" } ], "uuid": "0a9874bf-4f02-5fab-8ab6-d0f42c6bc71d", @@ -14275,12 +13436,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "81c57a96-fc8c-4f91-af8e-63e24c2927c2", - "type": "similar" - } - ], + "related": [], "uuid": "ca607087-25ad-4a91-af83-608646cccbcb", "value": "Metamorfo" }, @@ -14293,9 +13449,12 @@ "macOS", "Windows" ], - "software_attack_id": "S5050", + "software_attack_id": "S3068", "source": "Tidal Cyber", "tags": [ + "677c5953-3cc8-44bb-89bc-d9a31f9d170c", + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -14307,6 +13466,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" @@ -14326,7 +13489,7 @@ "platforms": [ "macOS" ], - "software_attack_id": "S5315", + "software_attack_id": "S3128", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -14348,16 +13511,14 @@ ], "software_attack_id": "S0688", "source": "MITRE", + "tags": [ + "f68659fd-4d2f-4c9c-959d-b9f7ef91c228" + ], "type": [ "malware" ] }, - "related": [ - { - "dest-uuid": "d79e7a60-5de9-448e-a074-f95d2d80f8d0", - "type": "similar" - } - ], + "related": [], "uuid": "ee07030e-ff50-404b-ad27-ab999fc1a23a", "value": "Meteor" }, @@ -14368,7 +13529,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5224", + "software_attack_id": "S3345", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -14401,10 +13562,6 @@ { "dest-uuid": "e3c5164e-49cf-5bb1-955d-6775585abb14", "type": "used-by" - }, - { - "dest-uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349", - "type": "similar" } ], "uuid": "5879efc1-f122-43ec-a80d-e25aa449594d", @@ -14417,7 +13574,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5225", + "software_attack_id": "S3346", "source": "Tidal Cyber", "tags": [ "eb75bfce-e0d6-41b3-a3f0-df34e6e9b476", @@ -14439,7 +13596,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5125", + "software_attack_id": "S3243", "source": "Tidal Cyber", "tags": [ "b48e3fa8-25b4-42be-97e7-086068a150c5", @@ -14473,10 +13630,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "aea6d6b8-d832-4c90-a1bb-f52c6684db6c", - "type": "similar" } ], "uuid": "57545dbc-c72a-409d-a373-bc35e25160cd", @@ -14526,6 +13679,10 @@ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" @@ -14761,10 +13918,6 @@ { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "type": "similar" } ], "uuid": "b8e7c0b4-49e4-4e8d-9467-b17f305ddf16", @@ -14789,10 +13942,6 @@ { "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" - }, - { - "dest-uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27", - "type": "similar" } ], "uuid": "42350632-b59a-4cc5-995e-d95d8c608553", @@ -14807,12 +13956,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", - "type": "similar" - } - ], + "related": [], "uuid": "c0dea9db-1551-4f6c-8a19-182efc34093a", "value": "Miner-C" }, @@ -14835,10 +13979,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "type": "similar" } ], "uuid": "2bb16809-6bc3-46c3-b28a-39cb49410340", @@ -14863,10 +14003,6 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" - }, - { - "dest-uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d", - "type": "similar" } ], "uuid": "535f1b97-7a70-4d18-be4e-3a9f74ccf78a", @@ -14884,12 +14020,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "type": "similar" - } - ], + "related": [], "uuid": "4048afa2-79c8-4d38-8219-2207adddd884", "value": "Misdat" }, @@ -14912,10 +14043,6 @@ { "dest-uuid": "803f8018-6e45-5b0f-978f-1fe96b217120", "type": "used-by" - }, - { - "dest-uuid": "4e6464d2-69df-4e56-8d4c-1973f84d7b80", - "type": "similar" } ], "uuid": "758e5226-6015-5cc7-af4b-20fa35c9bac1", @@ -14933,12 +14060,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "type": "similar" - } - ], + "related": [], "uuid": "fe554d2e-f974-41d6-8e7a-701bd758355d", "value": "Mis-Type" }, @@ -14958,15 +14080,38 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" - }, - { - "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "type": "similar" } ], "uuid": "f603ea32-91c3-4b62-a60f-57670433b080", "value": "Mivast" }, + { + "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3160", + "source": "Tidal Cyber", + "tags": [ + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "7bded42d-ad82-4b00-88c7-c1129c11894d", + "value": "MKG" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Load snap-ins to locally and remotely manage Windows systems\n\n**Author:** @bohops\n\n**Paths:**\n* C:\\Windows\\System32\\mmc.exe\n* C:\\Windows\\SysWOW64\\mmc.exe\n\n**Resources:**\n* [https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)\n* [https://offsec.almond.consulting/UAC-bypass-dotnet.html](https://offsec.almond.consulting/UAC-bypass-dotnet.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_mmc_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml)\n* Sigma: [file_event_win_uac_bypass_dotnet_profiler.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml)[[Mmc.exe - LOLBAS Project](/references/490b6769-e386-4a3d-972e-5a919cb2f6f5)]", "meta": { @@ -14974,7 +14119,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5126", + "software_attack_id": "S3244", "source": "Tidal Cyber", "tags": [ "f9e6382f-e41e-438e-bd7e-57a57046d9e6", @@ -15002,10 +14147,6 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" - }, - { - "dest-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "type": "similar" } ], "uuid": "116f913c-0d5e-43d1-ba0d-3a12127af8f6", @@ -15030,10 +14171,6 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" - }, - { - "dest-uuid": "8a59f456-79a0-4151-9f56-9b1a67332af2", - "type": "similar" } ], "uuid": "7ca5debb-f813-4e06-98f8-d1186552e5d2", @@ -15058,15 +14195,35 @@ { "dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412", "type": "used-by" - }, - { - "dest-uuid": "6fb36c6f-bb3d-4ed6-9471-cb9933e5c154", - "type": "similar" } ], "uuid": "7f5355b3-e819-4c82-a0fa-b80fda8fd6e6", "value": "Mongall" }, + { + "description": "Monti is a ransomware identified in June 2022. Researchers have drawn comparisons between Monti and Conti ransomware, whose source code was leaked earlier that year. Windows and Linux variants of Monti have been identified.[[Trend Micro August 14 2023](/references/12d2fbc5-f9cb-41b5-96a6-1cd100b5a173)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Linux", + "Windows" + ], + "software_attack_id": "S3170", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "7d7905f9-22cf-4b30-bb8f-5b5da52d1036", + "value": "Monti Ransomware" + }, { "description": "[MoonWind](https://app.tidalcyber.com/software/a699f32f-6596-4060-8fcd-42587a844b80) is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. [[Palo Alto MoonWind March 2017](https://app.tidalcyber.com/references/4f3d7a08-2cf5-49ed-8bcd-6df180f3d194)]", "meta": { @@ -15079,12 +14236,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "type": "similar" - } - ], + "related": [], "uuid": "a699f32f-6596-4060-8fcd-42587a844b80", "value": "MoonWind" }, @@ -15115,10 +14267,6 @@ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" - }, - { - "dest-uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", - "type": "similar" } ], "uuid": "69f202e7-4bc9-4f4f-943f-330c053ae977", @@ -15132,6 +14280,9 @@ ], "software_attack_id": "S1047", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] @@ -15140,10 +14291,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "7e100ca4-e639-48d9-9a9d-8ad84aa7b448", - "type": "similar" } ], "uuid": "385e1eaf-9ba8-4381-981a-3c7af718a77d", @@ -15168,10 +14315,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "92b55426-109f-4d93-899f-1833ce91ff90", - "type": "similar" } ], "uuid": "c3939dad-d728-4ddb-804e-cf1e3743a55d", @@ -15184,7 +14327,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5127", + "software_attack_id": "S3245", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -15205,7 +14348,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5128", + "software_attack_id": "S3246", "source": "Tidal Cyber", "tags": [ "dfda978e-e0a0-4e1a-85c7-d9ab2cd7ccc5", @@ -15227,7 +14370,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5129", + "software_attack_id": "S3247", "source": "Tidal Cyber", "tags": [ "7e20fe4e-6883-457d-81f9-b4010e739f89", @@ -15249,7 +14392,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5226", + "software_attack_id": "S3347", "source": "Tidal Cyber", "tags": [ "11452158-b8d2-4a33-952a-8896f961a2f5", @@ -15271,7 +14414,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5130", + "software_attack_id": "S3248", "source": "Tidal Cyber", "tags": [ "8c30b46b-3651-4ccd-9d91-34fe89bc6843", @@ -15293,7 +14436,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5131", + "software_attack_id": "S3249", "source": "Tidal Cyber", "tags": [ "5bd3af6b-cb96-4d96-9576-26521dd76513", @@ -15315,7 +14458,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5182", + "software_attack_id": "S3303", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -15336,7 +14479,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5183", + "software_attack_id": "S3304", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -15357,7 +14500,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5132", + "software_attack_id": "S3250", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -15444,7 +14587,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5192", + "software_attack_id": "S3313", "source": "Tidal Cyber", "tags": [ "46338353-52ee-4f8d-9f18-f1b32644dd76", @@ -15466,7 +14609,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5133", + "software_attack_id": "S3251", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -15510,7 +14653,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5227", + "software_attack_id": "S3348", "source": "Tidal Cyber", "tags": [ "874c053b-d6b8-42c2-accc-cd256bb4d350", @@ -15532,7 +14675,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5228", + "software_attack_id": "S3349", "source": "Tidal Cyber", "tags": [ "a523dcb0-9181-4170-a113-126df84594ca", @@ -15554,7 +14697,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5229", + "software_attack_id": "S3350", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -15589,10 +14732,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501", - "type": "similar" } ], "uuid": "768111f9-0948-474b-82a6-cd5455079513", @@ -15616,12 +14755,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "d505fc8b-2e64-46eb-96d6-9ef7ffca5b66", - "type": "similar" - } - ], + "related": [], "uuid": "f1398367-a0af-4a89-b240-50cae4985ed9", "value": "Mythic" }, @@ -15644,10 +14778,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", - "type": "similar" } ], "uuid": "5cfd6135-c53b-4234-a17e-759494b2101f", @@ -15669,10 +14799,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", - "type": "similar" } ], "uuid": "0e28dfc9-8948-4c08-b7d8-9e80e19cc464", @@ -15710,10 +14836,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", - "type": "similar" } ], "uuid": "db05dbaa-eb3a-4303-b37e-18d67e7e85a1", @@ -15738,10 +14860,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84", - "type": "similar" } ], "uuid": "a814fd1d-8c2c-41b3-bb3a-30c4318c74c0", @@ -15766,10 +14884,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "53a42597-1974-4b8e-84fd-3675e8992053", - "type": "similar" } ], "uuid": "b410d30c-4db6-4239-950e-9b0e0521f0d2", @@ -15821,10 +14935,6 @@ { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" - }, - { - "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", - "type": "similar" } ], "uuid": "950f13e6-3ae3-411e-a2b2-4ba1afe6cb76", @@ -15843,10 +14953,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", - "type": "similar" } ], "uuid": "81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e", @@ -15868,10 +14974,6 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" - }, - { - "dest-uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", - "type": "similar" } ], "uuid": "6d42e6c5-3056-4ff1-8d5d-a736807ec84c", @@ -15893,10 +14995,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "22b17791-45bf-45c0-9322-ff1a0af5cf2b", - "type": "similar" } ], "uuid": "38510bab-aece-4d7b-b621-7594c2c4fe14", @@ -15921,10 +15019,6 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" - }, - { - "dest-uuid": "4d7bf2ac-f953-4907-b114-be44dc174d67", - "type": "similar" } ], "uuid": "8662e29e-5766-4311-894e-5ca52515ccbe", @@ -15946,10 +15040,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", - "type": "similar" } ], "uuid": "de8b18c9-ebab-4126-96a9-282fa8829877", @@ -16134,10 +15224,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "type": "similar" } ], "uuid": "c9b8522f-126d-40ff-b44e-1f46098bd8cc", @@ -16159,10 +15245,6 @@ { "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "type": "used-by" - }, - { - "dest-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", - "type": "similar" } ], "uuid": "947c6212-4da8-48dd-9da9-ce4b077dd759", @@ -16187,10 +15269,6 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" - }, - { - "dest-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "type": "similar" } ], "uuid": "852c300d-9313-442d-9b49-9883522c3f4b", @@ -16264,10 +15342,6 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" - }, - { - "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "type": "similar" } ], "uuid": "803192b8-747b-4108-ae15-2d7481d39162", @@ -16338,10 +15412,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", - "type": "similar" } ], "uuid": "132fb908-9f13-4bcf-aa64-74cbc72f5491", @@ -16356,9 +15426,10 @@ "Linux", "Windows" ], - "software_attack_id": "S5320", + "software_attack_id": "S3135", "source": "Tidal Cyber", "tags": [ + "6307a146-7a64-41a7-b765-8ea935027895", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "e1af18e3-3224-4e4c-9d0f-533768474508", "e727eaa6-ef41-4965-b93a-8ad0c51d0236", @@ -16370,6 +15441,10 @@ ] }, "related": [ + { + "dest-uuid": "54a13c54-a1d5-46e9-b155-56d981a5ad8f", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" @@ -16401,10 +15476,6 @@ { "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" - }, - { - "dest-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", - "type": "similar" } ], "uuid": "1b8f9cf9-db8f-437d-800e-5ddd090fe30d", @@ -16419,6 +15490,7 @@ "software_attack_id": "S0457", "source": "MITRE", "tags": [ + "24f88c63-2917-4895-b0ea-e3a5556b85c1", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "242bc007-5ac5-4d96-8638-699a06d06d24", @@ -16434,12 +15506,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "754effde-613c-4244-a83e-fb659b2a4d06", - "type": "similar" - } - ], + "related": [], "uuid": "5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d", "value": "Netwalker" }, @@ -16454,6 +15521,7 @@ "software_attack_id": "S0198", "source": "MITRE", "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "6c6c0125-9631-4c2c-90ab-cfef374d5198" ], "type": [ @@ -16476,10 +15544,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", - "type": "similar" } ], "uuid": "c7d0e881-80a1-49ea-9c1f-b6e53cf399a8", @@ -16492,7 +15556,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5278", + "software_attack_id": "S3118", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -16526,12 +15590,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "72b5f07f-5448-4e00-9ff2-08bc193a7b77", - "type": "similar" - } - ], + "related": [], "uuid": "48b161fe-3ae1-5551-9f26-d6f2d6b5afb9", "value": "NGLite" }, @@ -16610,10 +15669,6 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" - }, - { - "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", - "type": "similar" } ], "uuid": "316ecd9d-ac0b-58c7-8083-5d9214c770f6", @@ -16626,7 +15681,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5333", + "software_attack_id": "S3148", "source": "Tidal Cyber", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", @@ -16662,10 +15717,6 @@ { "dest-uuid": "06549082-ff70-43bf-985e-88c695c7113c", "type": "used-by" - }, - { - "dest-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "type": "similar" } ], "uuid": "3ae9acd7-39f8-45c6-b557-c7d9a40eed2c", @@ -16687,10 +15738,6 @@ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" - }, - { - "dest-uuid": "91c57ed3-7c32-4c68-b388-7db00cb8dac6", - "type": "similar" } ], "uuid": "b1963876-dbdc-5beb-ace3-acb6d7705543", @@ -16712,10 +15759,6 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" - }, - { - "dest-uuid": "023254de-caaf-4a05-b2c7-e4e2f283f7a5", - "type": "similar" } ], "uuid": "2dd26ff0-22d6-591b-9054-78e84fa3e05c", @@ -16728,7 +15771,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5271", + "software_attack_id": "S3112", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -16800,10 +15843,6 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" - }, - { - "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", - "type": "similar" } ], "uuid": "82996f6f-0575-45cd-8f7c-ba1b063d5b9f", @@ -16823,12 +15862,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "bd2ebee8-7c38-408a-871d-221012104222", - "type": "similar" - } - ], + "related": [], "uuid": "e26988e0-e755-54a4-8234-e8f961266d82", "value": "NKAbuse" }, @@ -16894,10 +15928,6 @@ { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" - }, - { - "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", - "type": "similar" } ], "uuid": "fbb1546a-f288-4e43-9e5c-14c94423c4f6", @@ -16910,9 +15940,12 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5051", + "software_attack_id": "S3074", "source": "Tidal Cyber", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", "6070668f-1cbd-4878-8066-c636d1d8659c", @@ -16932,6 +15965,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" @@ -16971,10 +16008,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a", - "type": "similar" } ], "uuid": "31aa0433-fb6b-4290-8af5-a0d0c6c18548", @@ -17004,10 +16037,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb", - "type": "similar" } ], "uuid": "2538e0fe-1290-4ae1-aef9-e55d83c9eb23", @@ -17020,7 +16049,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5052", + "software_attack_id": "S3075", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", @@ -17041,7 +16070,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5018", + "software_attack_id": "S3057", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -17114,10 +16143,6 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" - }, - { - "dest-uuid": "5864e59f-eb4c-43ad-83b2-b5e4fae056c9", - "type": "similar" } ], "uuid": "97e8148c-e146-444c-9de5-6e2fdbda2f9f", @@ -17135,12 +16160,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "288fa242-e894-4c7e-ac86-856deedf5cea", - "type": "similar" - } - ], + "related": [], "uuid": "f1723994-058b-4525-8e11-2f0c80d8f3a4", "value": "OceanSalt" }, @@ -17160,15 +16180,39 @@ { "dest-uuid": "5f8c6ee0-f302-403b-b712-f1e3df064c0c", "type": "used-by" - }, - { - "dest-uuid": "e2031fd5-02c2-43d4-85e2-b64f474530c2", - "type": "similar" } ], "uuid": "8f04e609-8773-4529-b247-d32f530cc453", "value": "Octopus" }, + { + "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3155", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "0dd8fad0-9f4a-487d-b3f7-570bd2046e8a", + "value": "ODAgent" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used in Windows for managing ODBC connections\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\odbcconf.exe\n* C:\\Windows\\SysWOW64\\odbcconf.exe\n\n**Resources:**\n* [https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b](https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b)\n* [https://github.com/woanware/application-restriction-bypasses](https://github.com/woanware/application-restriction-bypasses)\n* [https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/](https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/)\n\n**Detection:**\n* Sigma: [proc_creation_win_odbcconf_response_file.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml)\n* Sigma: [proc_creation_win_odbcconf_response_file_susp.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)[[LOLBAS Odbcconf](/references/febcaaec-b535-4347-a4c7-b3284b251897)]", "meta": { @@ -17176,7 +16220,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5134", + "software_attack_id": "S3253", "source": "Tidal Cyber", "tags": [ "64825d12-3cd6-4446-a93c-ff7d8ec13dc8", @@ -17203,7 +16247,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5135", + "software_attack_id": "S3254", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -17217,6 +16261,62 @@ "uuid": "8bc7c62a-110d-451b-9ca6-bc48a13e72d4", "value": "OfflineScannerShell" }, + { + "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3153", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "01f8ef57-5c22-4dad-9300-12c0b0d63c1f", + "value": "OilBooster" + }, + { + "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3154", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "f41dcc5a-017d-4e79-86c1-c7055bd3b513", + "value": "OilCheck" + }, { "description": "[Okrum](https://app.tidalcyber.com/software/f9bcf0a1-f287-44ec-8f53-6859d41e041c) is a Windows backdoor that has been seen in use since December 2016 with strong links to [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8).[[ESET Okrum July 2019](https://app.tidalcyber.com/references/197163a8-1a38-4edd-ba73-f44e7a329f41)]", "meta": { @@ -17236,10 +16336,6 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" - }, - { - "dest-uuid": "4b6ec280-7bbb-48ff-ae59-b189520ebe83", - "type": "similar" } ], "uuid": "f9bcf0a1-f287-44ec-8f53-6859d41e041c", @@ -17264,10 +16360,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "type": "similar" } ], "uuid": "479814e2-2656-4ea2-9e79-fcdb818f703e", @@ -17292,10 +16384,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", - "type": "similar" } ], "uuid": "073b5288-11d6-4db0-9f2c-a1816847d15c", @@ -17308,7 +16396,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5136", + "software_attack_id": "S3255", "source": "Tidal Cyber", "tags": [ "b6116080-8fbf-4e9f-9206-20b025f2cf23", @@ -17342,10 +16430,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", - "type": "similar" } ], "uuid": "6056bf36-fb45-498d-a285-5f98ae08b090", @@ -17370,10 +16454,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", - "type": "similar" } ], "uuid": "4f1894d4-d085-4348-af50-dfda257a9e18", @@ -17386,7 +16466,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5230", + "software_attack_id": "S3351", "source": "Tidal Cyber", "tags": [ "1dd2d703-fed1-41d2-9843-7b276ef3d6f2", @@ -17408,7 +16488,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5273", + "software_attack_id": "S3017", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -17470,10 +16550,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", - "type": "similar" } ], "uuid": "45a52a29-00c0-458a-b705-1040e06a43f2", @@ -17495,10 +16571,6 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" - }, - { - "dest-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "type": "similar" } ], "uuid": "fa1e13b8-2fb7-42e8-b630-25f0edfbca65", @@ -17523,10 +16595,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", - "type": "similar" } ], "uuid": "a45904b5-0ada-4567-be4c-947146c7f574", @@ -17544,12 +16612,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f1314e75-ada8-49f4-b281-b1fb8b48f2a7", - "type": "similar" - } - ], + "related": [], "uuid": "4d91d625-21d8-484a-b63f-0a3daa4ed434", "value": "OSX/Shlayer" }, @@ -17569,10 +16632,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "80c815bb-b24a-4b9c-9d73-ff4c075a278d", - "type": "similar" } ], "uuid": "273b1e8d-a23d-4c22-8493-80f3d6639352", @@ -17598,10 +16657,6 @@ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" - }, - { - "dest-uuid": "c113230f-f044-423b-af63-9b63c802f5ae", - "type": "similar" } ], "uuid": "042fe42b-f60e-45e1-b47d-a913e0677976", @@ -17619,12 +16674,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "type": "similar" - } - ], + "related": [], "uuid": "6d8a8510-e6f1-49a7-b3a5-bd4664937147", "value": "OwaAuth" }, @@ -17640,12 +16690,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", - "type": "similar" - } - ], + "related": [], "uuid": "916f8a7c-e487-4446-b6ee-c8da712a9569", "value": "P2P ZeuS" }, @@ -17665,10 +16710,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "7c58fff0-d206-4db1-96b1-e3a9e0e320b9", - "type": "similar" } ], "uuid": "1933ad3d-3085-4b1b-82b9-ac51b440e2bf", @@ -17691,10 +16732,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "647215dd-29a6-4528-b354-ca8b5e08fca1", - "type": "similar" } ], "uuid": "13856c51-d81c-5d75-bb6a-0bbdcc857cdd", @@ -17727,10 +16764,6 @@ { "dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", "type": "used-by" - }, - { - "dest-uuid": "1b3b8f96-43b1-4460-8e02-1f53d7802fb9", - "type": "similar" } ], "uuid": "e90eb529-1665-5fd7-a44e-695715e4081b", @@ -17759,10 +16792,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "a545456a-f9a7-47ad-9ea6-8b017def38d1", - "type": "similar" } ], "uuid": "320b0784-4f0f-46ea-99e9-c34bfcca1c2e", @@ -17784,10 +16813,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", - "type": "similar" } ], "uuid": "3f018e73-d09b-4c8d-815b-8b2c8faf7055", @@ -17806,10 +16831,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", - "type": "similar" } ], "uuid": "8d007d52-8898-494c-8d72-354abd93da1e", @@ -17822,7 +16843,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5037", + "software_attack_id": "S3039", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -17870,10 +16891,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd", - "type": "similar" } ], "uuid": "4d79530c-2fd9-4438-a8da-74f42119695a", @@ -17900,10 +16917,6 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" - }, - { - "dest-uuid": "77ca1aa3-280c-4b67-abaa-e8fb891a8f83", - "type": "similar" } ], "uuid": "9aa21e50-726e-4002-8b7b-75697a03eb2b", @@ -17916,7 +16929,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5137", + "software_attack_id": "S3256", "source": "Tidal Cyber", "tags": [ "074533ec-e14a-4dc3-98ae-c029904e3d6d", @@ -17947,10 +16960,6 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" - }, - { - "dest-uuid": "e4feffc2-53d1-45c9-904e-adb9faca0d15", - "type": "similar" } ], "uuid": "873ede85-548b-5fc0-a29e-80bd5afc5bf4", @@ -17963,7 +16972,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5038", + "software_attack_id": "S3040", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -18021,10 +17030,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "3a53b207-aba2-4a2b-9cdb-273d633669e7", - "type": "similar" } ], "uuid": "71eb2211-39aa-4b89-bd51-9dcabd363149", @@ -18037,7 +17042,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5138", + "software_attack_id": "S3257", "source": "Tidal Cyber", "tags": [ "62496b72-7820-4512-b3f9-188464bb8161", @@ -18059,7 +17064,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5193", + "software_attack_id": "S3314", "source": "Tidal Cyber", "tags": [ "ff5c357e-6b9b-4ef3-a7ed-e5d4c0091c0c", @@ -18099,10 +17104,6 @@ { "dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", "type": "used-by" - }, - { - "dest-uuid": "79dd477a-8226-4b3d-ad15-28623675f221", - "type": "similar" } ], "uuid": "52a19c73-2454-4893-8f84-8d05c37a9472", @@ -18124,10 +17125,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "d18cb958-f4ad-4fb3-bb4f-e8994d206550", - "type": "similar" } ], "uuid": "951fad62-f636-4c01-b924-bb0ce87f5b20", @@ -18149,10 +17146,6 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" - }, - { - "dest-uuid": "6c2550d5-a01a-4bbb-a004-6ead348ba623", - "type": "similar" } ], "uuid": "1f080577-c002-4b49-a342-fa70983c1d58", @@ -18165,7 +17158,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5264", + "software_attack_id": "S3385", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -18186,9 +17179,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5279", + "software_attack_id": "S3119", "source": "Tidal Cyber", "tags": [ + "288f845a-9683-4bd7-a7a7-b25cbf297532", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -18216,7 +17210,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5307", + "software_attack_id": "S3086", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -18256,10 +17250,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", - "type": "similar" } ], "uuid": "fd63cec1-9f72-4ed0-9926-2dbbb3d9cead", @@ -18272,9 +17262,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5265", + "software_attack_id": "S3106", "source": "Tidal Cyber", "tags": [ + "ac70a2da-0b1a-40bd-9d1b-21b9ac789832", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], @@ -18310,10 +17301,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "bd7a9e13-69fa-4243-a5e5-04326a63f9f2", - "type": "similar" } ], "uuid": "db5d718b-1344-4aa2-8e6a-54e68d8adfb1", @@ -18338,10 +17325,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "type": "similar" } ], "uuid": "ba2208c8-5e1e-46cd-bef1-ffa7a2be3be4", @@ -18423,10 +17406,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", - "type": "similar" } ], "uuid": "4ea12106-c0a1-4546-bb64-a1675d9f5dc7", @@ -18439,7 +17418,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5003", + "software_attack_id": "S3012", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -18489,10 +17468,6 @@ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" - }, - { - "dest-uuid": "3a0f6128-0a01-421d-8eca-e57d8671b1f1", - "type": "similar" } ], "uuid": "4360cc62-7263-48b2-bd2a-a7737563545c", @@ -18514,10 +17489,6 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" - }, - { - "dest-uuid": "8393dac0-0583-456a-9372-fd81691bca20", - "type": "similar" } ], "uuid": "92744f7b-9f1a-472c-bae0-2d4a7ce68bb4", @@ -18539,10 +17510,6 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" - }, - { - "dest-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "type": "similar" } ], "uuid": "14e65c5d-5164-41a3-92de-67fdd1d529d2", @@ -18560,12 +17527,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "d79b1800-3b5d-4a4f-8863-8251eca793e2", - "type": "similar" - } - ], + "related": [], "uuid": "c0e56f14-9768-5547-abcb-aa3f220d0e40", "value": "PITSTOP" }, @@ -18576,7 +17538,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5139", + "software_attack_id": "S3258", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -18606,10 +17568,6 @@ { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" - }, - { - "dest-uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", - "type": "similar" } ], "uuid": "9445f18a-a796-447a-a35f-94a9fb72411c", @@ -18622,9 +17580,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5300", + "software_attack_id": "S3062", "source": "Tidal Cyber", "tags": [ + "8208249d-1f4c-4781-ba14-b591f74c081c", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -18664,10 +17623,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "b57f419e-8b12-49d3-886b-145383725dcd", - "type": "similar" } ], "uuid": "9a890a85-afbe-4c35-a3e7-1adad481bdf7", @@ -18680,7 +17635,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5041", + "software_attack_id": "S3043", "source": "Tidal Cyber", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", @@ -18797,10 +17752,6 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" - }, - { - "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "type": "similar" } ], "uuid": "070b56f4-7810-4dad-b85f-bdfce9c08c10", @@ -18822,10 +17773,6 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" - }, - { - "dest-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", - "type": "similar" } ], "uuid": "95c273d2-3081-4cb5-8d41-37eb4e90264d", @@ -18838,7 +17785,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5140", + "software_attack_id": "S3259", "source": "Tidal Cyber", "tags": [ "6d924d43-5de3-45de-8466-a8c47a5b9e68", @@ -18865,12 +17812,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", - "type": "similar" - } - ], + "related": [], "uuid": "79b4f277-3b18-4aa7-9f96-44b35b23166b", "value": "PoetRAT" }, @@ -18949,10 +17891,6 @@ { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" - }, - { - "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", - "type": "similar" } ], "uuid": "1d87a695-7989-49ae-ac1a-b6601db565c3", @@ -18977,10 +17915,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "3d57dcc4-be99-4613-9482-d5218f5ec13e", - "type": "similar" } ], "uuid": "3b7179fa-7b8b-4068-b224-d8d9c642964d", @@ -19001,12 +17935,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "222ba512-32d9-49ac-aefd-50ce981ce2ce", - "type": "similar" - } - ], + "related": [], "uuid": "555b612e-3f0d-421d-b2a7-63eb2d1ece5f", "value": "Pony" }, @@ -19026,10 +17955,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", - "type": "similar" } ], "uuid": "1353d695-5bae-4593-988f-9bd07a6fd1bb", @@ -19042,7 +17967,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5336", + "software_attack_id": "S3151", "source": "Tidal Cyber", "tags": [ "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", @@ -19103,10 +18028,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", - "type": "similar" } ], "uuid": "a3a03835-79bf-4558-8e80-7983aeb842fb", @@ -19131,10 +18052,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "type": "similar" } ], "uuid": "b92f28c4-cbc8-4721-ac79-2d8bdf5247e5", @@ -19159,10 +18076,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "type": "similar" } ], "uuid": "d9e4f4a1-dd41-424e-986a-b9a39ebea805", @@ -19176,6 +18089,9 @@ ], "software_attack_id": "S1012", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] @@ -19184,10 +18100,6 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" - }, - { - "dest-uuid": "35ee9bf3-264b-4411-8a8f-b58cec8f35e4", - "type": "similar" } ], "uuid": "8b9159c1-db48-472b-9897-34325da5dca7", @@ -19202,12 +18114,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", - "type": "similar" - } - ], + "related": [], "uuid": "018ee1d9-35af-49dc-a667-11b77cd76f46", "value": "Power Loader" }, @@ -19218,7 +18125,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5231", + "software_attack_id": "S3352", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -19251,10 +18158,6 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" - }, - { - "dest-uuid": "d52291b4-bb23-45a8-aef0-3dc7e986ba15", - "type": "similar" } ], "uuid": "e7cdaf70-5e28-442a-b34d-894484788dc5", @@ -19276,10 +18179,6 @@ { "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "type": "used-by" - }, - { - "dest-uuid": "53486bc7-7748-4716-8190-e4f1fde04c53", - "type": "similar" } ], "uuid": "2ca245de-77a9-4857-ba93-fd0d6988df9d", @@ -19304,10 +18203,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "type": "similar" } ], "uuid": "a4700431-6578-489f-9782-52e394277296", @@ -19374,10 +18269,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", - "type": "similar" } ], "uuid": "82fad10d-c921-4a87-a533-49def83d002b", @@ -19402,10 +18293,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", - "type": "similar" } ], "uuid": "837bcf97-37a7-4001-a466-306574fd7890", @@ -19430,10 +18317,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", - "type": "similar" } ], "uuid": "39fc59c6-f1aa-4c93-8e43-1f41563e9d9e", @@ -19447,6 +18330,9 @@ ], "software_attack_id": "S0371", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] @@ -19455,10 +18341,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b", - "type": "similar" } ], "uuid": "b3c28750-3825-4e4d-ab92-f39a6b0827dd", @@ -19471,7 +18353,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5039", + "software_attack_id": "S3041", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -19495,6 +18377,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" @@ -19526,7 +18412,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5294", + "software_attack_id": "S3016", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -19565,10 +18451,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "c19d19ae-dd58-4584-8469-966bbeaa80e3", - "type": "similar" } ], "uuid": "7ed984bb-d098-4d0a-90fd-b03e68842479", @@ -19593,10 +18475,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "type": "similar" } ], "uuid": "67cdb7a6-5142-43fa-8b8d-d9bdd2a4dae4", @@ -19609,7 +18487,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5141", + "software_attack_id": "S3260", "source": "Tidal Cyber", "tags": [ "0661bf1f-76ec-490c-937a-efa3f02bc59b", @@ -19633,6 +18511,7 @@ "software_attack_id": "S1058", "source": "MITRE", "tags": [ + "92ce4726-c01f-4e51-a36d-f72fcfa77d79", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], @@ -19644,10 +18523,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "1da748a5-875d-4212-9222-b4c23ab861be", - "type": "similar" } ], "uuid": "4fb5b109-5a5c-5441-a0f9-f639ead5405e", @@ -19668,12 +18543,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "type": "similar" - } - ], + "related": [], "uuid": "1da989a8-41cc-4e89-a435-a88acb72ae0d", "value": "Prikormka" }, @@ -19684,7 +18554,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5142", + "software_attack_id": "S3261", "source": "Tidal Cyber", "tags": [ "01aca077-8cfb-4d1d-9b83-3678cd26f050", @@ -19706,7 +18576,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5143", + "software_attack_id": "S3262", "source": "Tidal Cyber", "tags": [ "37a70ca8-a027-458c-9a48-7e0d307462be", @@ -19728,7 +18598,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5036", + "software_attack_id": "S3038", "source": "Tidal Cyber", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", @@ -19771,7 +18641,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5040", + "software_attack_id": "S3042", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -19829,12 +18699,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "471d0e9f-2c8a-4e4b-8f3b-f85d2407806e", - "type": "similar" - } - ], + "related": [], "uuid": "c8af096e-c71e-4751-b203-70c285b7a7bd", "value": "ProLock" }, @@ -19845,7 +18710,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5232", + "software_attack_id": "S3353", "source": "Tidal Cyber", "tags": [ "77131d00-b8b2-42ef-afbd-1fbfc12729df", @@ -19872,12 +18737,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", - "type": "similar" - } - ], + "related": [], "uuid": "d3bcdbc4-5998-4e50-bd45-cba6a3278427", "value": "Proton" }, @@ -19888,7 +18748,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5144", + "software_attack_id": "S3263", "source": "Tidal Cyber", "tags": [ "9e5ec91c-0d0f-4e40-846d-d7b7eb941e17", @@ -19903,6 +18763,34 @@ "uuid": "83e1ac24-3928-40ba-b701-d72549a9430c", "value": "Provlaunch" }, + { + "description": "According to joint Cybersecurity Advisory AA24-249A (September 2024), ProxyChains is \"a tool used to route internal traffic through a series of proxies\". It has been abused by adversaries including Unit 29155 Russian military cyber actors.[[U.S. CISA Unit 29155 September 5 2024](/references/9631a46d-3e0a-4f25-962b-0b2501c47926)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "macOS", + "Linux" + ], + "software_attack_id": "S3168", + "source": "Tidal Cyber", + "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", + "be319849-fb2c-4b5f-8055-0bde562c280b" + ], + "type": [ + "tool" + ] + }, + "related": [], + "uuid": "b62c13d5-729c-46a8-ae4d-98bc1ab919cb", + "value": "ProxyChains" + }, { "description": "[Proxysvc](https://app.tidalcyber.com/software/94f43629-243e-49dc-8c2b-cdf4fc15cf83) is a malicious DLL used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://app.tidalcyber.com/software/94f43629-243e-49dc-8c2b-cdf4fc15cf83) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. [[McAfee GhostSecret](https://app.tidalcyber.com/references/d1cd4f5b-253c-4833-8905-49fb58e7c016)]", "meta": { @@ -19919,10 +18807,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "069af411-9b24-4e85-b26c-623d035bbe84", - "type": "similar" } ], "uuid": "94f43629-243e-49dc-8c2b-cdf4fc15cf83", @@ -19940,12 +18824,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "13183cdf-280b-46be-913a-5c6df47831e7", - "type": "similar" - } - ], + "related": [], "uuid": "8cd401ac-a233-4395-a8ae-d75db9d5b845", "value": "PS1" }, @@ -19958,6 +18837,8 @@ "software_attack_id": "S0029", "source": "MITRE", "tags": [ + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -19985,6 +18866,10 @@ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" @@ -20160,10 +19045,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "type": "similar" } ], "uuid": "73eb32af-4bd3-4e21-8048-355edc55a9c6", @@ -20176,7 +19057,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5145", + "software_attack_id": "S3264", "source": "Tidal Cyber", "tags": [ "08f4ef8d-94bb-42f7-b76d-71bcc809bcc9", @@ -20207,10 +19088,6 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" - }, - { - "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "type": "similar" } ], "uuid": "8c35d349-2f70-4edb-8668-e1cc2b67e4a0", @@ -20235,15 +19112,65 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" - }, - { - "dest-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "type": "similar" } ], "uuid": "7fed4276-807e-4656-95f5-90878b6e2dbb", "value": "Pteranodon" }, + { + "description": "PTSOCKET is an exfiltration tool, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3175", + "source": "Tidal Cyber", + "tags": [ + "8bf128ad-288b-41bc-904f-093f4fdde745", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "c1215fe3-95e4-49e1-9cb2-54d1827df0aa", + "value": "PTSOCKET" + }, + { + "description": "PUBLOAD is a multi-purpose tool primarily used to orchestrate command and control, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3176", + "source": "Tidal Cyber", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "13ee9058-0902-484e-8096-670c882cb18d", + "value": "PUBLOAD" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Proxy execution with Pubprn.vbs\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\n* C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\n\n**Resources:**\n* [https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/](https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/)\n* [https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology](https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology)\n* [https://github.com/enigma0x3/windows-operating-system-archaeology](https://github.com/enigma0x3/windows-operating-system-archaeology)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_pubprn.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml)[[Pubprn.vbs - LOLBAS Project](/references/d2b6b9fd-5f80-41c0-ac22-06b78c86a9e5)]", "meta": { @@ -20251,7 +19178,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5260", + "software_attack_id": "S3381", "source": "Tidal Cyber", "tags": [ "8177e8ac-f80d-477d-b0af-c2ea243ddf00", @@ -20288,10 +19215,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "9a097d18-d15f-4635-a4f1-189df7efdc40", - "type": "similar" } ], "uuid": "d777204c-f93c-54d9-b80e-41641a3d55ce", @@ -20304,7 +19227,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5068", + "software_attack_id": "S3093", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -20344,10 +19267,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", - "type": "similar" } ], "uuid": "d8999d60-3818-4d75-8756-8a55531254d8", @@ -20372,10 +19291,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", - "type": "similar" } ], "uuid": "1638d99b-fbcf-40ec-ac48-802ce5be520a", @@ -20404,10 +19319,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", - "type": "similar" } ], "uuid": "0a8bedc2-b404-4a9a-b4f5-ff90ff8294be", @@ -20420,7 +19331,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5291", + "software_attack_id": "S3007", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -20442,9 +19353,11 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5065", + "software_attack_id": "S3090", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", "af5e9be5-b86e-47af-91dd-966a5e34a186", "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", @@ -20463,6 +19376,14 @@ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" @@ -20484,6 +19405,7 @@ "software_attack_id": "S0006", "source": "MITRE", "tags": [ + "c1f5abc0-340f-4b93-96d7-ca6ea7942b64", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ @@ -20514,10 +19436,6 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" - }, - { - "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", - "type": "similar" } ], "uuid": "77f629db-d971-49d8-8b73-c7c779b7de3e", @@ -20542,10 +19460,6 @@ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" - }, - { - "dest-uuid": "2ac41e8b-4865-4ced-839d-78e7852c47f3", - "type": "similar" } ], "uuid": "51b2c56e-7d64-4e15-b1bd-45a980c9c44d", @@ -20568,12 +19482,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a19c1197-9414-46e3-986f-0f609ff4a46b", - "type": "similar" - } - ], + "related": [], "uuid": "e0d5ecce-eca0-4f01-afcc-0c8e92323016", "value": "Pysa" }, @@ -20613,10 +19522,6 @@ { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" - }, - { - "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9", - "type": "similar" } ], "uuid": "9050b418-5ffd-481a-a30d-f9059b0871ea", @@ -20630,7 +19535,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5326", + "software_attack_id": "S3141", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -20660,7 +19565,7 @@ "platforms": [ "Linux" ], - "software_attack_id": "S5310", + "software_attack_id": "S3123", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -20678,6 +19583,33 @@ "uuid": "01a33c16-7eb3-4494-8c05-b163f871b951", "value": "Qilin Ransomware (Linux)" }, + { + "description": "This object reflects ATT&CK Techniques associated with 7777 or Quad7, a botnet used to compromise network devices such as TP-LINK small office/home office (\"SOHO\") routers and use the infected devices to relay password spraying attacks against Microsoft 365 accounts.\n\nAdditional Techniques associated with the botnet's operators can be found in the related Group object, \"Quad7 Botnet Operators\".[[Sekoia.io Blog July 23 2024](/references/ae84e72a-56b3-4dc4-b053-d3766764ac0d)][[Sekoia.io Blog September 9 2024](/references/eb4a1888-3b04-449b-9738-d96ae26adfee)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Network" + ], + "software_attack_id": "S3171", + "source": "Tidal Cyber", + "tags": [ + "e809d252-12cc-494d-94f5-954c49eb87ce", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "bf3d1108-0bcd-47ae-8d71-4df48e3e2b43", + "type": "used-by" + } + ], + "uuid": "adcf70d6-74e0-4436-bc92-f05bc924bf80", + "value": "Quad7 Botnet" + }, { "description": "[QUADAGENT](https://app.tidalcyber.com/software/2bf68242-1dbd-405b-ac35-330eda887081) is a PowerShell backdoor used by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2). [[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)]", "meta": { @@ -20697,15 +19629,44 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", - "type": "similar" } ], "uuid": "2bf68242-1dbd-405b-ac35-330eda887081", "value": "QUADAGENT" }, + { + "description": "Quantum Locker is a ransomware payload that derives from the MountLocker, AstroLocker, and XingLocker ransomware families. Actors that deploy Quantum ransomware are known to publicly extort their victims.[[Cybereason Quantum Ransomware May 9 2022](/references/19027620-216a-4921-8d78-f56377778a12)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3184", + "source": "Tidal Cyber", + "tags": [ + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + } + ], + "uuid": "b0c18cd8-a859-4cd2-9558-33e5bcd4610c", + "value": "Quantum Locker" + }, { "description": "[QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is developed in the C# language.[[GitHub QuasarRAT](https://app.tidalcyber.com/references/c87e4427-af97-4e93-9596-ad5a588aa171)][[Volexity Patchwork June 2018](https://app.tidalcyber.com/references/d3ed7dd9-0941-4160-aa6a-c0244c63560f)]", "meta": { @@ -20741,10 +19702,6 @@ { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" - }, - { - "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", - "type": "similar" } ], "uuid": "4bab7c2b-5ec4-467e-8df4-f2e6996e136b", @@ -20757,7 +19714,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5319", + "software_attack_id": "S3134", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -20795,12 +19752,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "93289ecf-4d15-4d6b-a9c3-4ab27e145ef4", - "type": "similar" - } - ], + "related": [], "uuid": "52d3515c-5184-5257-bf24-56adccb4cccd", "value": "QUIETCANARY" }, @@ -20823,10 +19775,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "4816d361-f82b-4a18-aa05-b215e7cf9200", - "type": "similar" } ], "uuid": "947ab087-7550-577f-9ae9-5e82e9910610", @@ -20851,10 +19799,6 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" - }, - { - "dest-uuid": "03eb4a05-6a02-43f6-afb7-3c7835501828", - "type": "similar" } ], "uuid": "dcdb74c5-4445-49bd-9f9c-236a7ecc7904", @@ -20867,7 +19811,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5053", + "software_attack_id": "S3076", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -20908,7 +19852,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5070", + "software_attack_id": "S3095", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", @@ -20934,7 +19878,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5281", + "software_attack_id": "S3120", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -20976,8 +19920,6 @@ "software_attack_id": "S0481", "source": "MITRE", "tags": [ - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2feda37d-5579-4102-a073-aa02e82cb49f", "cb5803f0-8ab4-4ada-8540-7758dfc126e2", "5e7433ad-a894-4489-93bc-41e90da90019", "a2e000da-8181-4327-bacd-32013dbd3654", @@ -20991,10 +19933,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "54895630-efd2-4608-9c24-319de972a9eb", - "type": "similar" } ], "uuid": "d25f7acd-a995-4b8b-8ffe-ccc9703cdf5f", @@ -21019,10 +19957,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19", - "type": "similar" } ], "uuid": "80295aeb-59e3-4c5d-ac39-9879158f8d23", @@ -21044,10 +19978,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "29231689-5837-4a7a-aafc-1b65b3f50cc7", - "type": "similar" } ], "uuid": "42b775bd-0c1d-4ad3-8f7f-cbb0ba84e19e", @@ -21065,12 +19995,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", - "type": "similar" - } - ], + "related": [], "uuid": "dc307b3c-9bc5-4624-b0bc-4807fa1fc57b", "value": "Ramsay" }, @@ -21081,9 +20006,12 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5325", + "software_attack_id": "S3140", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", + "15787198-6c8b-4f79-bf50-258d55072fee", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", @@ -21107,6 +20035,10 @@ { "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" + }, + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" } ], "uuid": "a3044fb5-3aae-4590-b589-cc88bf0d1f34", @@ -21129,15 +20061,41 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "880f7b3e-ad27-4158-8b03-d44c9357950b", - "type": "similar" } ], "uuid": "129abb68-7992-554e-92fa-fa376279c0b6", "value": "RAPIDPULSE" }, + { + "description": "Raptor Train is a large botnet, linked to Chinese espionage actor Flax Typhoon, that consisted of compromised small office/home office (SOHO) and IoT devices. Raptor Train is believed to have acted as a proxy to conceal further malicious activity such as targeted compromises of U.S. and Taiwanese networks.[[Black Lotus Raptor Train September 18 2024](/references/21e26577-887b-4b8c-a3f8-4ab8868bed69)][[FBI PRC Botnet September 18 2024](/references/cfb6f191-6c43-423b-9289-02beb3d721d1)]\n\nInitial compromises typically occurred through exploit of a large number of previously disclosed vulnerabilities, a list of which is provided in a [September 2024 U.S. cybersecurity advisory](https://www.ic3.gov/Media/News/2024/240918.pdf).[[FBI PRC Botnet September 18 2024](/references/cfb6f191-6c43-423b-9289-02beb3d721d1)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Network" + ], + "software_attack_id": "S3188", + "source": "Tidal Cyber", + "tags": [ + "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a", + "a159c91c-5258-49ea-af7d-e803008d97d3", + "70dc52b0-f317-4134-8a42-71aea1443707", + "b20e7912-6a8d-46e3-8e13-9a3fc4813852", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", + "type": "used-by" + } + ], + "uuid": "6d516363-4f83-4ba9-9726-1821b167e5e3", + "value": "Raptor Train" + }, { "description": "[RARSTONE](https://app.tidalcyber.com/software/a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2) is malware used by the [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) group that has some characteristics similar to [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10). [[Aquino RARSTONE](https://app.tidalcyber.com/references/2327592e-4e8a-481e-bdf9-d548c776adee)]", "meta": { @@ -21157,10 +20115,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "8c553311-0baa-4146-997a-f79acef3d831", - "type": "similar" } ], "uuid": "a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2", @@ -21173,7 +20127,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5146", + "software_attack_id": "S3265", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -21194,9 +20148,14 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5002", + "software_attack_id": "S3011", "source": "Tidal Cyber", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "e809d252-12cc-494d-94f5-954c49eb87ce" @@ -21230,10 +20189,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c", - "type": "similar" } ], "uuid": "40466d7d-a107-46aa-a6fc-180e0eef2c6b", @@ -21255,10 +20210,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", - "type": "similar" } ], "uuid": "d86a562d-d235-4481-9a3f-273fa3ebe89a", @@ -21280,10 +20231,6 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" - }, - { - "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "type": "similar" } ], "uuid": "6ea1bf95-fed8-4b94-8071-aa19a3af5e34", @@ -21300,6 +20247,8 @@ "software_attack_id": "S1040", "source": "MITRE", "tags": [ + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "d903e38b-600d-4736-9e3b-cf1a6e436481", "d819ae1a-e385-49fd-88d5-f66660729ecb", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -21327,6 +20276,10 @@ "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -21374,10 +20327,6 @@ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" - }, - { - "dest-uuid": "59096109-a1dd-463b-87e7-a8d110fe3a79", - "type": "similar" } ], "uuid": "1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4", @@ -21406,10 +20355,6 @@ { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" - }, - { - "dest-uuid": "03acae53-9b98-46f6-b204-16b930839055", - "type": "similar" } ], "uuid": "38c4d208-fe38-4965-871c-709fa1479ba3", @@ -21422,7 +20367,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5233", + "software_attack_id": "S3354", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -21455,10 +20400,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "4b346d12-7f91-48d2-8f06-b26ffa0d825b", - "type": "similar" } ], "uuid": "567da30e-fd4d-4ec5-a308-bf08788f3bfb", @@ -21483,10 +20424,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "065196de-d7e8-4888-acfb-b2134022ba1b", - "type": "similar" } ], "uuid": "ca4e973c-da15-46a9-8f3a-0b1560c9a783", @@ -21499,7 +20436,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5012", + "software_attack_id": "S3052", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -21529,7 +20466,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5147", + "software_attack_id": "S3266", "source": "Tidal Cyber", "tags": [ "9fbc403c-bd2e-458a-a202-a65b8201e973", @@ -21556,12 +20493,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "type": "similar" - } - ], + "related": [], "uuid": "ca544771-d43e-4747-80e5-cf0f4a4836f3", "value": "Reaver" }, @@ -21581,10 +20513,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "type": "similar" } ], "uuid": "5264c3ab-14e1-4ae1-854e-889ebde029b4", @@ -21654,10 +20582,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", - "type": "similar" } ], "uuid": "d796615c-fa3d-4afd-817a-1a3db8c73532", @@ -21670,7 +20594,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5148", + "software_attack_id": "S3268", "source": "Tidal Cyber", "tags": [ "7d31d8f7-375b-4fb3-a631-51b42e58d95a", @@ -21704,10 +20628,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "47124daf-44be-4530-9c63-038bc64318dd", - "type": "similar" } ], "uuid": "52dc08d8-82cc-46dc-91ae-383193d72963", @@ -21720,7 +20640,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5149", + "software_attack_id": "S3269", "source": "Tidal Cyber", "tags": [ "36affa3d-c949-4e1b-8667-299490580dd5", @@ -21747,12 +20667,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "type": "similar" - } - ], + "related": [], "uuid": "e88bf527-bb9c-45c3-b86b-04a07dcd91fd", "value": "Regin" }, @@ -21763,7 +20678,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5150", + "software_attack_id": "S3270", "source": "Tidal Cyber", "tags": [ "288c6e19-cf6c-451a-aff3-547f371ff4ad", @@ -21785,7 +20700,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5151", + "software_attack_id": "S3271", "source": "Tidal Cyber", "tags": [ "d379a1fb-1028-4986-ae6c-eb8cc068aa68", @@ -21807,7 +20722,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5152", + "software_attack_id": "S3272", "source": "Tidal Cyber", "tags": [ "141e4dce-00be-4bd7-9f81-6202939f0359", @@ -21829,7 +20744,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5153", + "software_attack_id": "S3273", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -21895,6 +20810,7 @@ "software_attack_id": "S0332", "source": "MITRE", "tags": [ + "db8f1478-995a-4d9e-ad48-fd8583730e0b", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ @@ -21909,10 +20825,6 @@ { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" - }, - { - "dest-uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14", - "type": "similar" } ], "uuid": "2eb92fa8-514e-4018-adc4-c9fe4f082567", @@ -21934,10 +20846,6 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" - }, - { - "dest-uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", - "type": "similar" } ], "uuid": "82d0bb4d-4711-49e3-9fe5-c522bbe5e8bb", @@ -21950,7 +20858,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5234", + "software_attack_id": "S3355", "source": "Tidal Cyber", "tags": [ "828f1559-b13d-4426-9dcf-5f601fcb6ff0", @@ -21981,10 +20889,6 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" - }, - { - "dest-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", - "type": "similar" } ], "uuid": "57fa64ea-975a-470a-a194-3428148ae9ee", @@ -22006,10 +20910,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "03c6e0ea-96d3-4b23-9afb-05055663cf4b", - "type": "similar" } ], "uuid": "8a7fa0df-c688-46be-94bf-462fae33b788", @@ -22031,10 +20931,6 @@ { "dest-uuid": "deb573c6-071a-4b50-9e92-4aa648d8bdc1", "type": "used-by" - }, - { - "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "type": "similar" } ], "uuid": "e3729cff-f25e-4c01-a7a1-e8b83e903b30", @@ -22047,7 +20943,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5154", + "software_attack_id": "S3274", "source": "Tidal Cyber", "tags": [ "accb4d24-4b40-41ce-ae2e-adcca7e80b41", @@ -22068,6 +20964,8 @@ "software_attack_id": "S0174", "source": "MITRE", "tags": [ + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "15787198-6c8b-4f79-bf50-258d55072fee", "af5e9be5-b86e-47af-91dd-966a5e34a186", "6070668f-1cbd-4878-8066-c636d1d8659c", "d8f7e071-fbfd-46f8-b431-e241bb1513ac", @@ -22087,10 +20985,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", - "type": "similar" } ], "uuid": "2a5ea3a7-9873-4a2e-b4b5-4e27a80db305", @@ -22116,10 +21010,6 @@ { "dest-uuid": "830079fe-9824-405b-93e0-c28592155c49", "type": "used-by" - }, - { - "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", - "type": "similar" } ], "uuid": "f99712b4-37a2-437c-92d7-fb4f94a1f892", @@ -22134,6 +21024,7 @@ "software_attack_id": "S0496", "source": "MITRE", "tags": [ + "e755f9bf-0007-411c-950d-4b66934298b4", "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "286918d5-0b48-4655-9118-907b53de0ee0", @@ -22165,10 +21056,6 @@ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" - }, - { - "dest-uuid": "ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "type": "similar" } ], "uuid": "9314531e-bf46-4cba-9c19-198279ccf9cd", @@ -22193,10 +21080,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", - "type": "similar" } ], "uuid": "d5649d69-52d4-4198-9683-b250348dea32", @@ -22209,9 +21092,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5302", + "software_attack_id": "S3065", "source": "Tidal Cyber", "tags": [ + "abea659c-fe23-4252-afc0-17b8adaa24f7", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -22223,6 +21107,10 @@ ] }, "related": [ + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" @@ -22247,10 +21135,6 @@ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" - }, - { - "dest-uuid": "44c75271-0e4d-496f-ae0a-a6d883a42a65", - "type": "similar" } ], "uuid": "ca5ae7c8-467a-4434-82fc-db50ce3fc671", @@ -22272,10 +21156,6 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" - }, - { - "dest-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", - "type": "similar" } ], "uuid": "00fa4cc2-6f99-4b18-b927-689964ef57e1", @@ -22293,12 +21173,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "56e6b6c2-e573-4969-8bab-783205cebbbf", - "type": "similar" - } - ], + "related": [], "uuid": "19b1f1c8-5ef3-4328-b605-38e0bafc084d", "value": "Rising Sun" }, @@ -22318,10 +21193,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "6dbdc657-d8e0-4f2f-909b-7251b3e72c6d", - "type": "similar" } ], "uuid": "15bc8e94-64d1-4f1f-bc99-08cfbac417dc", @@ -22344,12 +21215,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0a607c53-df52-45da-a75d-0e53df4dad5f", - "type": "similar" - } - ], + "related": [], "uuid": "b65956ef-439a-463d-b85e-6606467f508a", "value": "RobbinHood" }, @@ -22369,10 +21235,6 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" - }, - { - "dest-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", - "type": "similar" } ], "uuid": "cb7aa34e-312f-4210-be7b-47a1e3f5b7b5", @@ -22394,10 +21256,6 @@ { "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", "type": "used-by" - }, - { - "dest-uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", - "type": "similar" } ], "uuid": "852cf78d-9cdc-4971-a972-405921027436", @@ -22422,10 +21280,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", - "type": "similar" } ], "uuid": "a3479628-af0b-4088-8d2a-fafa384731dd", @@ -22438,7 +21292,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5295", + "software_attack_id": "S3018", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -22474,10 +21328,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "08e844a8-371f-4fe3-9d1f-e056e64a7fde", - "type": "similar" } ], "uuid": "169bfcf6-544c-5824-a7cd-2d5070304b57", @@ -22500,10 +21350,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", - "type": "similar" } ], "uuid": "3b755518-9085-474e-8bc4-4f9344d9c8af", @@ -22521,12 +21367,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "type": "similar" - } - ], + "related": [], "uuid": "ef38ff3e-fa36-46f2-a720-3abaca167b04", "value": "Rover" }, @@ -22539,6 +21380,7 @@ "software_attack_id": "S1073", "source": "MITRE", "tags": [ + "b05fef45-bf36-47a0-b96a-cc76ac8a4f1e", "e551ae97-d1b4-484e-9267-89f33829ec2c", "a2e000da-8181-4327-bacd-32013dbd3654", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -22557,10 +21399,6 @@ { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" - }, - { - "dest-uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21", - "type": "similar" } ], "uuid": "221e24cb-910f-5988-9473-578ef350870c", @@ -22573,7 +21411,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5155", + "software_attack_id": "S3275", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -22594,7 +21432,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5076", + "software_attack_id": "S3101", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" @@ -22628,10 +21466,6 @@ { "dest-uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd", "type": "used-by" - }, - { - "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "type": "similar" } ], "uuid": "1836485e-a3a6-4fae-a15d-d0990788811a", @@ -22659,6 +21493,10 @@ "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" }, + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" @@ -22670,10 +21508,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "e33267fe-099f-4af2-8730-63d49f8813b2", - "type": "similar" } ], "uuid": "2e54f40c-ab62-535e-bbab-3f3a835ff55a", @@ -22696,10 +21530,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", - "type": "similar" } ], "uuid": "69563cbd-7dc1-4396-b576-d5886df11046", @@ -22712,7 +21542,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5156", + "software_attack_id": "S3276", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -22812,7 +21642,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5157", + "software_attack_id": "S3277", "source": "Tidal Cyber", "tags": [ "270a347d-d2e1-4d46-9b32-37e8d7264301", @@ -22839,12 +21669,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "60d50676-459a-47dd-92e9-a827a9fe9c58", - "type": "similar" - } - ], + "related": [], "uuid": "e8afda1f-fa83-4fc3-b6fb-7d5daca7173f", "value": "RunningRAT" }, @@ -22855,7 +21680,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5158", + "software_attack_id": "S3278", "source": "Tidal Cyber", "tags": [ "065db33d-c152-4ba9-8bf9-13616f78ae05", @@ -22877,7 +21702,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5159", + "software_attack_id": "S3279", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -22900,6 +21725,7 @@ "software_attack_id": "S0446", "source": "MITRE", "tags": [ + "74eb9cdd-409f-41d6-bb4f-39af6d1b3232", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "562e535e-19f5-4d6c-81ed-ce2aec544f09", @@ -22926,10 +21752,6 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" - }, - { - "dest-uuid": "a020a61c-423f-4195-8c46-ba1d21abba37", - "type": "similar" } ], "uuid": "8ae86854-4cdc-49eb-895a-d1fa742f7974", @@ -22954,10 +21776,6 @@ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" - }, - { - "dest-uuid": "7724581b-06ff-4d2b-b77c-80dc8d53070b", - "type": "similar" } ], "uuid": "d66e5d18-e9f5-4091-bdf4-acdac129e2e0", @@ -22982,15 +21800,39 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" - }, - { - "dest-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "type": "similar" } ], "uuid": "a316c704-144a-4d14-8e4e-685bb6ae391c", "value": "Sakula" }, + { + "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3156", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "5276226d-5453-42db-8701-a83b2b061b5b", + "value": "SampleCheck5000" + }, { "description": "[SamSam](https://app.tidalcyber.com/software/88831e9f-453e-466f-9510-9acaa1f20368) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[[US-CERT SamSam 2018](https://app.tidalcyber.com/references/b9d14fea-2330-4eed-892c-b4e05a35d273)][[Talos SamSam Jan 2018](https://app.tidalcyber.com/references/0965bb64-be96-46b9-b60f-6829c43a661f)][[Sophos SamSam Apr 2018](https://app.tidalcyber.com/references/4da5e9c3-7205-4a6e-b147-be7c971380f0)][[Symantec SamSam Oct 2018](https://app.tidalcyber.com/references/c5022a91-bdf4-4187-9967-dfe6362219ea)]", "meta": { @@ -23007,12 +21849,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", - "type": "similar" - } - ], + "related": [], "uuid": "88831e9f-453e-466f-9510-9acaa1f20368", "value": "SamSam" }, @@ -23032,10 +21869,6 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" - }, - { - "dest-uuid": "ae91fb8f-5031-4f57-9839-e3be3ed503f0", - "type": "similar" } ], "uuid": "bd75c822-7be6-5e6f-bd2e-0512be6d38d9", @@ -23057,10 +21890,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb", - "type": "similar" } ], "uuid": "9ab0d523-3496-5e64-9ca1-bb756f5e64e0", @@ -23073,7 +21902,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5160", + "software_attack_id": "S3280", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -23087,6 +21916,56 @@ "uuid": "41be663f-ecc9-4ab6-afeb-c52737f84858", "value": "Sc" }, + { + "description": "Scarab is a ransomware written in Delphi.[[WeLiveSecurity Scarab August 22 2023](/references/7cbf97fe-1809-4089-b386-a8bfd083df39)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3181", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" + } + ], + "uuid": "da077c2b-9e7a-4f35-b187-af2876496799", + "value": "Scarab Ransomware" + }, + { + "description": "ScService is a custom tool used by CosmicBeetle, mainly used as an orchestrator for other tools during the group's intrusions.[[WeLiveSecurity Scarab August 22 2023](/references/7cbf97fe-1809-4089-b386-a8bfd083df39)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3180", + "source": "Tidal Cyber", + "tags": [ + "be319849-fb2c-4b5f-8055-0bde562c280b", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "3d3f0187-d08a-468a-8956-b3502fdeaea5", + "value": "ScHackTool" + }, { "description": "[schtasks](https://app.tidalcyber.com/software/2aacbf3a-a359-41d2-9a71-76447f0545b5) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. [[TechNet Schtasks](https://app.tidalcyber.com/references/17c03e27-222d-41b5-9fa2-34f0939e5371)]", "meta": { @@ -23151,15 +22030,39 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", - "type": "similar" } ], "uuid": "2aacbf3a-a359-41d2-9a71-76447f0545b5", "value": "schtasks" }, + { + "description": "ScRansom is a custom ransomware used by the CosmicBeetle group, serving as a successor to the previously used Scarab Ransomware.[[WeLiveSecurity CosmicBeetle September 10 2024](/references/8debba29-4d6d-41d2-8772-f97c7d49056b)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3178", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" + } + ], + "uuid": "34964908-7162-4bcc-ab2a-d0dc1b3b82ef", + "value": "ScRansom" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Execute binary through proxy binary to evade defensive counter measures\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\scriptrunner.exe\n* C:\\Windows\\SysWOW64\\scriptrunner.exe\n\n**Resources:**\n* [https://twitter.com/KyleHanslovan/status/914800377580503040](https://twitter.com/KyleHanslovan/status/914800377580503040)\n* [https://twitter.com/NickTyrer/status/914234924655312896](https://twitter.com/NickTyrer/status/914234924655312896)\n* [https://github.com/MoooKitty/Code-Execution](https://github.com/MoooKitty/Code-Execution)\n\n**Detection:**\n* Sigma: [proc_creation_win_servu_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml)\n* IOC: Scriptrunner.exe should not be in use unless App-v is deployed[[Scriptrunner.exe - LOLBAS Project](/references/805d16cc-8bd0-4f80-b0ac-c5b5df51427c)]", "meta": { @@ -23167,7 +22070,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5161", + "software_attack_id": "S3282", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -23188,7 +22091,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5194", + "software_attack_id": "S3315", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -23202,6 +22105,28 @@ "uuid": "101f7867-9c5c-482e-b26e-9fdb8ff9b2c7", "value": "Scrobj" }, + { + "description": "ScService is a custom, \"simple\" backdoor used by the CosmicBeetle group.[[WeLiveSecurity Scarab August 22 2023](/references/7cbf97fe-1809-4089-b386-a8bfd083df39)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3179", + "source": "Tidal Cyber", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "f9840d08-eb55-4c19-a1af-964e10dae0d4", + "value": "ScService" + }, { "description": "[SDBbot](https://app.tidalcyber.com/software/046bbd0c-bff5-46fc-9028-cbe46a9f8ec5) is a backdoor with installer and loader components that has been used by [TA505](https://app.tidalcyber.com/groups/b3220638-6682-4a4e-ab64-e7dc4202a3f1) since at least 2019.[[Proofpoint TA505 October 2019](https://app.tidalcyber.com/references/711ea2b3-58e2-4b38-aa71-877029c12e64)][[IBM TA505 April 2020](https://app.tidalcyber.com/references/bcef8bf8-5fc2-4921-b920-74ef893b8a27)]", "meta": { @@ -23221,10 +22146,6 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "92b03a94-7147-4952-9d5a-b4d24da7487c", - "type": "similar" } ], "uuid": "046bbd0c-bff5-46fc-9028-cbe46a9f8ec5", @@ -23261,10 +22182,6 @@ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" - }, - { - "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", - "type": "similar" } ], "uuid": "3d4be65d-231b-44bb-8d12-5038a3d48bae", @@ -23289,10 +22206,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "type": "similar" } ], "uuid": "ae30d58e-21c5-41a4-9ebb-081dc1f26863", @@ -23314,10 +22227,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", - "type": "similar" } ], "uuid": "3527b09b-f3f6-4716-9f90-64ea7d3b9d8a", @@ -23342,10 +22251,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "type": "similar" } ], "uuid": "42c8504c-8a18-46d2-a145-35b0cd8ba669", @@ -23358,7 +22263,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5042", + "software_attack_id": "S3044", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -23393,9 +22298,13 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5072", + "software_attack_id": "S3097", "source": "Tidal Cyber", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "61b7b81d-3f98-4bed-97a9-d6c536b8969b", "35e694ec-5133-46e3-b7e1-5831867c3b55", @@ -23435,7 +22344,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5329", + "software_attack_id": "S3144", "source": "Tidal Cyber", "tags": [ "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", @@ -23478,10 +22387,6 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "aae22730-e571-4d17-b037-65f2a3e26213", - "type": "similar" } ], "uuid": "704ed49d-103c-4b33-b85c-73670cc1d719", @@ -23503,12 +22408,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f931a0b9-0361-4b1b-bacf-955062c35746", - "type": "similar" - } - ], + "related": [], "uuid": "fb47c051-d22b-4a05-94a7-cf979419b60a", "value": "Seth-Locker" }, @@ -23519,7 +22419,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5162", + "software_attack_id": "S3283", "source": "Tidal Cyber", "tags": [ "d75511ab-cbff-46d3-8268-427e3cff134a", @@ -23541,7 +22441,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5163", + "software_attack_id": "S3284", "source": "Tidal Cyber", "tags": [ "8929bc83-9ed6-4579-b837-40236b59b383", @@ -23563,7 +22463,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5195", + "software_attack_id": "S3316", "source": "Tidal Cyber", "tags": [ "da405033-3571-4f98-9810-53d9df1ac0fb", @@ -23587,6 +22487,7 @@ "software_attack_id": "S0596", "source": "MITRE", "tags": [ + "a7346d6d-d5c9-497c-b3b3-54fb95dd4d68", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ @@ -23613,10 +22514,6 @@ { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" - }, - { - "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", - "type": "similar" } ], "uuid": "5190f50d-7e54-410a-9961-79ab751ddbab", @@ -23637,12 +22534,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "type": "similar" - } - ], + "related": [], "uuid": "840db1db-e262-4d6f-b6e3-2a64696a41c5", "value": "Shamoon" }, @@ -23665,10 +22557,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "99854cc8-f202-4e03-aa0a-4f8a4af93229", - "type": "similar" } ], "uuid": "278da5e8-4d4c-4c45-ad72-8f078872fb4a", @@ -23681,7 +22569,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5075", + "software_attack_id": "S3100", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" @@ -23715,10 +22603,6 @@ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" - }, - { - "dest-uuid": "1fefb062-feda-484a-8f10-0cebf65e20e3", - "type": "similar" } ], "uuid": "4ed1e83b-a208-5518-bed2-d07c1b289da2", @@ -23731,7 +22615,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5327", + "software_attack_id": "S3142", "source": "Tidal Cyber", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745", @@ -23760,7 +22644,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5275", + "software_attack_id": "S3115", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -23801,7 +22685,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5060", + "software_attack_id": "S3083", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -23827,9 +22711,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5004", + "software_attack_id": "S3013", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -23842,6 +22727,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -23870,10 +22759,6 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" - }, - { - "dest-uuid": "0ba9281c-93fa-4b29-8e9e-7ef918c7b13a", - "type": "similar" } ], "uuid": "564643fd-7113-490e-9f6a-f0cc3f0e1a4c", @@ -23898,10 +22783,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "73c4711b-407a-449d-b269-e3b1531fe7a9", - "type": "similar" } ], "uuid": "f655306f-f7b4-4eec-9bd6-ac75142fcb43", @@ -23914,7 +22795,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5196", + "software_attack_id": "S3317", "source": "Tidal Cyber", "tags": [ "2c0f0b44-9b09-49a0-8dc5-d9fdcc515825", @@ -23936,7 +22817,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5197", + "software_attack_id": "S3318", "source": "Tidal Cyber", "tags": [ "e0b9882e-b9bb-4c16-b3d9-9268866eded0", @@ -23958,7 +22839,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5198", + "software_attack_id": "S3319", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -23988,10 +22869,6 @@ { "dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8", "type": "used-by" - }, - { - "dest-uuid": "5763217a-05b6-4edd-9bca-057e47b5e403", - "type": "similar" } ], "uuid": "a3287231-351f-472f-96cc-24db2e3829c7", @@ -24013,10 +22890,6 @@ { "dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8", "type": "used-by" - }, - { - "dest-uuid": "115f88dd-0618-4389-83cb-98d33ae81848", - "type": "similar" } ], "uuid": "77d9c948-93e3-4e12-9764-4da7570d9275", @@ -24035,10 +22908,6 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" - }, - { - "dest-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", - "type": "similar" } ], "uuid": "3db0b464-ec5d-4cdd-86c2-62eac9c8acd6", @@ -24060,10 +22929,6 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" - }, - { - "dest-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "type": "similar" } ], "uuid": "49351818-579e-4298-9137-03b3dc699e22", @@ -24082,10 +22947,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8", - "type": "similar" } ], "uuid": "5b2d82a6-ed96-485d-bca9-2320590de890", @@ -24100,6 +22961,7 @@ "software_attack_id": "S0589", "source": "MITRE", "tags": [ + "a95bb8df-9089-4cea-9810-be32b99c3c5d", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ @@ -24110,10 +22972,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "979adb5a-dc30-48f0-9e3d-9a26d866928c", - "type": "similar" } ], "uuid": "ea0a1282-f2bf-4ae0-a19c-d7e379c2309b", @@ -24138,10 +22996,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "df4cd566-ff2f-4d08-976d-8c86e95782de", - "type": "similar" } ], "uuid": "61227a76-d315-4339-803a-e024f96e089e", @@ -24159,12 +23013,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "1244e058-fa10-48cb-b484-0bcf671107ae", - "type": "similar" - } - ], + "related": [], "uuid": "4765999f-c35e-4a9f-8284-9f10a17e6c34", "value": "SILENTTRINITY" }, @@ -24184,12 +23033,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4fbd565b-bf55-4ac7-80b4-b183a7b64b9c", - "type": "similar" - } - ], + "related": [], "uuid": "8ea75674-cc08-40cf-824c-40eb5cd6097e", "value": "Siloscape" }, @@ -24209,10 +23053,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", - "type": "similar" } ], "uuid": "206453a4-a298-4cab-9fdf-f136a4e0c761", @@ -24230,12 +23070,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4b68b5ea-2e1b-4225-845b-8632f702b9a0", - "type": "similar" - } - ], + "related": [], "uuid": "cc91d3d4-bbf5-4a9c-b43a-2ba034db4858", "value": "Skidmap" }, @@ -24256,10 +23091,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "d1008b78-960c-4b36-bdc4-39a734e1e4e3", - "type": "similar" } ], "uuid": "c8fed4fc-5721-5db2-b107-b2a9b677244e", @@ -24276,6 +23107,10 @@ "software_attack_id": "S0633", "source": "MITRE", "tags": [ + "0fa3a7df-9e1e-4540-996e-590715e8314a", + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", + "15787198-6c8b-4f79-bf50-258d55072fee", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], "type": [ @@ -24283,6 +23118,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" @@ -24290,10 +23129,6 @@ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" - }, - { - "dest-uuid": "11f8d7eb-1927-4806-9267-3a11d4d4d6be", - "type": "similar" } ], "uuid": "bbd16b7b-7e35-4a11-86ff-9b19e17bdab3", @@ -24311,12 +23146,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "feb2d7bb-aacb-48df-ad04-ccf41a30cd90", - "type": "similar" - } - ], + "related": [], "uuid": "563c6534-497e-4d65-828c-420d5bb2041a", "value": "SLOTHFULMEDIA" }, @@ -24336,10 +23166,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", - "type": "similar" } ], "uuid": "7c047a54-93cf-4dfc-ab20-d905791aebb2", @@ -24361,10 +23187,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4", - "type": "similar" } ], "uuid": "37e264a6-5ad3-5a79-bf2c-db725622206e", @@ -24389,10 +23211,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "ff41b9b6-4c1d-407b-a7e2-835109c8dbc5", - "type": "similar" } ], "uuid": "c58028b9-2e79-4bc9-9b04-d24ea4dd4948", @@ -24413,12 +23231,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "7e0f8b0f-716e-494d-827e-310bd6ed709e", - "type": "similar" - } - ], + "related": [], "uuid": "9ae4154d-ee48-4aeb-b76f-6e40dbe18ff3", "value": "SMOKEDHAM" }, @@ -24448,10 +23261,6 @@ { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" - }, - { - "dest-uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0", - "type": "similar" } ], "uuid": "2244253f-a4ad-4ea9-a4bf-fa2f4d895853", @@ -24473,10 +23282,6 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" - }, - { - "dest-uuid": "4327aff5-f194-440c-b499-4d9730cc1eab", - "type": "similar" } ], "uuid": "f587dc27-92be-5894-a4a8-d6c8bbcf8ede", @@ -24498,10 +23303,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "type": "similar" } ], "uuid": "d6c24f7c-fe79-4094-8f3c-68c4446ae4c7", @@ -24526,10 +23327,6 @@ { "dest-uuid": "0898e7cb-118e-5eeb-b856-04e56ed18182", "type": "used-by" - }, - { - "dest-uuid": "5911d2ca-64f6-49b3-b94f-29b5d185085c", - "type": "similar" } ], "uuid": "ab84f259-9b9a-51d8-a68a-2bcd7512d760", @@ -24547,12 +23344,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94", - "type": "similar" - } - ], + "related": [], "uuid": "c1906bb6-0b5b-4916-8b29-37f7e272f6b3", "value": "Socksbot" }, @@ -24575,10 +23367,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "94d6d788-07bb-4dcc-b62f-e02626b00108", - "type": "similar" } ], "uuid": "6ecd970c-427b-4421-a831-69f46047d22a", @@ -24593,7 +23381,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5305", + "software_attack_id": "S3071", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -24620,7 +23408,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5008", + "software_attack_id": "S3045", "source": "Tidal Cyber", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", @@ -24682,6 +23470,33 @@ "uuid": "4272447f-8803-4947-b66f-051eecdd3385", "value": "SoftPerfect Network Scanner" }, + { + "description": "A backdoor capability associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3161", + "source": "Tidal Cyber", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "07a94239-bdde-42e7-ba9c-a1d0c81e0c3b", + "value": "Solar" + }, { "description": "[SombRAT](https://app.tidalcyber.com/software/0ec24158-d5d7-4d2e-b5a5-bc862328a317) is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including [FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c) ransomware.[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)][[FireEye FiveHands April 2021](https://app.tidalcyber.com/references/832aeb46-b248-43e8-9157-a2f56bcd1806)][[CISA AR21-126A FIVEHANDS May 2021](https://app.tidalcyber.com/references/f98604dd-2881-4024-8e43-6f5f48c6c9fa)]", "meta": { @@ -24697,12 +23512,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "425771c5-48b4-4ecd-9f95-74ed3fc9da59", - "type": "similar" - } - ], + "related": [], "uuid": "0ec24158-d5d7-4d2e-b5a5-bc862328a317", "value": "SombRAT" }, @@ -24725,10 +23535,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "e33e4603-afab-402d-b2a1-248d435b5fe0", - "type": "similar" } ], "uuid": "3e959586-14ff-407b-a0d0-4e9580546f3f", @@ -24750,10 +23556,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "type": "similar" } ], "uuid": "069538a5-3cb8-4eb4-9fbb-83867bb4d826", @@ -24775,10 +23577,6 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" - }, - { - "dest-uuid": "8b880b41-5139-4807-baa9-309690218719", - "type": "similar" } ], "uuid": "0f8d0a73-9cd3-475a-b31b-d457278c921a", @@ -24803,10 +23601,6 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" - }, - { - "dest-uuid": "03ea629c-517a-41e3-94f8-c7e5368cf8f4", - "type": "similar" } ], "uuid": "93f8c180-6794-4e9c-b716-6b31f42eb72d", @@ -24825,15 +23619,37 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d", - "type": "similar" - } - ], + "related": [], "uuid": "b9b67878-4eb1-4a0b-9b36-a798881ed566", "value": "SpeakUp" }, + { + "description": "Spearal is a .NET-based backdoor malware linked to the OilRig Iranian espionage group, which uses DNS tunneling for command and control communication.[[Check Point Research September 11 2024](/references/53320d81-4060-4414-b5b8-21d09362bc44)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3183", + "source": "Tidal Cyber", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "25c85bfb-3833-4c57-867a-b7d9ff6c5a40", + "value": "Spearal" + }, { "description": "SpectralBlur is a malware targeting macOS systems that has backdoor functionality. Researchers have linked the malware to \"TA444/Bluenoroff\" actors.[[Objective_See 1 4 2024](/references/c96535be-4859-4ae3-9ba0-d482f1195863)]", "meta": { @@ -24841,7 +23657,7 @@ "platforms": [ "macOS" ], - "software_attack_id": "S5311", + "software_attack_id": "S3124", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -24868,7 +23684,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5055", + "software_attack_id": "S3078", "source": "Tidal Cyber", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", @@ -24907,10 +23723,6 @@ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" - }, - { - "dest-uuid": "599cd7b5-37b5-4cdd-8174-2811531ce9d0", - "type": "similar" } ], "uuid": "2be9e22d-0af8-46f5-b30e-b3712ccf716d", @@ -24923,7 +23735,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5009", + "software_attack_id": "S3046", "source": "Tidal Cyber", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", @@ -24986,7 +23798,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5322", + "software_attack_id": "S3137", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -25026,10 +23838,6 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" - }, - { - "dest-uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", - "type": "similar" } ], "uuid": "0fdabff3-d996-493c-af67-f3ac02e4b00b", @@ -25042,7 +23850,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5235", + "software_attack_id": "S3356", "source": "Tidal Cyber", "tags": [ "e992169d-832d-44e9-8218-0f4ab0ff72b4", @@ -25074,10 +23882,6 @@ { "dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa", "type": "used-by" - }, - { - "dest-uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555", - "type": "similar" } ], "uuid": "96c224a6-6ca4-4ac1-9990-d863ec5a317a", @@ -25090,7 +23894,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5236", + "software_attack_id": "S3357", "source": "Tidal Cyber", "tags": [ "da7e88fd-2d71-4928-81ce-e3d455b3d418", @@ -25121,10 +23925,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", - "type": "similar" } ], "uuid": "612f780a-239a-4bd0-a29f-63beadf3ed22", @@ -25137,7 +23937,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5237", + "software_attack_id": "S3358", "source": "Tidal Cyber", "tags": [ "f4867256-402a-4bcb-97d3-e071ee0993c1", @@ -25159,7 +23959,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5238", + "software_attack_id": "S3359", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -25188,12 +23988,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "3c18ad16-9eaf-4649-984e-68551bff0d47", - "type": "similar" - } - ], + "related": [], "uuid": "46943a69-0b19-4d3a-b2a3-1302e85239a3", "value": "Squirrelwaffle" }, @@ -25204,7 +23999,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5164", + "software_attack_id": "S3285", "source": "Tidal Cyber", "tags": [ "6070668f-1cbd-4878-8066-c636d1d8659c", @@ -25237,10 +24032,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "type": "similar" } ], "uuid": "3334a124-3e74-4a90-8ed1-55eea3274b19", @@ -25262,10 +24053,6 @@ { "dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577", "type": "used-by" - }, - { - "dest-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", - "type": "similar" } ], "uuid": "fc18e220-2200-4d70-a426-0700ba14c4c0", @@ -25290,10 +24077,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "e355fc84-6f3c-4888-8e0a-d7fa9c378532", - "type": "similar" } ], "uuid": "764c6121-2d15-4a10-ac53-b1c431dc8b47", @@ -25311,12 +24094,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "ca0fead6-5277-427a-825b-42ff1fbe476e", - "type": "similar" - } - ], + "related": [], "uuid": "ea561f0b-b891-5735-aa99-97cc8818fbef", "value": "STEADYPULSE" }, @@ -25327,7 +24105,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5298", + "software_attack_id": "S3060", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -25349,7 +24127,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5296", + "software_attack_id": "S3019", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -25388,10 +24166,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887", - "type": "similar" } ], "uuid": "9eee52a2-5ac1-4561-826c-23ec7fbc7876", @@ -25404,7 +24178,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5337", + "software_attack_id": "S3152", "source": "Tidal Cyber", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635", @@ -25426,7 +24200,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5165", + "software_attack_id": "S3286", "source": "Tidal Cyber", "tags": [ "f0e3d6ea-d7ea-4d73-b868-1076fac744a8", @@ -25457,10 +24231,6 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" - }, - { - "dest-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "type": "similar" } ], "uuid": "502b490c-2067-40a4-8f73-7245d7910851", @@ -25485,10 +24255,6 @@ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" - }, - { - "dest-uuid": "fb78294a-7d7a-4d38-8ad0-92e67fddc9f0", - "type": "similar" } ], "uuid": "dd8bb0a3-6cb1-412d-adeb-cbaae98462a9", @@ -25510,10 +24276,6 @@ { "dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0", "type": "used-by" - }, - { - "dest-uuid": "20945359-3b39-4542-85ef-08ecb4e1c174", - "type": "similar" } ], "uuid": "ed563524-235e-4e06-8c69-3f9d8ddbfd8a", @@ -25535,12 +24297,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "088f1d6e-0783-47c6-9923-9c79b2af43d4", - "type": "similar" - } - ], + "related": [], "uuid": "3fdf3833-fca9-4414-8d2e-779dabc4ee31", "value": "Stuxnet" }, @@ -25556,12 +24313,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "type": "similar" - } - ], + "related": [], "uuid": "b19b6c38-d38b-46f2-a535-d0bfc5790368", "value": "S-Type" }, @@ -25577,12 +24329,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "9c10cede-c0bb-4c5c-91c0-8baec30abaf6", - "type": "similar" - } - ], + "related": [], "uuid": "6ff7bf2e-286c-4b1b-92a0-1e5322870c59", "value": "SUGARDUMP" }, @@ -25598,12 +24345,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "44e2a842-415b-47f4-8549-83fbdb8a5674", - "type": "similar" - } - ], + "related": [], "uuid": "004c781a-3d7d-446b-9677-a042c8f6566e", "value": "SUGARUSH" }, @@ -25626,10 +24368,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "a8839c95-029f-44cf-8f3d-a3cf2039e927", - "type": "similar" } ], "uuid": "6b04e98e-c541-4958-a8a5-d433e575ce78", @@ -25655,10 +24393,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "bf48e7f8-752c-4ce8-bf8f-748edacd8fa6", - "type": "similar" } ], "uuid": "66966a12-3db3-4e43-a7e8-6c6836ccd8fe", @@ -25676,12 +24410,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b2b0b946-be0a-4a7f-9c32-a2e5211d1cd9", - "type": "similar" - } - ], + "related": [], "uuid": "f02abaee-237b-4891-bb5d-30ca86dfc2c8", "value": "SUPERNOVA" }, @@ -25700,12 +24429,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "7230ded7-3b1a-4d6e-9735-d0ffd47af9f6", - "type": "similar" - } - ], + "related": [], "uuid": "a8110f81-5ee9-5819-91ce-3a57aa330dcb", "value": "SVCReady" }, @@ -25721,12 +24445,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "type": "similar" - } - ], + "related": [], "uuid": "ae749f9c-cf46-42ce-b0b8-f0be8660e3f3", "value": "Sykipot" }, @@ -25746,12 +24465,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "04227b24-7817-4de1-9050-b7b1b57f5866", - "type": "similar" - } - ], + "related": [], "uuid": "19ae8345-745e-4872-8a29-d56c8800d626", "value": "SynAck" }, @@ -25762,7 +24476,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5261", + "software_attack_id": "S3382", "source": "Tidal Cyber", "tags": [ "9e504206-7a84-40a5-b896-8995d82e3586", @@ -25784,7 +24498,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5166", + "software_attack_id": "S3287", "source": "Tidal Cyber", "tags": [ "acda137a-d1c9-4216-9c08-d07c8d899725", @@ -25814,12 +24528,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", - "type": "similar" - } - ], + "related": [], "uuid": "69ab291d-5066-4e47-9862-1f5c7bac7200", "value": "SYNful Knock" }, @@ -25839,10 +24548,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "type": "similar" } ], "uuid": "2df35a92-2295-417a-af5a-ba5c943ef40d", @@ -25863,12 +24568,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "edf5aee2-9b1c-4252-8e64-25b12f14c8b3", - "type": "similar" - } - ], + "related": [], "uuid": "ea556a8d-4959-423f-a2dd-622d0497d484", "value": "SYSCON" }, @@ -25879,7 +24579,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5199", + "software_attack_id": "S3320", "source": "Tidal Cyber", "tags": [ "9105775d-bdcb-45cc-895d-6c7bbb3d30ce", @@ -25901,7 +24601,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5058", + "software_attack_id": "S3081", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -25917,6 +24617,10 @@ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" @@ -25999,10 +24703,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", - "type": "similar" } ], "uuid": "cecea681-a753-47b5-9d77-c10a5b4403ab", @@ -26025,10 +24725,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "c009560a-f097-45a3-8f9f-78ec1440a783", - "type": "similar" } ], "uuid": "148d587c-3b1e-4e71-bdfb-8c37005e7e77", @@ -26046,12 +24742,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "type": "similar" - } - ], + "related": [], "uuid": "c5647cc4-0d46-4a41-8591-9179737747a2", "value": "T9000" }, @@ -26062,7 +24753,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5066", + "software_attack_id": "S3091", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26076,6 +24767,10 @@ ] }, "related": [ + { + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" + }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" @@ -26096,12 +24791,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", - "type": "similar" - } - ], + "related": [], "uuid": "9334df79-9023-44bb-bc28-16c1f07b836b", "value": "Taidoor" }, @@ -26112,7 +24802,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5069", + "software_attack_id": "S3094", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26150,10 +24840,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "7f4bbe05-1674-4087-8a16-8f1ad61b6152", - "type": "similar" } ], "uuid": "1548c94a-fb4d-43d8-9956-ea26f5cc552f", @@ -26171,12 +24857,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b51797f7-57da-4210-b8ac-b8632ee75d70", - "type": "similar" - } - ], + "related": [], "uuid": "b1b7a8d9-6df3-4e89-8622-a6eea3da729b", "value": "TajMahal" }, @@ -26187,7 +24868,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5334", + "software_attack_id": "S3149", "source": "Tidal Cyber", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", @@ -26214,9 +24895,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5167", + "software_attack_id": "S3288", "source": "Tidal Cyber", "tags": [ + "25b4fafc-4691-4008-8baa-35dbbcce752a", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], @@ -26244,10 +24926,6 @@ { "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" - }, - { - "dest-uuid": "988976ff-beeb-4fb5-b07d-ca7437ea66e8", - "type": "similar" } ], "uuid": "7bb9d181-4405-4938-bafb-b13cc98b6cd8", @@ -26319,10 +24997,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "type": "similar" } ], "uuid": "abae8f19-9497-4a71-82b6-ae6edd26ad98", @@ -26337,7 +25011,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5267", + "software_attack_id": "S3108", "source": "Tidal Cyber", "tags": [ "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", @@ -26369,7 +25043,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5044", + "software_attack_id": "S3047", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26389,6 +25063,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -26413,10 +25091,6 @@ { "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "type": "used-by" - }, - { - "dest-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "type": "similar" } ], "uuid": "e7116740-fe7c-45e2-b98d-0c594a7dff2f", @@ -26429,7 +25103,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5239", + "software_attack_id": "S3360", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -26450,7 +25124,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5240", + "software_attack_id": "S3361", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -26471,7 +25145,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5010", + "software_attack_id": "S3048", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26554,10 +25228,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26", - "type": "similar" } ], "uuid": "bae20f59-469c-451c-b4ca-70a9a04a1574", @@ -26570,7 +25240,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5011", + "software_attack_id": "S3051", "source": "Tidal Cyber", "tags": [ "1dc8fd1e-0737-405a-98a1-111dd557f1b5", @@ -26592,7 +25262,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5283", + "software_attack_id": "S3122", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26623,7 +25293,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5241", + "software_attack_id": "S3362", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -26656,10 +25326,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", - "type": "similar" } ], "uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79", @@ -26682,12 +25348,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "727afb95-3d0f-4451-b297-362a43909923", - "type": "similar" - } - ], + "related": [], "uuid": "2ed5f691-68eb-49dd-b730-793dc8a7d134", "value": "ThiefQuest" }, @@ -26707,10 +25368,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "16040b1c-ed28-4850-9d8f-bb8b81c42092", - "type": "similar" } ], "uuid": "b31c7b8e-dbdd-4ad5-802e-dcdc72b7462e", @@ -26723,7 +25380,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5045", + "software_attack_id": "S3049", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26758,7 +25415,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5335", + "software_attack_id": "S3150", "source": "Tidal Cyber", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", @@ -26787,7 +25444,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5015", + "software_attack_id": "S3054", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -26841,10 +25498,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "2a7c1bb7-cd12-456e-810d-ab3bf8457bab", - "type": "similar" } ], "uuid": "39f0371c-b755-4655-a97e-82a572f2fae4", @@ -26866,10 +25519,6 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" - }, - { - "dest-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "type": "similar" } ], "uuid": "0e009cb8-848e-427a-9581-d3a4fd9f6a87", @@ -26891,10 +25540,6 @@ { "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "type": "used-by" - }, - { - "dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "type": "similar" } ], "uuid": "277290fe-51f3-4822-bb46-8b69fd1c8ae5", @@ -26912,12 +25557,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "327b3a25-9e60-4431-b3b6-93b9c64eacbc", - "type": "similar" - } - ], + "related": [], "uuid": "eff417ad-c775-4a95-9f36-a1b5a675ba82", "value": "Tomiris" }, @@ -26970,10 +25610,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", - "type": "similar" } ], "uuid": "8c70d85b-b06d-423c-8bab-ecff18f332d6", @@ -26991,12 +25627,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0715560d-4299-4e84-9e20-6e80ab57e4f2", - "type": "similar" - } - ], + "related": [], "uuid": "4bce135b-91ba-45ae-88f9-09e01f983a74", "value": "Torisma" }, @@ -27007,7 +25638,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5242", + "software_attack_id": "S3363", "source": "Tidal Cyber", "tags": [ "3c9b26cf-9bda-4feb-ab42-ef7865cc80fd", @@ -27041,10 +25672,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "bdad6f3b-de88-42fa-9295-d29b5271808e", - "type": "similar" } ], "uuid": "7a6ae9f8-5f8b-4e94-8716-d8ee82027197", @@ -27077,10 +25704,6 @@ { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" - }, - { - "dest-uuid": "00806466-754d-44ea-ad6f-0caf59cb8556", - "type": "similar" } ], "uuid": "c2bd4213-fc7b-474f-b5a0-28145b07c51d", @@ -27102,10 +25725,6 @@ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" - }, - { - "dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "type": "similar" } ], "uuid": "b88c4891-40da-4832-ba42-6c6acd455bd1", @@ -27123,12 +25742,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", - "type": "similar" - } - ], + "related": [], "uuid": "f8a4213d-633b-4e3d-8e59-a769e852b93b", "value": "Trojan.Mebromi" }, @@ -27139,9 +25753,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5000", + "software_attack_id": "S3005", "source": "Tidal Cyber", "tags": [ + "4e00b987-cd79-4b6a-9afe-c3b291ee2938", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "a98d7a43-f227-478e-81de-e7299639a355", @@ -27185,10 +25800,6 @@ { "dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0", "type": "used-by" - }, - { - "dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", - "type": "similar" } ], "uuid": "50844dba-8999-42ba-ba29-511e3faf4bc3", @@ -27210,10 +25821,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "76ac7989-c5cc-42e2-93e3-d6c476f01ace", - "type": "similar" } ], "uuid": "9872ab5a-c76e-4404-91f9-5b745722443b", @@ -27228,7 +25835,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5268", + "software_attack_id": "S3109", "source": "Tidal Cyber", "tags": [ "e1be4b53-7524-4e88-bf6d-358cfdf96772", @@ -27251,7 +25858,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5168", + "software_attack_id": "S3289", "source": "Tidal Cyber", "tags": [ "fc67aea7-f207-4cf5-8413-e33c76538cf6", @@ -27273,7 +25880,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5169", + "software_attack_id": "S3290", "source": "Tidal Cyber", "tags": [ "3c4e3160-4e82-49ce-b6a3-17879dd4b83c", @@ -27305,10 +25912,6 @@ { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" - }, - { - "dest-uuid": "350f12cf-fd3b-4dad-b323-14b943090df4", - "type": "similar" } ], "uuid": "571a45a7-68c9-452c-99bf-1d5b5fdd08b3", @@ -27322,6 +25925,9 @@ ], "software_attack_id": "S0199", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] @@ -27330,10 +25936,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", - "type": "similar" } ], "uuid": "c7f10715-cf13-4360-8511-aa3f93dd7688", @@ -27358,10 +25960,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", - "type": "similar" } ], "uuid": "6c93d3c4-cae5-48a9-948d-bc5264230316", @@ -27373,6 +25971,7 @@ "software_attack_id": "S0116", "source": "MITRE", "tags": [ + "8450b5c7-acf1-41df-afc2-5c20e12436c0", "7de7d799-f836-4555-97a4-0db776eb6932", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], @@ -27380,12 +25979,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507", - "type": "similar" - } - ], + "related": [], "uuid": "5788edee-d1b7-4406-9122-bee596362236", "value": "UACMe" }, @@ -27401,12 +25995,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f", - "type": "similar" - } - ], + "related": [], "uuid": "5214ae01-ccd5-4e97-8f9c-14eb16e75544", "value": "UBoatRAT" }, @@ -27422,12 +26011,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "3d8e547d-9456-4f32-a895-dc86134e282f", - "type": "similar" - } - ], + "related": [], "uuid": "227c12df-8126-4e79-b9bd-0e4633fa12fa", "value": "Umbreon" }, @@ -27438,7 +26022,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5276", + "software_attack_id": "S3116", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -27477,10 +26061,6 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" - }, - { - "dest-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "type": "similar" } ], "uuid": "846b3762-3949-4501-b781-6dca22db088f", @@ -27493,7 +26073,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5170", + "software_attack_id": "S3291", "source": "Tidal Cyber", "tags": [ "40f11d0d-09f2-4bd1-bc79-1430464a52a7", @@ -27515,7 +26095,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5243", + "software_attack_id": "S3364", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -27545,10 +26125,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", - "type": "similar" } ], "uuid": "a3c211f8-52aa-4bfd-8382-940f2194af28", @@ -27561,7 +26137,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5200", + "software_attack_id": "S3321", "source": "Tidal Cyber", "tags": [ "34505028-b7d8-4da4-8dee-9926f3dbd37a", @@ -27597,10 +26173,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", - "type": "similar" } ], "uuid": "89ffc27c-b81f-473a-87d6-907cacdce61c", @@ -27615,6 +26187,7 @@ "software_attack_id": "S0386", "source": "MITRE", "tags": [ + "88f27876-7be0-413b-8d91-5fa031d469fb", "15787198-6c8b-4f79-bf50-258d55072fee", "4d767e87-4cf6-438a-927a-43d2d0beaab7", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" @@ -27639,10 +26212,6 @@ { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" - }, - { - "dest-uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407", - "type": "similar" } ], "uuid": "3e501609-87e4-4c47-bd88-5054be0f1037", @@ -27664,10 +26233,6 @@ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" - }, - { - "dest-uuid": "75bba379-4ba1-467e-8c60-ec2b269ee984", - "type": "similar" } ], "uuid": "26d93db8-dbc3-44b5-a393-2b219cef4f5b", @@ -27692,10 +26257,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "type": "similar" } ], "uuid": "50eab018-8d52-46f5-8252-95942c2c0a89", @@ -27708,7 +26269,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5262", + "software_attack_id": "S3383", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -27741,10 +26302,6 @@ { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" - }, - { - "dest-uuid": "ade37ada-14af-4b44-b36c-210eec255d53", - "type": "similar" } ], "uuid": "b149f12f-3cf4-4547-841d-c63b7677547d", @@ -27769,10 +26326,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "96eca9b9-b37f-42f1-96dc-a2c441403194", - "type": "similar" } ], "uuid": "63940761-8dea-4362-8795-7bc0653ce1d4", @@ -27794,10 +26347,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", - "type": "similar" } ], "uuid": "fe116518-cd0c-4b10-8190-4f57208df4e4", @@ -27810,7 +26359,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5171", + "software_attack_id": "S3292", "source": "Tidal Cyber", "tags": [ "bc6f5172-90af-491e-817d-2eaa522f93af", @@ -27841,15 +26390,39 @@ { "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "type": "used-by" - }, - { - "dest-uuid": "8caa18af-4758-4fd3-9600-e8af579e89ed", - "type": "similar" } ], "uuid": "150b6079-bb10-48a8-b570-fbe8b0e3287c", "value": "VBShower" }, + { + "description": "Veaty is a .NET-based backdoor malware linked to the OilRig Iranian espionage group, which uses emails for command and control communication.[[Check Point Research September 11 2024](/references/53320d81-4060-4414-b5b8-21d09362bc44)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3182", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "36c06aee-5574-4094-a579-8ec7c9929040", + "value": "Veaty" + }, { "description": "A prominent ransomware family.[[HC3 Analyst Note Venus Ransomware November 2022](/references/bd6e6a59-3a73-48f6-84cd-e7c027c8671f)]", "meta": { @@ -27857,9 +26430,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5293", + "software_attack_id": "S3014", "source": "Tidal Cyber", "tags": [ + "537bb659-7c9b-4354-b1da-03989ce412c8", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -27881,7 +26455,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5172", + "software_attack_id": "S3293", "source": "Tidal Cyber", "tags": [ "4e91036d-809b-4eae-8a09-86bdc6cd1f0e", @@ -27908,12 +26482,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5189f018-fea2-45d7-b0ed-23f9ee0a46f3", - "type": "similar" - } - ], + "related": [], "uuid": "afa4023f-aa2e-45d6-bb3c-38e61f876eac", "value": "VERMIN" }, @@ -27924,9 +26493,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5071", + "software_attack_id": "S3096", "source": "Tidal Cyber", "tags": [ + "26028765-3b6d-419c-92b5-5fbe345a26d1", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", "15787198-6c8b-4f79-bf50-258d55072fee", @@ -27952,7 +26522,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5246", + "software_attack_id": "S3367", "source": "Tidal Cyber", "tags": [ "5e096dac-47b7-4657-a57b-752ef7da0263", @@ -27967,6 +26537,30 @@ "uuid": "acfbcd12-25fd-41cd-83ef-c7af7cb59fff", "value": "VisualUiaVerifyNative" }, + { + "description": "According to Proofpoint researchers, Voldemort is a custom backdoor malware written in C. It has the ability to collect victim system information and to drop additional payloads.[[Proofpoint August 29 2024](/references/548f23b2-3ab6-4ea0-839f-8f9c8745d91d)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3163", + "source": "Tidal Cyber", + "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", + "82009876-294a-4e06-8cfc-3236a429bda4", + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "e1dcbb6c-00ef-46f1-9da2-44b43b533256", + "value": "Voldemort" + }, { "description": "[Volgmer](https://app.tidalcyber.com/software/7fcfba45-5752-4f0c-8023-db67729ae34e) is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. [[US-CERT Volgmer Nov 2017](https://app.tidalcyber.com/references/c48c7ac0-8d55-4b62-9606-a9ce420459b6)]", "meta": { @@ -27983,10 +26577,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "type": "similar" } ], "uuid": "7fcfba45-5752-4f0c-8023-db67729ae34e", @@ -27999,7 +26589,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5244", + "software_attack_id": "S3365", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -28020,7 +26610,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5247", + "software_attack_id": "S3368", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -28041,7 +26631,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5245", + "software_attack_id": "S3366", "source": "Tidal Cyber", "tags": [ "0bf195a2-c577-4317-973e-a72dde5a06e6", @@ -28063,7 +26653,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5248", + "software_attack_id": "S3369", "source": "Tidal Cyber", "tags": [ "71bc284c-bfce-4191-80e0-ef70ff4315bf", @@ -28085,7 +26675,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5253", + "software_attack_id": "S3374", "source": "Tidal Cyber", "tags": [ "375cb8ad-2b6a-49b7-8eb3-757aaaf72d8b", @@ -28107,7 +26697,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5301", + "software_attack_id": "S3063", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -28134,7 +26724,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5254", + "software_attack_id": "S3375", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -28155,7 +26745,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5173", + "software_attack_id": "S3294", "source": "Tidal Cyber", "tags": [ "a53c9f4b-6f0d-4afa-b1ac-8e2d91279210", @@ -28196,10 +26786,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", - "type": "similar" } ], "uuid": "6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a", @@ -28217,12 +26803,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a5818d36-e9b0-46da-842d-b727a5e36ea6", - "type": "similar" - } - ], + "related": [], "uuid": "9a592b49-1701-5e4c-95cf-9b8c98b80527", "value": "WARPWIRE" }, @@ -28235,6 +26816,7 @@ "software_attack_id": "S0670", "source": "MITRE", "tags": [ + "b10ffa34-c6ef-4473-b951-9a05dacf68b5", "15787198-6c8b-4f79-bf50-258d55072fee" ], "type": [ @@ -28257,10 +26839,6 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" - }, - { - "dest-uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b", - "type": "similar" } ], "uuid": "cfebe868-15cb-4be5-b7ed-38b52f2a0722", @@ -28286,10 +26864,6 @@ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" - }, - { - "dest-uuid": "46cbafbc-8907-42d3-9002-5327c26f8927", - "type": "similar" } ], "uuid": "0ba6ee8d-2b29-4980-8e55-348ea05f00ad", @@ -28311,10 +26885,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "f3f1fbed-7e29-49cb-8579-4a378f858deb", - "type": "similar" } ], "uuid": "56872a5b-dc01-455c-85d5-06c577abb030", @@ -28339,10 +26909,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "1d808f62-cf63-4063-9727-ff6132514c22", - "type": "similar" } ], "uuid": "f228af8f-8938-4836-9461-c6ca220ed7c5", @@ -28367,10 +26933,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "959f3b19-2dc8-48d5-8942-c66813a5101a", - "type": "similar" } ], "uuid": "b936a1b3-5493-4d6c-9b69-29addeace418", @@ -28396,10 +26958,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "3a4197ae-ec63-4162-907b-9a073d1157e4", - "type": "similar" } ], "uuid": "20725ec7-ee35-44cf-bed6-91158aa03ce4", @@ -28452,10 +27010,6 @@ { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" - }, - { - "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a", - "type": "similar" } ], "uuid": "2bcbcea6-192a-4501-aab1-1edde53875fa", @@ -28468,7 +27022,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5249", + "software_attack_id": "S3370", "source": "Tidal Cyber", "tags": [ "be621f15-1788-490f-b8bb-85511a5a8074", @@ -28492,6 +27046,13 @@ "software_attack_id": "S0689", "source": "MITRE", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "768c90a8-21b2-403b-8ddc-28181bca7aca", "2e621fc5-dea4-4cb9-987e-305845986cd3" ], "type": [ @@ -28502,10 +27063,6 @@ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" - }, - { - "dest-uuid": "49fee0b0-390e-4bde-97f8-97ed46bd19b7", - "type": "similar" } ], "uuid": "791f0afd-c2c4-4e23-8aee-1d14462667f5", @@ -28527,10 +27084,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "039814a0-88de-46c5-a4fb-b293db21880a", - "type": "similar" } ], "uuid": "7b393608-c141-48af-ae3d-3eff13c3e01c", @@ -28579,10 +27132,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", - "type": "similar" } ], "uuid": "7c2c44d7-b307-4e13-b181-52352975a6f5", @@ -28601,10 +27150,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "type": "similar" } ], "uuid": "ed50dcf7-e283-451e-95b1-a8485f8dd214", @@ -28626,10 +27171,6 @@ { "dest-uuid": "4e880d01-313a-4926-8470-78c48824aa82", "type": "used-by" - }, - { - "dest-uuid": "0d1f9f5b-11ea-42c3-b5f4-63cce0122541", - "type": "similar" } ], "uuid": "3afe711d-ed58-4c94-a9b6-9c847e1e8a2f", @@ -28648,10 +27189,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", - "type": "similar" } ], "uuid": "5f994df7-55b0-4383-8ebc-506d4987292a", @@ -28678,10 +27215,6 @@ { "dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e", "type": "used-by" - }, - { - "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", - "type": "similar" } ], "uuid": "65d5b524-0e84-417d-9884-e2c501abfacd", @@ -28703,10 +27236,6 @@ { "dest-uuid": "3a660ef3-9954-4252-8946-f903f3f42d0c", "type": "used-by" - }, - { - "dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "type": "similar" } ], "uuid": "3e70078f-407e-4b03-b604-bdc05b372f37", @@ -28719,7 +27248,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5174", + "software_attack_id": "S3295", "source": "Tidal Cyber", "tags": [ "61f778ca-b2f1-4877-b0f5-fd5e87b6ddab", @@ -28750,10 +27279,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "type": "similar" } ], "uuid": "e10423c2-71a7-4878-96ba-343191136c19", @@ -28779,10 +27304,6 @@ { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" - }, - { - "dest-uuid": "8787e86d-8475-4f13-acea-d33eb83b6105", - "type": "similar" } ], "uuid": "e384e711-0796-4cbc-8854-8c3f939faf57", @@ -28804,10 +27325,6 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" - }, - { - "dest-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", - "type": "similar" } ], "uuid": "245c216e-41c3-4dec-8b23-bfc7c6a46d6e", @@ -28820,7 +27337,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5081", + "software_attack_id": "S3105", "source": "Tidal Cyber", "tags": [ "af5e9be5-b86e-47af-91dd-966a5e34a186", @@ -28869,7 +27386,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5263", + "software_attack_id": "S3384", "source": "Tidal Cyber", "tags": [ "2eecd309-e75d-4f7b-8f6f-e11213f48b12", @@ -28891,7 +27408,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5046", + "software_attack_id": "S3050", "source": "Tidal Cyber", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", @@ -28923,6 +27440,10 @@ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" @@ -28970,7 +27491,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5250", + "software_attack_id": "S3371", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -29003,12 +27524,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", - "type": "similar" - } - ], + "related": [], "uuid": "627e05c2-c02e-433e-9288-c2d78bce156f", "value": "Wiper" }, @@ -29024,12 +27540,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c93e3079-43fb-4d8d-9e99-db63d07eadc9", - "type": "similar" - } - ], + "related": [], "uuid": "93b02819-8acc-5d7d-ad11-abb33f9309cc", "value": "WIREFIRE" }, @@ -29042,7 +27553,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5269", + "software_attack_id": "S3110", "source": "Tidal Cyber", "tags": [ "dbe18a6a-c8f9-451e-837e-5a7f25dcf913", @@ -29065,7 +27576,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5175", + "software_attack_id": "S3296", "source": "Tidal Cyber", "tags": [ "ebf92004-6e43-434c-8380-3671cf3640a2", @@ -29087,7 +27598,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5176", + "software_attack_id": "S3297", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -29156,12 +27667,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "3bc7e862-5610-4c02-9c48-15b2e2dc1ddb", - "type": "similar" - } - ], + "related": [], "uuid": "1f374a54-c839-5139-b755-555c66a21c12", "value": "Woody RAT" }, @@ -29172,7 +27678,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5177", + "software_attack_id": "S3298", "source": "Tidal Cyber", "tags": [ "b5581207-a45f-4f7f-b637-14444d716ad1", @@ -29194,7 +27700,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5178", + "software_attack_id": "S3299", "source": "Tidal Cyber", "tags": [ "b4520b56-73e3-43fd-9f0d-70191132b451", @@ -29225,7 +27731,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5251", + "software_attack_id": "S3372", "source": "Tidal Cyber", "tags": [ "96ebb518-7c1f-4011-a3ec-42aa78a95e4f", @@ -29247,7 +27753,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5179", + "software_attack_id": "S3300", "source": "Tidal Cyber", "tags": [ "291fab5d-e732-4b19-83e4-ee642b2ae0f0", @@ -29269,7 +27775,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5184", + "software_attack_id": "S3305", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -29290,7 +27796,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5180", + "software_attack_id": "S3301", "source": "Tidal Cyber", "tags": [ "03f0e493-63ae-47b5-8353-238390a895a8", @@ -29326,10 +27832,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "type": "similar" } ], "uuid": "6f411b69-6643-4cc7-9cbd-e15d9219e99c", @@ -29348,12 +27850,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c", - "type": "similar" - } - ], + "related": [], "uuid": "ab442140-0761-4227-bd9e-151da5d0a04f", "value": "Xbash" }, @@ -29373,10 +27870,6 @@ { "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d", "type": "used-by" - }, - { - "dest-uuid": "21583311-6321-4891-8a37-3eb4e57b0fb1", - "type": "similar" } ], "uuid": "11a0dff4-1dc8-4553-8a38-90a07b01bfcd", @@ -29395,10 +27888,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", - "type": "similar" } ], "uuid": "d943d3d9-3a99-464f-94f0-95aa7963d858", @@ -29411,7 +27900,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5019", + "software_attack_id": "S3058", "source": "Tidal Cyber", "tags": [ "758c3085-2f79-40a8-ab95-f8a684737927", @@ -29455,12 +27944,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "e14085cb-0e8d-4be6-92ba-e3b93ee5978f", - "type": "similar" - } - ], + "related": [], "uuid": "3672ecfa-20bf-4d69-948d-876be343563f", "value": "XCSSET" }, @@ -29471,7 +27955,7 @@ "platforms": [ "macOS" ], - "software_attack_id": "S5317", + "software_attack_id": "S3130", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -29492,9 +27976,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5064", + "software_attack_id": "S3089", "source": "Tidal Cyber", "tags": [ + "2a54c431-2075-4ed5-a691-fa452c11dd13", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee", "291c006e-f77a-4c9c-ae7e-084974c0e1eb", @@ -29526,7 +28011,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5048", + "software_attack_id": "S3072", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", @@ -29556,10 +28041,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "type": "similar" } ], "uuid": "133136f0-7254-4cec-8710-0ab99d5da4e5", @@ -29572,7 +28053,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5181", + "software_attack_id": "S3302", "source": "Tidal Cyber", "tags": [ "c37d2f5f-91da-43c6-869e-192bf0e0ae90", @@ -29594,7 +28075,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5290", + "software_attack_id": "S3006", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -29630,10 +28111,6 @@ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" - }, - { - "dest-uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3", - "type": "similar" } ], "uuid": "0844bc42-5c29-47c3-b1b3-6bfffbf1732a", @@ -29646,7 +28123,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5323", + "software_attack_id": "S3138", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -29681,12 +28158,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0817aaf2-afea-4c32-9285-4dcd1df5bf14", - "type": "similar" - } - ], + "related": [], "uuid": "e0962ff7-5524-4683-9b95-0e4ba07dccb2", "value": "yty" }, @@ -29709,15 +28181,40 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", - "type": "similar" } ], "uuid": "e317b8a6-1722-4017-be33-717a5a93ef1c", "value": "Zebrocy" }, + { + "description": "Zeppelin is a ransomware derived from the Vega family of Delphi-based malware. Used from 2019 through at least June 2022, Zeppelin was distributed as ransomware-as-a-service (\"RaaS\").[[U.S. CISA Zeppelin Ransomware August 11 2022](/references/42d98de2-8c9a-4cc4-b5a1-9778c0da3286)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3185", + "source": "Tidal Cyber", + "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + } + ], + "uuid": "e8820bf1-1e70-469c-a93b-770c1f23b058", + "value": "Zeppelin Ransomware" + }, { "description": "[Zeroaccess](https://app.tidalcyber.com/software/2f52b513-5293-4833-9c4d-b120e7a84341) is a kernel-mode [Rootkit](https://app.tidalcyber.com/technique/cf2b56f6-3ebd-48ec-b9d9-835397acef89) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. [[Sophos ZeroAccess](https://app.tidalcyber.com/references/41b51767-62f1-45c2-98cb-47c44c975a58)]", "meta": { @@ -29727,12 +28224,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "552462b9-ae79-49dd-855c-5973014e157f", - "type": "similar" - } - ], + "related": [], "uuid": "2f52b513-5293-4833-9c4d-b120e7a84341", "value": "Zeroaccess" }, @@ -29755,10 +28247,6 @@ { "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" - }, - { - "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", - "type": "similar" } ], "uuid": "f51df90e-ea1b-4eeb-9aff-ec5abf4a5dfd", @@ -29779,12 +28267,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "198db886-47af-4f4c-bff5-11b891f85946", - "type": "similar" - } - ], + "related": [], "uuid": "be8add13-40d7-495e-91eb-258d3a4711bc", "value": "Zeus Panda" }, @@ -29795,7 +28278,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5201", + "software_attack_id": "S3322", "source": "Tidal Cyber", "tags": [ "0d0098b4-e159-4502-973d-714011ba605f", @@ -29822,12 +28305,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "d9765cbd-4c88-4805-ba98-4c6ccb56b864", - "type": "similar" - } - ], + "related": [], "uuid": "976a7797-3008-5316-9e28-19c9a05959d0", "value": "ZIPLINE" }, @@ -29843,12 +28321,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "type": "similar" - } - ], + "related": [], "uuid": "1ac8d363-2903-43da-9c1d-2b28179638c8", "value": "ZLib" }, @@ -29859,7 +28332,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5312", + "software_attack_id": "S3125", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -29896,10 +28369,6 @@ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" - }, - { - "dest-uuid": "fb28627c-d6ea-4c35-b138-ab5e96ae5445", - "type": "similar" } ], "uuid": "75dd9acb-fcff-4b0b-b45b-f943fb589d78", @@ -29920,12 +28389,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "54e8672d-5338-4ad1-954a-a7c986bee530", - "type": "similar" - } - ], + "related": [], "uuid": "49314d4e-dc04-456f-918e-a3bedfc3192a", "value": "zwShell" }, @@ -29960,10 +28424,6 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" - }, - { - "dest-uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", - "type": "similar" } ], "uuid": "eea89ff2-036d-4fa6-bbed-f89502c62318", @@ -29985,10 +28445,6 @@ { "dest-uuid": "3a02aa1b-851a-43e1-b83b-58037f3c7025", "type": "used-by" - }, - { - "dest-uuid": "97cfbdc6-504d-41e9-a46c-78a9f806ff0d", - "type": "similar" } ], "uuid": "91e1ee26-d6ae-4203-a466-93c9e5019b47", From 52d06097ebfb84771398c14a1cc02772f2e3bb8f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 3 Oct 2024 14:46:19 +0200 Subject: [PATCH 24/42] chg: [threat-actor] version updated --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 498caf6c..34844edf 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16920,5 +16920,5 @@ "value": "UNC1860" } ], - "version": 315 + "version": 316 } From d6ade514bc86e4dca450e936b766a8402ae2f564 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:02 -0700 Subject: [PATCH 25/42] [threat-actors] Add SkidSec --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 34844edf..dab0b0e7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16918,6 +16918,20 @@ }, "uuid": "80a874d5-0645-4245-aeb6-9b33a8689928", "value": "UNC1860" + }, + { + "description": "SkidSec is a threat group that has engaged in operations targeting exposed printers in South Korea to disseminate North Korean propaganda, utilizing techniques such as printer exploitation and social engineering for evidence collection. The group has also experienced a leadership change following the loss of their leader, Govadmin, while continuing to mobilize their followers for various missions. They have humorously solicited financial support for their activities, framing it as a means to support their cause. Additionally, they have been noted for their potential to leak sensitive information from compromised devices.", + "meta": { + "refs": [ + "https://socradar.io/dark-peep-7-shadows-of-betrayal-and-leadership-in-flux/", + "https://medium.com/@criminalip/skidsec-hacker-group-announces-plans-to-spread-north-korean-propaganda-through-hacked-printers-in-fdd314178dc4" + ], + "synonyms": [ + "SkidSec Leaks" + ] + }, + "uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb", + "value": "SkidSec" } ], "version": 316 From dfe6e6dfabc46068929494c23c02105ace990cdc Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:02 -0700 Subject: [PATCH 26/42] [threat-actors] Add Awaken Likho --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index dab0b0e7..78ed7f8c 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16932,6 +16932,20 @@ }, "uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb", "value": "SkidSec" + }, + { + "description": "Awaken Likho is an APT group that has targeted Russian government agencies and industrial enterprises, employing techniques such as information gathering via search engines and using MeshCentral for remote access. The group has been active since at least December 2021 and has ramped up its activities following the Russo-Ukrainian conflict. Recent reports indicate that they are focusing on espionage against critical infrastructure in the defense and energy sectors. Analysis of their malware reveals a new version that is still in development, suggesting ongoing operational capabilities.", + "meta": { + "refs": [ + "https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/", + "https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/" + ], + "synonyms": [ + "Core Werewolf" + ] + }, + "uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7", + "value": "Awaken Likho" } ], "version": 316 From 182102f73899b7345d623d8d50359c282ffc5e67 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:02 -0700 Subject: [PATCH 27/42] [threat-actors] Add CeranaKeeper --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 78ed7f8c..4e3e5223 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16946,6 +16946,17 @@ }, "uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7", "value": "Awaken Likho" + }, + { + "description": "CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries. The group employs custom backdoors like TONESHELL and OneDoor, leveraging cloud services such as Dropbox and OneDrive for data exfiltration. CeranaKeeper utilizes techniques like side-loading, brute-force attacks, and the deployment of BAT scripts to extend its reach within compromised networks. Their operations are characterized by a relentless pursuit of sensitive data, adapting their toolset and methods to evade detection.", + "meta": { + "country": "CN", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/" + ] + }, + "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb", + "value": "CeranaKeeper" } ], "version": 316 From 2137a86586816edac3a9362b749f63276553231b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:02 -0700 Subject: [PATCH 28/42] [threat-actors] Add SongXY --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4e3e5223..db5c3d8e 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16957,6 +16957,17 @@ }, "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb", "value": "CeranaKeeper" + }, + { + "description": "SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.", + "meta": { + "refs": [ + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/", + "http://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf" + ] + }, + "uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab", + "value": "SongXY" } ], "version": 316 From 8c9ee3b293adafa1b0ed45afeba5ebc36bd17523 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:02 -0700 Subject: [PATCH 29/42] [threat-actors] Add TaskMasters --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index db5c3d8e..40c3e415 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16968,6 +16968,21 @@ }, "uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab", "value": "SongXY" + }, + { + "description": "TaskMasters is a state-sponsored Chinese APT that has been active since at least 2010, primarily targeting industrial, energy, and government sectors in Russia and the CIS. The group has been linked to the Webdav-O Trojan, which employs techniques to bypass network defenses by connecting to legitimate services. Investigations suggest that TaskMasters may have been involved in attacks against Russian federal executive authorities in 2020, potentially alongside another Chinese group, TA428. Additionally, the group has been associated with the BackDoor.RemShell.24 malware, indicating a diverse toolkit in their operations.", + "meta": { + "country": "CN", + "refs": [ + "https://www.group-ib.com/blog/task/", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia" + ], + "synonyms": [ + "BlueTraveller" + ] + }, + "uuid": "f6134b6c-56f1-4eda-be0f-79411d627f19", + "value": "TaskMasters" } ], "version": 316 From 3ac6bb3080c3ca42f23ea32ead3a262d01738ca4 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:03 -0700 Subject: [PATCH 30/42] [threat actors] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bea1cdeb..1e1075d8 100644 --- a/README.md +++ b/README.md @@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *746* elements +Category: *actor* - source: *MISP Project* - total: *751* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] From e7ac294850a16f024c7dca9b2c8edda0e7a39c8a Mon Sep 17 00:00:00 2001 From: rectifyq <170057705+rectifyq@users.noreply.github.com> Date: Wed, 9 Oct 2024 12:57:36 +0000 Subject: [PATCH 31/42] chg: [producer] added Recorded Future, Cyble, Cyfirma, SentinelOne, Fortinet, Zscaler, Splunk and Huntress. --- clusters/producer.json | 252 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 251 insertions(+), 1 deletion(-) diff --git a/clusters/producer.json b/clusters/producer.json index 72fa059e..6e61eb28 100644 --- a/clusters/producer.json +++ b/clusters/producer.json @@ -668,7 +668,257 @@ "description": "Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, and ICANN-accredited domain registration services. Cloudflare's headquarters are in San Francisco, California.", "uuid": "a0a87034-b8ff-4991-9ae1-e650a43292ef", "value": "Cloudflare" + }, + { + "description": "Recorded Future, Inc. is an American privately held cybersecurity company founded in 2009, with headquarters in Somerville, Massachusetts.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://www.recordedfuture.com/" + ], + "product-type": [ + "Digital Risk Protection", + "Threat Intelligence", + "Exposure Management", + "Threat Intelligence Feeds" + ], + "products": [ + "Threat Intelligence", + "Brand Intelligence", + "SecOps Intelligence", + "Vulnerability Intelligence", + "Third-Party Intelligence", + "Geopolitical Intelligence", + "Attack Surface Intelligence", + "Identity Intelligence", + "Payment Fraud Intelligence", + "Analyst On Demand" + ], + "refs": [ + "https://en.wikipedia.org/wiki/Recorded_Future", + "https://www.recordedfuture.com/resources" + ], + "synonyms": [ + "Recorded Future, Inc", + "Insikt Group" + ] + }, + "uuid": "ad7032df-0e9a-4ea9-b35c-c68ff854be80", + "value": "Recorded Future" + }, + { + "description": "Cyble empowers organizations to take control of their cyber risks with AI-driven, cybersecurity platforms.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://cyble.com/" + ], + "product-type": [ + "Digital Risk Protection", + "Threat Intelligence", + "Exposure Management" + ], + "products": [ + "Cyble Vision", + "Cyble Hawk", + "AmIBreached", + "Odin", + "The Cyber Express" + ], + "refs": [ + "https://cyble.com/resources/", + "https://thecyberexpress.com/" + ], + "synonyms": "The Cyber Express" + }, + "uuid": "43e3e0a8-a12d-450a-8f2d-94915123549c", + "value": "Cyble" + }, + { + "description": "CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence", + "meta": { + "company-type": "Cyber Intelligence Provider", + "country": "SG", + "official-refs": [ + "https://www.cyfirma.com/" + ], + "product-type": [ + "Threat Intelligence", + "Digital Risk Protection", + "Mobile App" + ], + "products": [ + "DeCYFIR", + "DeTCT", + "DeFNCE" + ], + "refs": [ + "https://www.cyfirma.com/research/", + "https://golden.com/wiki/CYFIRMA-K46ZYP8" + ] + }, + "uuid": "9d804c53-f307-421c-9f4d-41061c7eee62", + "value": "Cyfirma" + }, + { + "description": "SentinelOne, Inc. is an American cybersecurity company listed on NYSE based in Mountain View, California.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://www.sentinelone.com/" + ], + "product-type": [ + "Endpoint Protection", + "Endpoint Detection Response", + "Deception Technology" + ], + "products": [ + "Singularity Platform", + "Singularity Identity", + "Singularity Hologram" + ], + "refs": "https://www.sentinelone.com/labs/", + "synonyms": "Sentinel One" + }, + "uuid": "996c48de-7bb8-414d-b6fe-ec94abb5f461", + "value": "SentinelOne" + }, + { + "description": "Fortinet, Inc. is a cybersecurity company with headquarters in Sunnyvale, California. The company develops and sells security solutions like firewalls, endpoint security and intrusion detection systems.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://www.fortinet.com/" + ], + "product-type": [ + "Firewall", + "Application delivery controller", + "SOAR", + "Web application firewall / API security", + "Network security platform" + ], + "products": [ + "FortiADC", + "FortiAnalyzer", + "FortiAuthenticator", + "FortiCASB", + "FortiClient", + "FortiEDR", + "FortiCNP", + "FortiDDos", + "FortiDeceptor", + "FortiExtender", + "FortiGate", + "FortiIsolator", + "FortiMail", + "FortiManager", + "FortiNAC", + "FortiPAM", + "FortiSandbox", + "FortiSIEM", + "FortiSASE", + "FortiSOAR", + "FortiSwitch", + "FortiTester", + "FortiToken", + "FortiVoice", + "FortiWeb" + ], + "refs": [ + "https://en.wikipedia.org/wiki/Fortinet", + "https://www.fortinet.com/blog/threat-research" + ] + }, + "uuid": "bfafdca5-3171-4953-86ab-c74f44822fd3", + "value": "Fortinet" + }, + { + "description": "Zscaler, Inc. (/ˈziːˌskeɪlər/) is an American cloud security company based in San Jose, California. The company offers cloud-based services to protect enterprise networks and data.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://www.zscaler.com/" + ], + "product-type": [ + "Secure Web Gateway", + "SASE", + "VPN", + "CASB", + "DLP" + ], + "products": [ + "Zscaler Internet Access", + "Zscaler Private Access", + "Zscaler Digital Experience", + "Zscaler Zero Trust Exchange" + ], + "refs": [ + "https://www.zscaler.com/blogs?type=security-research", + "https://en.wikipedia.org/wiki/Zscaler" + ] + }, + "uuid": "1427d7df-a9b8-4809-afe0-1180cfdd930d", + "value": "Zscaler" + }, + { + "description": "Splunk Inc. is an American software company based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated data via a web-style interface.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "product-type": [ + "SIEM", + "Observability", + "SOAR", + "UEBA" + ], + "products": [ + "Splunk Enterprise Security", + "Splunk ITSI", + "Splunk SOAR", + "Splunk Observability Cloud", + "Splunk UEBA" + ], + "refs": [ + "https://www.splunk.com/", + "https://www.splunk.com/en_us/blog/security.html", + "https://en.wikipedia.org/wiki/Splunk" + ] + }, + "uuid": "7acb73f9-83c8-4a1d-88e5-873bad8659fa", + "value": "Splunk" + }, + { + "description": "Huntress Labs Incorporated operates as a security software solution provider. The Company provides managed threat detection and response services to uncover, address persistent footholds that prevent defenses. Huntress Labs serves customers in the United States.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://www.huntress.com/" + ], + "product-type": [ + "Managed Security", + "Endpoint Detection Response", + "Security Awareness Training" + ], + "products": [ + "Managed EDR", + "MDR for Microsoft 365", + "Security Awareness Training", + "Managed SIEM" + ], + "refs": [ + "https://www.huntress.com/", + "https://www.huntress.com/blog" + ] + }, + "uuid": "9bfc59a7-ab20-4ef0-8034-871956d4a9cc", + "value": "Huntress" } ], - "version": 12 + "version": 13 } From 4c58ed03b09ed3bcdbc240183e861146e74184c3 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 10 Oct 2024 06:37:03 +0200 Subject: [PATCH 32/42] fix: [producer] refs are arrays --- clusters/producer.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/clusters/producer.json b/clusters/producer.json index 6e61eb28..c26e25a0 100644 --- a/clusters/producer.json +++ b/clusters/producer.json @@ -780,7 +780,9 @@ "Singularity Identity", "Singularity Hologram" ], - "refs": "https://www.sentinelone.com/labs/", + "refs": [ + "https://www.sentinelone.com/labs/" + ], "synonyms": "Sentinel One" }, "uuid": "996c48de-7bb8-414d-b6fe-ec94abb5f461", @@ -920,5 +922,5 @@ "value": "Huntress" } ], - "version": 13 + "version": 14 } From e2985c368693d4063fc4a67f3ecee20e35fd8069 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 10 Oct 2024 06:40:15 +0200 Subject: [PATCH 33/42] fix: [producer] must be an array --- clusters/producer.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/producer.json b/clusters/producer.json index c26e25a0..e54bbdb3 100644 --- a/clusters/producer.json +++ b/clusters/producer.json @@ -731,7 +731,9 @@ "https://cyble.com/resources/", "https://thecyberexpress.com/" ], - "synonyms": "The Cyber Express" + "synonyms": [ + "The Cyber Express" + ] }, "uuid": "43e3e0a8-a12d-450a-8f2d-94915123549c", "value": "Cyble" From a4d1cdc1ce7fe01af3380ba5678e370cff4707ec Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 10 Oct 2024 09:33:12 +0200 Subject: [PATCH 34/42] chg: [producer] updated --- clusters/producer.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/clusters/producer.json b/clusters/producer.json index e54bbdb3..a6f456b9 100644 --- a/clusters/producer.json +++ b/clusters/producer.json @@ -785,7 +785,9 @@ "refs": [ "https://www.sentinelone.com/labs/" ], - "synonyms": "Sentinel One" + "synonyms": [ + "Sentinel One" + ] }, "uuid": "996c48de-7bb8-414d-b6fe-ec94abb5f461", "value": "SentinelOne" @@ -924,5 +926,5 @@ "value": "Huntress" } ], - "version": 14 + "version": 15 } From 0e9544c6c8172efe721486205676b49176ee0b9e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 10 Oct 2024 14:59:51 +0200 Subject: [PATCH 35/42] chg: [doc] README updated --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1e1075d8..d48457f4 100644 --- a/README.md +++ b/README.md @@ -487,7 +487,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements [Producer](https://www.misp-galaxy.org/producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large. -Category: *actor* - source: *MISP Project* - total: *38* elements +Category: *actor* - source: *MISP Project* - total: *46* elements [[HTML](https://www.misp-galaxy.org/producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)] From f50ce73d12ff9fe4ad1c3a549843f91f40704325 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 10 Oct 2024 20:37:16 +0200 Subject: [PATCH 36/42] chg: [ransomware] updated --- clusters/ransomware.json | 108 +++++++++++++++++++++++++++++++++++---- 1 file changed, 99 insertions(+), 9 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 5980df9c..cb71b770 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -16079,7 +16079,13 @@ "description": "Ransomware", "meta": { "links": [ - "http://black3gnkizshuynieigw6ejgpblb53mpasftzd6pydqpmq2vn2xf6yd.onion" + "http://black3gnkizshuynieigw6ejgpblb53mpasftzd6pydqpmq2vn2xf6yd.onion", + "http://4qyjonpyksc52bc3fsgfgedssqgo4a6vlfsjknqnkncbyl4layqkqjid.onion/", + "http://eleav2eq3ioyiuevbyvqaz3vruwvpislphszo4cm7n56itbpnupxngyd.onion/", + "http://2cyxmof76rxeqze5snxxooqmhzjtcploqswxoxmenfayphumdhrtrzqd.onion/", + "http://rqqn25k3hgmfkh7ykjbmakjgidwweomr7cbpy6pfecpxs57r5iwzwtyd.onion/", + "http://mu6se7h7qfwuqclr4cc6zy7qevod6gyk37aq5vwnayrtbx3qqycx2fyd.onion/", + "http://urey23jtg6z7xx3tiybmc4sgcim7dawiz2abl6crpup2lfobf7yb5wyd.onion/" ], "refs": [ "https://www.ransomlook.io/group/blackout" @@ -26757,7 +26763,8 @@ ], "links": [ "http://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion/", - "https://0mega.cc/" + "https://0mega.cc/", + "https://0mega.ws/" ], "ransomnotes-filenames": [ "DECRYPT-FILES.txt" @@ -28550,7 +28557,8 @@ "meta": { "links": [ "http://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion/", - "http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion" + "http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion", + "http://92.118.36.204/" ], "refs": [ "https://www.ransomlook.io/group/8base" @@ -28654,7 +28662,34 @@ { "meta": { "links": [ - "http://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion" + "http://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion", + "http://ufvi7hpcawesdklmommeeq4iokhq2km4hay3dwh4rirth5xaomle35id.onion/", + "http://t7ogwvu74a6flssns55yv7zw2xvssqbhrdbxqrwbahumyzwklnvqayid.onion/", + "http://gmxnejtsg3uiwopmnsooxbi3p2nukwemkvm7bg44tgbbnuuuyofqjfyd.onion/", + "http://jtjz6utbmabwcatyomwxaeum7ey7nxs7yooqflxhctnksjqsnammonqd.onion/", + "http://2mhkqjcw4auxop7auchz2iijcbj63qccwodtokofbb2ul5oejkkt6xyd.onion/", + "http://wka7ma7rzgmzmtn65dhv5zp5p6e3uv5sydnns7xsf6kpf7noukhchhqd.onion/", + "http://l3yeoyhnphtymqua5env7qitedmqv5ahe7waxgndwa64z2c2h3cjjhqd.onion/", + "http://2j45tydxcvm44jbyr6krhx77rzey3jtif5qdjak2gik4usoljvvhqaid.onion/", + "http://cuft7z2xlfogrtx4ddqnjqyerye2qtagksow2fip4xbb5iw7dsgtvhqd.onion/", + "http://wyz32kscr2ythqpyjwqfxcaxn5576fdurr7jag44gggnmi4cvhykhvid.onion/", + "http://3pb6cefz6hubgyb2ph7ua7yjzjpxwapbbp5zomz7xmvrjhjfykjwu6id.onion/", + "http://kn4spxunete4ddz7375i2wpnj4vvkir7wdmcg2pc5yod56lmb54nbayd.onion/", + "http://2ikvareyuw2wjnc4vb5yteq7d2tkg6k3gevnixzqtkn3cpvej6ajj4yd.onion/", + "http://wflff64dxxqvfhd7poarkvkphmibdjyyhv7h4zqo5m52ggsgncmbrbqd.onion/", + "http://frheu6drsqpehmuyrdxdrfu5bzqwxps4zlmnuxlcnxskwxcwqsyhwxyd.onion/", + "http://kceqbaoxmx2czutxty3mq35m5mv46dq66hpszrhbhduj7uwhu6ax3qad.onion/", + "http://4nsmlpz4qceow7bfrmarxdqaj7chcqobin3mzb27uhscb2yvjs6j4xqd.onion/", + "http://nka6xgyyu77ksb5xmmovp4en2hrkg53mfq2osql526oe7nybnlggfgid.onion/", + "http://mflnjnwfinorxxsgkyfel3fqanbtbbrl5k5mqqjwmrf7o3jc6a4hy3id.onion/", + "http://jtt4lqatjtrj5hxxi33dczkluouf5wivzdmy4v62dnhipk6ixk5mktad.onion/", + "http://udugclljnfcx34amtpddkjggmkfqci5xnlfef2hqtxstufulo3pvauid.onion/", + "http://vmmefm7ktazj2bwtmy46o3wxhk42tctasyyqv6ymuzlivszteyhkkyad.onion/", + "http://cfev2mvlqooohl3af2upkgu3ju4qcgqrrgh6sprfxkgh3qldh2ykxzyd.onion/", + "http://2fzahjlleflpcyecd245xe3q6tczjkwzcm4fbhd4q4bsun45y2csyayd.onion/", + "http://wpefgvpyuszr4vg444qed734big233itylqclte7usszbdbfyqvb2lqd.onion/", + "http://gvzbeu532wwxqze3v3xcxpsbhpvwusnajzahi55dqklbunzgjp5wchad.onion/", + "http://ieelfdk3qr6as2u5cx3kfo57pdu6s77lis3lafg5lx5ljqf2izial6ad.onion/" ], "refs": [ "https://www.ransomlook.io/group/abyss-data" @@ -28928,7 +28963,20 @@ "links": [ "http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog", "http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login", - "http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion" + "http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion", + "http://zsglo7t7osxyk3vcl7zxzup7hs4ir52sntteymmw63zvoxzcqytlw7qd.onion/", + "http://6dgi54prfmpuuolutr4hl3akasxbx4o34g5y2bj4blrvzzkjemhxenad.onion/", + "http://eogeko3sdn66gb7vjpwpmlmmmzfx7umtwaugpf5l6tb5jveolfydnuad.onion/", + "http://ewrxgpvv7wsrqq7itfwg5jr7lkc6zzknndmru5su2ugrowxo3wwy5yad.onion/", + "http://3ro23rujyigqrlrwk3e4keh3a3i6ntgrm3f42tbiqtf7vke47c6a6ayd.onion/", + "http://jziu7k7uee467r2wt66ndrwymmw7tsmqgcqi7aemcaxraqmaf2hdm3yd.onion/", + "http://2yczff6zyiey3gkgl5anwejktdp73abxbzbnvwobmrwkwgf3hudpyvyd.onion/", + "http://bpoowhokr3vi32l3t4mjdtdxfrfpigwachopk5ojwmgxihnojhsawuyd.onion/", + "http://dbvczza7nhwdb5kdvkzjtkrcvwnrt5viw7mihutueprvajy7rxhwq6id.onion/", + "http://xtcwd3xmxpggtizn7kmwwqeizexflkkyqsytg2kauccau6ddsfa4gfyd.onion/", + "http://4wcrfql53ljekid3sn66z6swjot725muveddq77utxltaelw64eikfid.onion/", + "http://73h3lxn24kuayyfkn4t6ij7e67jklo24vqzqdhpts3ygmim7hu6u6aid.onion/", + "http://nwtetzmrqhxieetg5lvth7szzvg35gfrqt23ly46vku56oo7pkueswyd.onion/" ], "refs": [ "https://www.ransomlook.io/group/dragonforce" @@ -28945,7 +28993,8 @@ "http://mjmru3yz65o5szsp4rmkmh4adlezcpy5tqjjc4y5z6lozk3nnz2da2ad.onion/", "http:// http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion", "http://fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion", - "http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion" + "http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion", + "http://xeuvs5poflczn5i5kbynb5rupmidb5zjuza6gaq22uqsdp3jvkjkciqd.onion/" ], "refs": [ "https://www.ransomlook.io/group/ransomhub" @@ -29362,7 +29411,9 @@ { "meta": { "links": [ - "https://apos.blog" + "https://apos.blog", + "http://yrz6bayqwhleymbeviter7ejccxm64sv2ppgqgderzgdhutozcbbhpqd.onion/rules", + "http://yrz6bayqwhleymbeviter7ejccxm64sv2ppgqgderzgdhutozcbbhpqd.onion/" ], "refs": [ "https://www.ransomlook.io/group/apos" @@ -29493,7 +29544,8 @@ { "meta": { "links": [ - "http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion/" + "http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion/", + "http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/" ], "refs": [ "https://www.ransomlook.io/group/cicada3301" @@ -29811,7 +29863,45 @@ }, "uuid": "9d7ca9df-c219-59fc-93fb-86f4606942ba", "value": "nitrogen" + }, + { + "meta": { + "links": [ + "http://sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion", + "http://bi32pq7y3gqq3qacgvamnk2s2elnppvevqp325wtk2wo7vh2zavjcfid.onion/", + "http://54yjkjwjqbm74nchm6o6b4l775ws2hgesdopus5jvo3jx6ftj7zn7mid.onion/", + "http://ngvvafvhfgwknj63ivqjqdxc7b5fyedo67zshblipo5a2zuair5t4nid.onion/", + "http://icmghe66zl4twvbv5g4h532mogcea44hrkxtotrlx6aia5jslnnbnxad.onion/", + "http://lyz3i74psw6vkuxdjhkyxzy3226775qpzs6oage4zw6qj66ppdxma2qd.onion/", + "http://55lfxollcks2pvxbtg73vrpl3i7x4jnnrxfl6al6viamwngqlu4cxgyd.onion/", + "http://modre6n4hqm4seip2thhbjcfkcdcljhec7ekvd5qt7m7fhimpc2446qd.onion/", + "http://r3yes535gjsi2puoz2bvssl3ewygcfgwoji6wdk3grj3baexn2hha2id.onion/", + "http://pauppf2nuoqxwwqqshaehbkj54debl7bppacfm5h6z6zjoiejifezhad.onion/", + "http://iiobxrljnmjwb6l66bfvhin5zxbghbgiv6yamqpb4bezlrxd2vhetgyd.onion/", + "http://nf5b6a4b4s623wfxkveibjmwwpqjm536t5tyrbtrw7vsdqepsdoejoad.onion/", + "http://rs3icoalw6bdgedspnmt6vp2dzzuyqxtccezmta2g5mlyao64len7dyd.onion/", + "http://lpp4aze237qkkursbtesd54ofag6te5i5lzpee5a3buhq4v3uwtxnlqd.onion/", + "http://6nwhpuwtf4onxvr7el5ycc4xwefhk4w6q6rbn23oe2ghax2x7nns3iad.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/sarcoma" + ] + }, + "uuid": "dfe512ec-19ef-50c4-9ddf-56daf8c9b8d7", + "value": "sarcoma" + }, + { + "meta": { + "links": [ + "http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/" + ], + "refs": [ + "https://www.ransomlook.io/group/interlock" + ] + }, + "uuid": "6a20c736-d83c-502f-8a9f-379a556fb4ac", + "value": "interlock" } ], - "version": 135 + "version": 136 } From b0384b8889a686fb0ca18b2999b89045172c1d4f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 10 Oct 2024 22:12:40 +0200 Subject: [PATCH 37/42] chg: [doc] README updated --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d48457f4..917ab538 100644 --- a/README.md +++ b/README.md @@ -495,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *46* elements [Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project. -Category: *tool* - source: *Various* - total: *1807* elements +Category: *tool* - source: *Various* - total: *1809* elements [[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)] From 73847f1cc1bb7a211d95bc401ebb310fa95ab81a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 17 Oct 2024 13:44:21 +0200 Subject: [PATCH 38/42] chg: [ransomware] updated to the latest version --- clusters/ransomware.json | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index cb71b770..8c15a5d2 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -29203,7 +29203,8 @@ "meta": { "links": [ "http://p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd.onion/index.html", - "http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/" + "http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/", + "https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion/" ], "refs": [ "https://www.ransomlook.io/group/dunghill" @@ -29372,7 +29373,8 @@ "http://zo5xog4vpvdae473doneepetidh36m5czdq2vyeiq3lvqhuel56p6nid.onion/", "http://66ohzao6afsv2opk22r2kv6fbnf2fthe7v4ykzzc5vjezvvyf3gocwyd.onion/", "https://2nn4b6gihz5bttzabjegune3blwktad2zmy77fwutvvrxxodbufo6qid.onion/", - "http://y6kyfs2unbfcyodzjrxadn4w5vyulhyotdi5dtiqulxbduujehupunqd.onion/" + "http://y6kyfs2unbfcyodzjrxadn4w5vyulhyotdi5dtiqulxbduujehupunqd.onion/", + "http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/api/blog/get" ], "refs": [ "https://www.ransomlook.io/group/embargo" @@ -29893,7 +29895,8 @@ { "meta": { "links": [ - "http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/" + "http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/", + "http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/leaks.php" ], "refs": [ "https://www.ransomlook.io/group/interlock" @@ -29903,5 +29906,5 @@ "value": "interlock" } ], - "version": 136 + "version": 137 } From 2594c9186404e8b68578a041410013b8c75363b0 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 17 Oct 2024 13:55:15 +0200 Subject: [PATCH 39/42] chg: [cluster] updated --- clusters/sigma-rules.json | 3503 ++++++++++++++++++++----------------- 1 file changed, 1863 insertions(+), 1640 deletions(-) diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index db7c7bfa..af929ed1 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json @@ -23,10 +23,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], "tags": [ @@ -93,8 +93,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/last-byte/PersistenceSniper", "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", + "https://github.com/last-byte/PersistenceSniper", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml" ], "tags": [ @@ -127,8 +127,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" ], "tags": [ @@ -149,10 +149,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://www.sans.org/cyber-security-summit/archives", - "https://twitter.com/jamieantisocial/status/1304520651248668673", + "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling", + "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], "tags": [ @@ -188,9 +188,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -223,8 +223,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", + "https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml" ], "tags": [ @@ -258,10 +258,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], "tags": [ @@ -294,9 +294,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/991447379864932352", "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", + "https://twitter.com/Hexacorn/status/991447379864932352", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ @@ -395,8 +395,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/aedebug.html", "https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", + "https://persistence-info.github.io/Data/aedebug.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" ], "tags": [ @@ -419,12 +419,12 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.attackiq.com/2023/09/20/emulating-rhysida/", - "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", - "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", + "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", + "https://www.attackiq.com/2023/09/20/emulating-rhysida/", + "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml" ], "tags": [ @@ -466,11 +466,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", - "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", - "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", + "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", + "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", + "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" ], "tags": [ @@ -540,8 +540,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" ], "tags": [ @@ -564,8 +564,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml" ], "tags": [ @@ -716,9 +716,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ @@ -786,8 +786,8 @@ "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html", - "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", + "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" ], "tags": [ @@ -820,9 +820,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], "tags": [ @@ -863,8 +863,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74", "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml" ], "tags": [ @@ -1032,8 +1032,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" ], "tags": [ @@ -1100,9 +1100,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ @@ -1135,8 +1135,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" ], "tags": [ @@ -1202,10 +1202,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", - "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", + "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", + "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml" ], "tags": [ @@ -1305,8 +1305,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/naturallanguage6.html", "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", + "https://persistence-info.github.io/Data/naturallanguage6.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml" ], "tags": [ @@ -1371,8 +1371,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml" ], @@ -1439,8 +1439,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", + "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml" ], "tags": [ @@ -1473,8 +1473,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" ], "tags": [ @@ -1507,8 +1507,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)", "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/", + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml" ], "tags": [ @@ -1576,8 +1576,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml" ], "tags": [ @@ -1627,9 +1627,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", - "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", + "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml" ], "tags": [ @@ -1662,9 +1662,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", - "https://twitter.com/inversecos/status/1494174785621819397", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", + "https://twitter.com/inversecos/status/1494174785621819397", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml" ], "tags": [ @@ -1858,8 +1858,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" ], "tags": [ @@ -1892,8 +1892,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" ], @@ -1940,10 +1940,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/ifilters.html", - "https://twitter.com/0gtweet/status/1468548924600459267", "https://github.com/gtworek/PSBits/tree/master/IFilter", + "https://persistence-info.github.io/Data/ifilters.html", "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", + "https://twitter.com/0gtweet/status/1468548924600459267", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], "tags": [ @@ -1966,10 +1966,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", - "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", - "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://twitter.com/M_haggis/status/1699056847154725107", + "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", + "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", + "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ @@ -2058,10 +2058,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1626648985824788480", "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", + "https://twitter.com/nas_bench/status/1626648985824788480", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" ], "tags": [ @@ -2286,17 +2286,17 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://twitter.com/_xpn_/status/1268712093928378368", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://bunnyinside.com/?term=f71e8cb9c76a", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ @@ -2394,8 +2394,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" ], "tags": [ @@ -2428,8 +2428,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", "https://persistence-info.github.io/Data/htmlhelpauthor.html", + "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml" ], "tags": [ @@ -2452,8 +2452,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", + "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml" ], "tags": [ @@ -2520,8 +2520,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", "https://youtu.be/zSihR3lTf7g", + "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" ], "tags": [ @@ -2611,16 +2611,16 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "https://blog.sekoia.io/darkgate-internals/", - "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry", - "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", - "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry", + "https://blog.sekoia.io/darkgate-internals/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" ], "tags": [ @@ -2788,9 +2788,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ @@ -2858,13 +2858,14 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ @@ -2897,9 +2898,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", + "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" ], "tags": [ @@ -2934,9 +2935,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], "tags": [ @@ -2992,9 +2993,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], "tags": [ @@ -3017,9 +3018,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/ransomware-families/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", + "https://unit42.paloaltonetworks.com/ransomware-families/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" ], "tags": [ @@ -3078,9 +3079,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ @@ -3113,8 +3114,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml" ], @@ -3149,8 +3150,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", + "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" ], "tags": [ @@ -3185,9 +3186,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ @@ -3277,8 +3278,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", "https://github.com/elastic/detection-rules/issues/1371", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" @@ -3387,8 +3388,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", "https://persistence-info.github.io/Data/hhctrl.html", + "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" ], "tags": [ @@ -3445,9 +3446,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], "tags": [ @@ -3553,9 +3554,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", - "https://twitter.com/inversecos/status/1494174785621819397", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", + "https://twitter.com/inversecos/status/1494174785621819397", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml" ], "tags": [ @@ -3655,13 +3656,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", - "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ @@ -3695,8 +3696,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/inversecos/status/1494174785621819397", "Internal Research", + "https://twitter.com/inversecos/status/1494174785621819397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml" ], "tags": [ @@ -3729,8 +3730,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" ], "tags": [ @@ -3763,8 +3764,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/mpnotify.html", "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", + "https://persistence-info.github.io/Data/mpnotify.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml" ], "tags": [ @@ -3820,8 +3821,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/_vivami/status/1347925307643355138", "https://vanmieghem.io/stealth-outlook-persistence/", + "https://twitter.com/_vivami/status/1347925307643355138", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml" ], "tags": [ @@ -3979,10 +3980,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware", - "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps", + "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware", "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1", + "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml" ], "tags": [ @@ -4039,9 +4040,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ @@ -4268,8 +4269,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", "https://www.exploit-db.com/exploits/47696", + "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml" ], "tags": [ @@ -4536,9 +4537,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change", + "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml" ], "tags": [ @@ -4680,8 +4681,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" ], "tags": [ @@ -4805,9 +4806,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", + "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", + "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" ], "tags": [ @@ -4863,8 +4864,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", + "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ @@ -5054,8 +5055,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", "https://twitter.com/WhichbufferArda/status/1543900539280293889", + "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml" ], "tags": [ @@ -5088,8 +5089,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", + "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml" ], "tags": [ @@ -5191,8 +5192,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/pabraeken/status/998627081360695297", - "https://twitter.com/VakninHai/status/1517027824984547329", "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", + "https://twitter.com/VakninHai/status/1517027824984547329", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], "tags": [ @@ -5266,8 +5267,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1560536653709598721", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://twitter.com/malmoeb/status/1560536653709598721", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml" ], "tags": [ @@ -5290,11 +5291,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage", + "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], "tags": [ @@ -5460,8 +5461,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml" ], "tags": [ @@ -5528,9 +5529,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], "tags": [ @@ -5598,10 +5599,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://persistence-info.github.io/Data/userinitmprlogonscript.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], "tags": [ @@ -5635,9 +5636,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" ], "tags": [ @@ -5712,8 +5713,8 @@ "logsource.product": "windows", "refs": [ "https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials", - "https://adsecurity.org/?p=1785", "https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/", + "https://adsecurity.org/?p=1785", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml" ], "tags": [ @@ -5747,9 +5748,9 @@ "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", - "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml" ], "tags": [ @@ -6162,8 +6163,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml" ], "tags": [ @@ -6328,9 +6329,9 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", - "http://woshub.com/how-to-clear-rdp-connections-history/", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", + "http://woshub.com/how-to-clear-rdp-connections-history/", + "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" ], "tags": [ @@ -6374,8 +6375,8 @@ "https://learn.microsoft.com/en-us/windows/win32/shell/launch", "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/OTRF/detection-hackathon-apt29/issues/7", - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", "https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], "tags": [ @@ -6408,8 +6409,8 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://seclists.org/fulldisclosure/2020/Mar/45", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" ], "tags": [ @@ -6509,8 +6510,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" ], "tags": [ @@ -6554,8 +6555,8 @@ "logsource.product": "windows", "refs": [ "https://adepts.of0x.cc/netsh-portproxy-code/", - "https://www.dfirnotes.net/portproxy_detection/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ @@ -6590,8 +6591,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", + "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" ], "tags": [ @@ -6624,8 +6625,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/inversecos/status/1494174785621819397", "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", + "https://twitter.com/inversecos/status/1494174785621819397", "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml" ], @@ -6659,11 +6660,11 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ + "https://nvd.nist.gov/vuln/detail/cve-2021-1675", + "https://nvd.nist.gov/vuln/detail/cve-2021-34527", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", - "https://nvd.nist.gov/vuln/detail/cve-2021-34527", - "https://nvd.nist.gov/vuln/detail/cve-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], "tags": [ @@ -6698,8 +6699,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", + "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://persistence-info.github.io/Data/recyclebin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" ], @@ -6733,10 +6734,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", "https://github.com/hfiref0x/UACME", - "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", + "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", + "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ @@ -6878,8 +6879,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", + "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" ], "tags": [ @@ -7288,8 +7289,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml" ], "tags": [ @@ -7496,8 +7497,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" ], "tags": [ @@ -7533,8 +7534,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://twitter.com/SBousseaden/status/1183745981189427200", + "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" ], "tags": [ @@ -7744,11 +7745,11 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", + "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", - "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", - "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml" ], "tags": [ @@ -8342,8 +8343,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "Internal Research", + "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml" ], "tags": [ @@ -8376,10 +8377,10 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/", "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", + "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml" ], "tags": [ @@ -8447,8 +8448,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/neonprimetime/status/1436376497980428318", - "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml" ], "tags": [ @@ -8515,8 +8516,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04", + "https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml" ], "tags": [ @@ -8749,9 +8750,9 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://cydefops.com/vscode-data-exfiltration", - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://cydefops.com/vscode-data-exfiltration", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml" ], "tags": [ @@ -8784,8 +8785,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/", "https://malware.guide/browser-hijacker/remove-onelaunch-virus/", + "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/", "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml" ], @@ -8819,8 +8820,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml" ], "tags": [ @@ -8862,14 +8863,14 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://blog.sekoia.io/scattered-spider-laying-new-eggs/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", - "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a", "https://redcanary.com/blog/misbehaving-rats/", "https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization", + "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml" ], "tags": [ @@ -8902,18 +8903,18 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://securelist.com/faq-the-projectsauron-apt/75533/", "https://www.us-cert.gov/ncas/alerts/TA17-117A", - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://securelist.com/faq-the-projectsauron-apt/75533/", + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml" ], "tags": [ @@ -8948,8 +8949,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml" ], "tags": [ @@ -9027,8 +9028,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", "https://github.com/Azure/SimuLand", + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", "https://o365blog.com/post/adfs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml" ], @@ -9062,8 +9063,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml" ], "tags": [ @@ -9174,8 +9175,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://github.com/hackvens/CoercedPotato", "https://blog.hackvens.fr/articles/CoercedPotato.html", + "https://github.com/hackvens/CoercedPotato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml" ], "tags": [ @@ -9311,9 +9312,9 @@ "refs": [ "https://twitter.com/d4rksystem/status/1357010969264873472", "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", "https://github.com/SigmaHQ/sigma/issues/253", "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", - "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml" ], "tags": [ @@ -9702,8 +9703,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io", "Personal research, statistical analysis", + "https://lolbas-project.github.io", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml" ], "tags": [ @@ -9772,8 +9773,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/", "https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/", + "https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml" ], "tags": [ @@ -9848,8 +9849,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/mdsecactivebreach/CACTUSTORCH", + "https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml" ], "tags": [ @@ -10098,8 +10099,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io", "Personal research, statistical analysis", + "https://lolbas-project.github.io", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml" ], "tags": [ @@ -10457,8 +10458,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", "https://twitter.com/SBousseaden/status/1278977301745741825", + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml" ], "tags": [ @@ -10558,8 +10559,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", + "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml" ], "tags": [ @@ -10683,8 +10684,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml" ], "tags": [ @@ -10742,8 +10743,8 @@ "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], "tags": [ @@ -10776,9 +10777,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://en.wikipedia.org/wiki/IExpress", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml" ], "tags": [ @@ -10960,11 +10961,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ @@ -10997,9 +10998,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", - "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml" ], "tags": [ @@ -11112,8 +11113,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", + "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml" ], "tags": [ @@ -11339,9 +11340,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/Yaxser/Backstab", + "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", - "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml" ], "tags": [ @@ -11475,8 +11476,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/12", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" ], "tags": [ @@ -11544,8 +11545,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", + "Internal Research", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" ], @@ -11579,8 +11580,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml" ], "tags": [ @@ -11603,10 +11604,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", - "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ @@ -11786,8 +11787,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml" ], "tags": [ @@ -12399,10 +12400,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", - "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", + "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", "http://addbalance.com/word/startup.htm", + "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml" ], "tags": [ @@ -12476,8 +12477,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://cobalt.io/blog/kerberoast-attack-techniques", "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", + "https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml" ], "tags": [ @@ -12534,26 +12535,26 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/besimorhino/powercat", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/samratashok/nishang", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/HarmJ0y/DAMP", - "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", - "https://github.com/Kevin-Robertson/Powermad", "https://github.com/adrecon/ADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/samratashok/nishang", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/HarmJ0y/DAMP", "https://github.com/adrecon/AzureADRecon", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/CsEnox/EventViewer-UACBypass", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -12707,11 +12708,13 @@ "logsource.product": "windows", "refs": [ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/CCob/MirrorDump", + "https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258", + "https://github.com/helpsystems/nanodump", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://www.google.com/search?q=procdump+lsass", - "https://github.com/CCob/MirrorDump", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://github.com/helpsystems/nanodump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml" ], "tags": [ @@ -12812,10 +12815,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": [ @@ -13046,8 +13049,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml" ], "tags": [ @@ -13104,9 +13107,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", - "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], "tags": [ @@ -13197,8 +13200,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://persistence-info.github.io/Data/powershellprofile.html", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml" ], "tags": [ @@ -13232,10 +13235,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", + "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" ], "tags": [ @@ -13542,8 +13545,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml" ], "tags": [ @@ -13600,9 +13603,9 @@ "logsource.product": "windows", "refs": [ "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", + "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", - "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" ], "tags": [ @@ -13768,9 +13771,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml" ], "tags": [ @@ -13860,11 +13863,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://twitter.com/luc4m/status/1073181154126254080", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/luc4m/status/1073181154126254080", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -13897,10 +13900,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", - "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" ], "tags": [ @@ -14042,8 +14045,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/", "https://asec.ahnlab.com/en/58878/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml" ], "tags": [ @@ -14066,8 +14069,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/FireFart/hivenightmare/", + "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://twitter.com/cube0x0/status/1418920190759378944", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" @@ -14103,9 +14106,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" ], "tags": [ @@ -14214,8 +14217,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" ], "tags": [ @@ -14248,8 +14251,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", + "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" ], "tags": [ @@ -14341,8 +14344,8 @@ "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ @@ -14442,9 +14445,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml" ], "tags": [ @@ -14511,8 +14514,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ @@ -14540,8 +14543,8 @@ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://twitter.com/pfiatde/status/1681977680688738305", - "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", + "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -14658,11 +14661,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://twitter.com/luc4m/status/1073181154126254080", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/luc4m/status/1073181154126254080", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ @@ -14755,12 +14758,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/MaD_c4t/status/1623414582382567424", - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", - "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", - "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://labs.withsecure.com/publications/detecting-onenote-abuse", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", + "https://twitter.com/MaD_c4t/status/1623414582382567424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], "tags": [ @@ -15108,12 +15111,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/Wh04m1001/SysmonEoP", - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -15156,8 +15159,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml" ], "tags": [ @@ -15223,8 +15226,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], @@ -15258,11 +15261,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/FireFart/hivenightmare", "https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934", "https://www.google.com/search?q=%22reg.exe+save%22+sam", - "https://github.com/search?q=CVE-2021-36934", "https://github.com/HuskyHacks/ShadowSteal", - "https://github.com/FireFart/hivenightmare", + "https://github.com/search?q=CVE-2021-36934", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ @@ -15329,8 +15332,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", + "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml" ], "tags": [ @@ -15500,8 +15503,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.passcape.com/windows_password_recovery_dpapi_credhist", "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", + "https://www.passcape.com/windows_password_recovery_dpapi_credhist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credhist.yml" ], "tags": [ @@ -15824,8 +15827,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/cube0x0/CVE-2021-1675", "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", + "https://github.com/cube0x0/CVE-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml" ], "tags": [ @@ -15962,8 +15965,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/9", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/9", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ @@ -16029,9 +16032,9 @@ "logsource.category": "file_executable_detected", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://en.wikipedia.org/wiki/IExpress", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml" ], "tags": [ @@ -16189,9 +16192,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ @@ -16224,9 +16227,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/hfiref0x/UACME", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ @@ -16476,8 +16479,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], @@ -16511,10 +16514,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.elastic.co/security-labs/operation-bleeding-bear", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://twitter.com/splinter_code/status/1483815103279603714", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": [ @@ -16566,8 +16569,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/1477717351017680899?s=12", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml" ], "tags": [ @@ -16657,9 +16660,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/_JohnHammond/status/1531672601067675648", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], "tags": [ @@ -16725,9 +16728,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", - "https://github.com/GhostPack/Rubeus", "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", + "https://github.com/GhostPack/Rubeus", + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" ], "tags": [ @@ -16777,12 +16780,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", + "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", + "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", - "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", - "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", - "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml" ], "tags": [ @@ -16815,12 +16818,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], @@ -16898,8 +16901,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml" ], "tags": [ @@ -16933,9 +16936,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/bash/rar.html", "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://ss64.com/bash/rar.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" ], "tags": [ @@ -17227,10 +17230,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", - "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", - "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", "https://en.wikipedia.org/wiki/IExpress", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml" ], "tags": [ @@ -17296,10 +17299,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" ], "tags": [ @@ -17414,9 +17417,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -17486,8 +17489,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml" ], "tags": [ @@ -17520,9 +17523,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://badoption.eu/blog/2023/01/31/code_c2.html", - "https://code.visualstudio.com/docs/remote/tunnels", "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://code.visualstudio.com/docs/remote/tunnels", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml" ], "tags": [ @@ -17555,8 +17558,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.pingcastle.com/documentation/scanner/", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://www.pingcastle.com/documentation/scanner/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml" ], "tags": [ @@ -17632,8 +17635,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/SharpHound", "https://github.com/BloodHoundAD/BloodHound", + "https://github.com/BloodHoundAD/SharpHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml" ], "tags": [ @@ -17757,9 +17760,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf", "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml" ], "tags": [ @@ -17981,13 +17984,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/zcgonvh/NTDSDumpEx", + "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ @@ -18053,8 +18056,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ @@ -18087,8 +18090,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/network-tunneling-with-qemu/111803/", "https://www.qemu.org/docs/master/system/invocation.html#hxtool-5", + "https://securelist.com/network-tunneling-with-qemu/111803/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml" ], "tags": [ @@ -18129,8 +18132,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml" ], "tags": [ @@ -18165,8 +18168,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", "https://dtm.uk/wuauclt/", + "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml" ], "tags": [ @@ -18361,8 +18364,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml" ], "tags": [ @@ -18463,8 +18466,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", + "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" ], "tags": [ @@ -18499,8 +18502,8 @@ "logsource.product": "windows", "refs": [ "https://adepts.of0x.cc/netsh-portproxy-code/", - "https://www.dfirnotes.net/portproxy_detection/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ @@ -18609,10 +18612,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", - "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], "tags": [ @@ -18676,9 +18679,9 @@ "value": "Terminal Service Process Spawn" }, { - "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.", + "description": "Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.\n", "meta": { - "author": "pH-T (Nextron Systems)", + "author": "pH-T (Nextron Systems), Sittikorn Sangrattanapitak", "creation_date": "2023-04-17", "falsepositive": [ "Unlikely" @@ -18689,6 +18692,7 @@ "logsource.product": "windows", "refs": [ "https://github.com/ly4k/Certipy", + "https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml" ], "tags": [ @@ -18722,10 +18726,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", - "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", - "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], "tags": [ @@ -18792,8 +18796,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cloudflare/cloudflared", "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", + "https://github.com/cloudflare/cloudflared", "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], @@ -19301,8 +19305,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], @@ -19361,11 +19365,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/885570278637678592", - "https://twitter.com/Hexacorn/status/885553465417756673", "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", - "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://twitter.com/Hexacorn/status/885553465417756673", "https://twitter.com/vysecurity/status/885545634958385153", + "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://twitter.com/Hexacorn/status/885570278637678592", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], "tags": [ @@ -19454,8 +19458,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ @@ -19488,8 +19492,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/wusa.exe/", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://www.echotrail.io/insights/search/wusa.exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" ], "tags": [ @@ -19662,8 +19666,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" ], "tags": [ @@ -19754,8 +19758,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/decoder-it/LocalPotato", "https://www.localpotato.com/localpotato_html/LocalPotato.html", + "https://github.com/decoder-it/LocalPotato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml" ], "tags": [ @@ -20140,8 +20144,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://pentestlab.blog/tag/svchost/", + "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml" ], "tags": [ @@ -20174,8 +20178,8 @@ "logsource.product": "windows", "refs": [ "https://www.mandiant.com/resources/blog/lnk-between-browsers", - "https://emkc.org/s/RJjuLa", "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml" ], "tags": [ @@ -20208,8 +20212,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml" ], "tags": [ @@ -20308,9 +20312,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bash/", "https://linux.die.net/man/1/bash", "Internal Research", + "https://lolbas-project.github.io/lolbas/Binaries/Bash/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" ], "tags": [ @@ -20411,9 +20415,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", - "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", + "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml" ], "tags": [ @@ -20513,9 +20517,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml" ], "tags": [ @@ -20571,10 +20575,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", - "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml" ], "tags": [ @@ -20607,8 +20611,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", + "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml" ], "tags": [ @@ -20658,8 +20662,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", + "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml" ], "tags": [ @@ -20734,10 +20738,10 @@ "logsource.product": "windows", "refs": [ "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", - "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", "https://twitter.com/aceresponder/status/1636116096506818562", - "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", + "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", + "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ @@ -20771,9 +20775,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", - "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], "tags": [ @@ -20839,8 +20843,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.youtube.com/watch?v=Ie831jF0bb0", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml" ], "tags": [ @@ -20882,9 +20886,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product", "https://www.yeahhub.com/list-installed-programs-version-path-windows/", - "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" ], "tags": [ @@ -20918,8 +20922,8 @@ "logsource.product": "windows", "refs": [ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://twitter.com/egre55/status/1087685529016193025", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" @@ -20954,8 +20958,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "Internal Research", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml" ], "tags": [ @@ -20988,10 +20992,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", - "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", + "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", + "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml" ], "tags": [ @@ -21024,9 +21028,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", - "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" ], "tags": [ @@ -21130,9 +21134,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", + "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml" ], "tags": [ @@ -21261,6 +21265,39 @@ "uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", "value": "Security Privileges Enumeration Via Whoami.EXE" }, + { + "description": "Detects possible search for JWT tokens via CLI by looking for the string \"eyJ0eX\" or \"eyJhbG\".\nThis string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022-10-25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_jwt_token_search.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mrd0x.com/stealing-tokens-from-office-applications/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml" + ], + "tags": [ + "attack.credential-access", + "attack.t1528" + ] + }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615", + "value": "Potentially Suspicious JWT Token Search Via CLI" + }, { "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", "meta": { @@ -21275,8 +21312,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml" ], "tags": [ @@ -21310,10 +21347,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" ], "tags": [ @@ -21337,8 +21374,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" ], "tags": [ @@ -21460,8 +21497,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml" ], "tags": [ @@ -21621,8 +21658,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://twitter.com/mrd0x/status/1475085452784844803?s=12", + "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" ], "tags": [ @@ -21663,10 +21700,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", - "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml" ], "tags": [ @@ -21755,8 +21792,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", "https://github.com/dsnezhkov/TruffleSnout", + "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" ], @@ -21824,9 +21861,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml" ], @@ -21860,8 +21897,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", + "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml" ], "tags": [ @@ -22110,11 +22147,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://man.openbsd.org/ssh_config#LocalCommand", - "https://gtfobins.github.io/gtfobins/ssh/", - "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", - "https://man.openbsd.org/ssh_config#ProxyCommand", "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://man.openbsd.org/ssh_config#LocalCommand", + "https://man.openbsd.org/ssh_config#ProxyCommand", + "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml" ], "tags": [ @@ -22147,10 +22184,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], "tags": [ @@ -22194,8 +22231,8 @@ "logsource.product": "windows", "refs": [ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.intrinsec.com/apt27-analysis/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ @@ -22435,8 +22472,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" ], @@ -22615,8 +22652,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", + "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml" ], "tags": [ @@ -22750,8 +22787,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://twitter.com/pabraeken/status/993298228840992768", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml" ], "tags": [ @@ -22794,9 +22831,9 @@ "logsource.product": "windows", "refs": [ "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", + "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://redcanary.com/blog/msix-installers/", "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml" ], "tags": [ @@ -22830,9 +22867,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", - "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml" ], "tags": [ @@ -22966,8 +23003,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml" ], "tags": [ @@ -23013,10 +23050,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", - "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", - "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", + "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", + "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", + "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" ], "tags": [ @@ -23223,9 +23260,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", - "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", + "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml" ], "tags": [ @@ -23292,13 +23329,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", - "https://taggart-tech.com/quasar-electron/", - "https://lolbas-project.github.io/lolbas/Binaries/Teams/", - "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", - "https://github.com/mttaggart/quasar", - "https://positive.security/blog/ms-officecmd-rce", "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", + "https://lolbas-project.github.io/lolbas/Binaries/Teams/", + "https://github.com/mttaggart/quasar", + "https://taggart-tech.com/quasar-electron/", + "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", + "https://positive.security/blog/ms-officecmd-rce", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" ], "tags": [ @@ -23354,8 +23391,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" ], @@ -23456,8 +23493,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://twitter.com/Oddvarmoe/status/1641712700605513729", + "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml" ], "tags": [ @@ -23480,11 +23517,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml" ], "tags": [ @@ -23517,13 +23554,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.huntress.com/blog/attacking-mssql-servers-pt-ii", + "https://asec.ahnlab.com/en/78944/", "https://www.huntress.com/blog/attacking-mssql-servers", "https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/", - "https://asec.ahnlab.com/en/61000/", "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", - "https://asec.ahnlab.com/en/78944/", + "https://www.huntress.com/blog/attacking-mssql-servers-pt-ii", "https://docs.microsoft.com/en-us/sql/tools/bcp-utility", + "https://asec.ahnlab.com/en/61000/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml" ], "tags": [ @@ -23556,9 +23593,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", - "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/binderlabs/DirCreate2System", + "https://www.echotrail.io/insights/search/wermgr.exe", + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml" ], "tags": [ @@ -23904,9 +23941,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" ], "tags": [ @@ -23972,10 +24009,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091", - "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/", - "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/", "https://tria.ge/240521-ynezpagf56/behavioral1", + "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/", + "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/", + "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml" ], "tags": [ @@ -24043,11 +24080,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://twitter.com/cglyer/status/1355171195654709249", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", + "https://twitter.com/cglyer/status/1355171195654709249", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], "tags": [ @@ -24080,8 +24117,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml" ], "tags": [ @@ -24222,9 +24259,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml" ], "tags": [ @@ -24258,8 +24295,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml" ], @@ -24327,8 +24364,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://www.fortiguard.com/threat-signal-report/4718?s=09", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml" ], @@ -24505,8 +24542,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", "https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/", + "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml" ], "tags": [ @@ -24539,8 +24576,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core", + "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml" ], "tags": [ @@ -24573,12 +24610,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", - "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", - "https://github.com/vletoux/pingcastle", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", - "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", + "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", + "https://github.com/vletoux/pingcastle", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", + "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml" ], @@ -24612,9 +24649,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a", + "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml" ], "tags": [ @@ -24648,8 +24685,8 @@ "logsource.product": "windows", "refs": [ "https://www.mandiant.com/resources/blog/lnk-between-browsers", - "https://emkc.org/s/RJjuLa", "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml" ], "tags": [ @@ -24682,11 +24719,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", - "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", + "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], "tags": [ @@ -24763,11 +24800,11 @@ "logsource.product": "windows", "refs": [ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://github.com/Hackndo/lsassy", "https://github.com/CCob/MirrorDump", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", "https://github.com/helpsystems/nanodump", + "https://github.com/Hackndo/lsassy", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml" ], "tags": [ @@ -24800,8 +24837,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/985518877076541440", "https://lolbas-project.github.io/lolbas/Binaries/Print/", + "https://twitter.com/Oddvarmoe/status/985518877076541440", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml" ], "tags": [ @@ -24883,9 +24920,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.php.net/manual/en/features.commandline.php", - "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -24943,8 +24980,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", + "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" ], "tags": [ @@ -24977,8 +25014,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml" ], "tags": [ @@ -25045,8 +25082,8 @@ "logsource.product": "windows", "refs": [ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml" ], "tags": [ @@ -25190,9 +25227,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", "https://twitter.com/Max_Mal_/status/1633863678909874176", "Internal Research", - "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", "https://twitter.com/_JohnHammond/status/1588155401752788994", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml" ], @@ -25349,9 +25386,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", - "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], "tags": [ @@ -25384,9 +25421,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", - "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", + "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" ], "tags": [ @@ -25455,8 +25492,8 @@ "refs": [ "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/defaultnamehere/cookie_crimes/", - "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", + "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" ], "tags": [ @@ -25555,9 +25592,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml" ], "tags": [ @@ -25659,8 +25696,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml" ], "tags": [ @@ -25922,8 +25959,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml" ], "tags": [ @@ -26007,8 +26044,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ShadowChasing1/status/1552595370961944576", "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", + "https://twitter.com/ShadowChasing1/status/1552595370961944576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml" ], "tags": [ @@ -26142,9 +26179,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1211636381086339073", - "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ @@ -26195,8 +26232,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", + "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" ], "tags": [ @@ -26229,12 +26266,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://redcanary.com/blog/raspberry-robin/", - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" ], "tags": [ @@ -26300,8 +26337,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://www.gpg4win.de/documentation.html", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml" ], @@ -26325,8 +26362,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", + "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_remove.yml" ], "tags": [ @@ -26359,10 +26396,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", - "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", + "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", + "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml" ], "tags": [ @@ -26395,8 +26432,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml" ], "tags": [ @@ -26463,8 +26500,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/nettitude/SharpWSUS", - "https://labs.nettitude.com/blog/introducing-sharpwsus/", "https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1", + "https://labs.nettitude.com/blog/introducing-sharpwsus/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml" ], "tags": [ @@ -26531,8 +26568,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml" ], "tags": [ @@ -26758,8 +26795,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/hexacorn/status/1448037865435320323", "https://twitter.com/Gal_B1t/status/1062971006078345217", + "https://twitter.com/hexacorn/status/1448037865435320323", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml" ], "tags": [ @@ -26792,8 +26829,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml" ], "tags": [ @@ -26902,8 +26939,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml" ], "tags": [ @@ -26936,8 +26973,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", + "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml" ], "tags": [ @@ -27063,10 +27100,10 @@ "logsource.product": "windows", "refs": [ "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", - "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", + "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml" ], "tags": [ @@ -27160,8 +27197,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://github.com/antonioCoco/RogueWinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], @@ -27195,8 +27232,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" ], "tags": [ @@ -27270,8 +27307,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/carlospolop/PEASS-ng", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", + "https://github.com/carlospolop/PEASS-ng", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml" ], "tags": [ @@ -27343,8 +27380,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml" ], "tags": [ @@ -27433,8 +27470,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://twitter.com/mrd0x/status/1478116126005641220", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml" ], "tags": [ @@ -27576,12 +27613,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.joeware.net/freetools/tools/adfind/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" ], "tags": [ @@ -27780,10 +27817,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/cloudflare/cloudflared", - "https://www.intrinsec.com/akira_ransomware/", - "https://github.com/cloudflare/cloudflared/releases", "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", + "https://www.intrinsec.com/akira_ransomware/", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "https://github.com/cloudflare/cloudflared/releases", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml" ], "tags": [ @@ -27816,9 +27853,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://twitter.com/nas_bench/status/1534915321856917506", "https://twitter.com/nas_bench/status/1534916659676422152", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml" ], "tags": [ @@ -27894,8 +27931,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://www.gpg4win.de/documentation.html", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml" ], @@ -28021,8 +28058,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml" ], "tags": [ @@ -28055,8 +28092,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/azure/dns/dns-zones-records", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", + "https://learn.microsoft.com/en-us/azure/dns/dns-zones-records", "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], @@ -28341,8 +28378,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", + "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml" ], "tags": [ @@ -28375,8 +28412,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_felamos/status/1179811992841797632", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", + "https://twitter.com/_felamos/status/1179811992841797632", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml" ], "tags": [ @@ -28442,8 +28479,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://anydesk.com/en/changelog/windows", "https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/", + "https://anydesk.com/en/changelog/windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml" ], "tags": [ @@ -28467,9 +28504,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://reaqta.com/2017/11/short-journey-darkvnc/", - "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html", "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html", + "https://reaqta.com/2017/11/short-journey-darkvnc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml" ], "tags": [ @@ -28527,8 +28564,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/0xthirteen/SharpMove/", "https://pentestlab.blog/tag/sharpmove/", + "https://github.com/0xthirteen/SharpMove/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml" ], "tags": [ @@ -28561,12 +28598,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.attackiq.com/2023/09/20/emulating-rhysida/", - "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", - "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", + "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", + "https://www.attackiq.com/2023/09/20/emulating-rhysida/", + "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml" ], "tags": [ @@ -28609,9 +28646,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], "tags": [ @@ -28701,8 +28738,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", "https://github.com/sensepost/impersonate", + "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml" ], "tags": [ @@ -28870,12 +28907,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml" ], @@ -28909,8 +28946,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", + "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml" ], "tags": [ @@ -29010,8 +29047,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", "https://hashcat.net/wiki/doku.php?id=hashcat", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml" ], "tags": [ @@ -29110,8 +29147,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1460815932402679809", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/", + "https://twitter.com/mrd0x/status/1460815932402679809", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml" ], "tags": [ @@ -29145,8 +29182,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml" ], "tags": [ @@ -29180,8 +29217,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", "https://ss64.com/nt/dsacls.html", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ @@ -29214,8 +29251,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" ], "tags": [ @@ -29248,8 +29285,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml" ], "tags": [ @@ -29283,8 +29320,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", "https://twitter.com/EricaZelic/status/1614075109827874817", "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" @@ -29335,9 +29372,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" ], "tags": [ @@ -29370,8 +29407,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", + "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml" ], "tags": [ @@ -29439,14 +29476,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://twitter.com/gN3mes1s/status/941315826107510784", "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://github.com/SigmaHQ/sigma/issues/3742", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ @@ -29564,8 +29601,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/Hexacorn/status/1420053502554951689", + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml" ], "tags": [ @@ -29643,8 +29680,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml" ], "tags": [ @@ -29677,10 +29714,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ @@ -29778,9 +29815,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], "tags": [ @@ -29838,8 +29875,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" ], "tags": [ @@ -29872,8 +29909,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" ], @@ -29976,8 +30013,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], @@ -30011,9 +30048,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", "https://twitter.com/RedDrip7/status/1506480588827467785", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", + "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" ], "tags": [ @@ -30046,9 +30083,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://twitter.com/pabraeken/status/999090532839313408", "https://twitter.com/pabraeken/status/995837734379032576", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" ], "tags": [ @@ -30158,8 +30195,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" ], "tags": [ @@ -30260,17 +30297,17 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", - "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" ], "tags": [ @@ -30370,8 +30407,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml" ], "tags": [ @@ -30447,8 +30484,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", "https://www.echotrail.io/insights/search/msbuild.exe", + "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml" ], "tags": [ @@ -30527,8 +30564,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml" ], "tags": [ @@ -30585,8 +30622,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://www.cobaltstrike.com/help-windows-executable", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://redcanary.com/threat-detection-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" ], @@ -30620,10 +30657,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml", - "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", + "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml" ], "tags": [ @@ -30666,8 +30703,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml" ], "tags": [ @@ -30937,9 +30974,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/tccontre18/status/1480950986650832903", - "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://twitter.com/mrd0x/status/1461041276514623491", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", + "https://twitter.com/tccontre18/status/1480950986650832903", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml" ], "tags": [ @@ -30972,13 +31009,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.softperfect.com/products/networkscanner/", - "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", "https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/", + "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/", + "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf", "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", - "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/", + "https://www.softperfect.com/products/networkscanner/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml" ], "tags": [ @@ -31120,9 +31157,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], "tags": [ @@ -31275,8 +31312,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml" ], "tags": [ @@ -31485,10 +31522,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://twitter.com/ForensicITGuy/status/1334734244120309760", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], "tags": [ @@ -31573,9 +31610,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", "https://twitter.com/bohops/status/994405551751815170", "https://redcanary.com/blog/lateral-movement-winrm-wmi/", + "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" ], "tags": [ @@ -31608,8 +31645,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml" ], "tags": [ @@ -31642,10 +31679,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", - "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", - "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", + "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", + "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", + "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ @@ -31710,8 +31747,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml" ], "tags": [ @@ -31745,8 +31782,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2288", "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", + "https://adsecurity.org/?p=2288", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" ], "tags": [ @@ -31886,8 +31923,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml" ], "tags": [ @@ -31937,8 +31974,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml" ], @@ -32058,8 +32095,8 @@ "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", - "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", + "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" ], "tags": [ @@ -32093,9 +32130,9 @@ "logsource.product": "windows", "refs": [ "https://youtu.be/5mqid-7zp8k?t=2481", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" ], "tags": [ @@ -32220,10 +32257,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" ], "tags": [ @@ -32266,8 +32303,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1182389676876980224", "https://twitter.com/cglyer/status/1182391019633029120", + "https://twitter.com/cglyer/status/1182389676876980224", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" ], "tags": [ @@ -32323,12 +32360,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/22264", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", + "https://isc.sans.edu/diary/22264", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" ], "tags": [ @@ -32371,8 +32408,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://www.fortiguard.com/threat-signal-report/4718?s=09", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml" ], @@ -32406,8 +32443,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/DissectMalware/status/998797808907046913", "https://www.phpied.com/make-your-javascript-a-windows-exe/", + "https://twitter.com/DissectMalware/status/998797808907046913", "https://lolbas-project.github.io/lolbas/Binaries/Jsc/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml" ], @@ -32661,9 +32698,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", - "https://github.com/grayhatkiller/SharpExShell", "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922", + "https://github.com/grayhatkiller/SharpExShell", + "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml" ], "tags": [ @@ -32696,9 +32733,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], "tags": [ @@ -32931,10 +32968,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://twitter.com/nas_bench/status/1535322450858233858", "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", - "https://twitter.com/bohops/status/1276357235954909188?s=12", + "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml" ], "tags": [ @@ -32968,8 +33005,8 @@ "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", - "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://lolbas-project.github.io/lolbas/Binaries/Tar/", + "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml" ], "tags": [ @@ -33011,10 +33048,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", - "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -33106,8 +33143,8 @@ "logsource.product": "windows", "refs": [ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml" ], "tags": [ @@ -33141,14 +33178,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://twitter.com/gN3mes1s/status/941315826107510784", "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://github.com/SigmaHQ/sigma/issues/3742", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ @@ -33213,9 +33250,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], "tags": [ @@ -33329,9 +33366,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.scythe.io/library/threat-emulation-qakbot", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", + "https://www.scythe.io/library/threat-emulation-qakbot", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml" ], "tags": [ @@ -33388,8 +33425,8 @@ "logsource.product": "windows", "refs": [ "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", - "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf", "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", + "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" ], "tags": [ @@ -33424,9 +33461,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml" ], "tags": [ @@ -33529,8 +33566,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/sensepost/ruler", - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml" ], "tags": [ @@ -33729,10 +33766,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/lefterispan/status/1286259016436514816", "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml" ], "tags": [ @@ -33765,8 +33802,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/3proxy/3proxy", + "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml" ], "tags": [ @@ -33833,10 +33870,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", - "https://twitter.com/mrd0x/status/1511489821247684615", "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", "https://twitter.com/mrd0x/status/1511415432888131586", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", + "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" ], "tags": [ @@ -33948,10 +33985,10 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", - "https://twitter.com/nao_sec/status/1530196847679401984", - "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ @@ -33992,8 +34029,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml", "https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-", + "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml" ], "tags": [ @@ -34036,8 +34073,8 @@ "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], "tags": [ @@ -34093,9 +34130,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.exploit-db.com/exploits/37525", "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", - "https://www.exploit-db.com/exploits/37525", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], "tags": [ @@ -34195,11 +34232,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/", - "https://github.com/AlessandroZ/LaZagne/tree/master", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf", - "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/", + "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/", + "https://github.com/AlessandroZ/LaZagne/tree/master", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml" ], "tags": [ @@ -34256,8 +34293,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" ], "tags": [ @@ -34390,8 +34427,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", + "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml" ], "tags": [ @@ -34424,8 +34461,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", "https://ss64.com/nt/netsh.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml" ], "tags": [ @@ -34458,10 +34495,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", - "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" ], "tags": [ @@ -34494,10 +34531,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/", "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/", "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/", - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml" ], "tags": [ @@ -34563,8 +34600,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://ss64.com/nt/mklink.html", + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml" ], "tags": [ @@ -34643,9 +34680,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" ], @@ -34789,12 +34826,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", + "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml" ], "tags": [ @@ -34869,8 +34906,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securityxploded.com/", "https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", + "https://securityxploded.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml" ], "tags": [ @@ -34903,10 +34940,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/defaultnamehere/cookie_crimes/", - "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", "https://github.com/wunderwuzzi23/firefox-cookiemonster", + "https://github.com/defaultnamehere/cookie_crimes/", "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", + "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" ], "tags": [ @@ -35142,9 +35179,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", - "https://nmap.org/ncat/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://nmap.org/ncat/", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml" ], "tags": [ @@ -35403,9 +35440,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml" ], "tags": [ @@ -35462,11 +35499,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://en.wikipedia.org/wiki/Hangul_(word_processor)", "https://twitter.com/cyberwar_15/status/1187287262054076416", "https://blog.alyac.co.kr/1901", "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", - "https://en.wikipedia.org/wiki/Hangul_(word_processor)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], "tags": [ @@ -35517,11 +35554,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive", "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", - "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive", "https://twitter.com/0gtweet/status/1299071304805560321?s=21", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml" ], "tags": [ @@ -35621,9 +35658,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", - "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml" ], "tags": [ @@ -35679,8 +35716,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml" ], "tags": [ @@ -35713,8 +35750,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt", "https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt", + "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt", "https://twitter.com/n1nj4sec/status/1421190238081277959", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" ], @@ -35739,8 +35776,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", "https://twitter.com/vysecurity/status/977198418354491392", + "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml" ], "tags": [ @@ -35781,9 +35818,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml" ], "tags": [ @@ -35839,8 +35876,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" ], "tags": [ @@ -35965,8 +36002,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", + "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml" ], "tags": [ @@ -35999,8 +36036,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml" ], @@ -36034,12 +36071,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", - "https://twitter.com/eral4m/status/1479080793003671557", - "https://twitter.com/nas_bench/status/1433344116071583746", - "https://twitter.com/Hexacorn/status/885258886428725250", - "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", "https://twitter.com/eral4m/status/1479106975967240209", + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://twitter.com/Hexacorn/status/885258886428725250", + "https://twitter.com/nas_bench/status/1433344116071583746", + "https://twitter.com/eral4m/status/1479080793003671557", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" ], "tags": [ @@ -36138,9 +36175,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", - "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml" ], "tags": [ @@ -36230,8 +36267,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", + "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml" ], "tags": [ @@ -36267,11 +36304,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ @@ -36403,8 +36440,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/quarkslab/quarkspwdump", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml" ], "tags": [ @@ -36479,9 +36516,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml" ], "tags": [ @@ -36682,8 +36719,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/", + "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml" ], "tags": [ @@ -36922,8 +36959,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ber_m1ng/status/1397948048135778309", "https://www.cobaltstrike.com/help-opsec", + "https://twitter.com/ber_m1ng/status/1397948048135778309", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml" ], "tags": [ @@ -37022,11 +37059,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://twitter.com/0gtweet/status/1628720819537936386", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml" ], "tags": [ @@ -37061,9 +37098,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://docs.python.org/3/using/cmdline.html#cmdoption-c", "https://www.revshells.com/", + "https://docs.python.org/3/using/cmdline.html#cmdoption-c", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml" ], "tags": [ @@ -37219,9 +37256,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cloudflare/cloudflared", - "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://www.intrinsec.com/akira_ransomware/", + "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "https://github.com/cloudflare/cloudflared", "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml" ], @@ -37337,9 +37374,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html", "https://lab52.io/blog/winter-vivern-all-summer/", "https://hatching.io/blog/powershell-analysis/", - "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" ], "tags": [ @@ -37439,10 +37476,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", - "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://twitter.com/Z3Jpa29z/status/1317545798981324801", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml" ], "tags": [ @@ -37526,9 +37563,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml" ], "tags": [ @@ -37594,9 +37631,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", + "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml" ], "tags": [ @@ -37645,9 +37682,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://twitter.com/nas_bench/status/1534957360032120833", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", + "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml" ], "tags": [ @@ -37763,8 +37800,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml" ], "tags": [ @@ -37933,8 +37970,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", + "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml" ], "tags": [ @@ -38053,9 +38090,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", - "https://twitter.com/mattifestation/status/1196390321783025666", "https://twitter.com/oulusoyum/status/1191329746069655553", + "https://twitter.com/mattifestation/status/1196390321783025666", + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], "tags": [ @@ -38276,8 +38313,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", + "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml" ], "tags": [ @@ -38311,8 +38348,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1457676633809330184", "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", + "https://twitter.com/0gtweet/status/1457676633809330184", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml" ], "tags": [ @@ -38411,10 +38448,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nodejs.org/api/cli.html", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", + "https://nodejs.org/api/cli.html", + "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ @@ -38448,8 +38485,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml" ], "tags": [ @@ -38472,9 +38509,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", - "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", + "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", + "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml" ], "tags": [ @@ -38508,9 +38545,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://badoption.eu/blog/2023/01/31/code_c2.html", - "https://code.visualstudio.com/docs/remote/tunnels", "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://code.visualstudio.com/docs/remote/tunnels", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml" ], "tags": [ @@ -38543,8 +38580,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml" ], "tags": [ @@ -38600,24 +38637,24 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://adsecurity.org/?p=2921", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/besimorhino/powercat", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/samratashok/nishang", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/adrecon/ADRecon", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/HarmJ0y/DAMP", "https://github.com/adrecon/AzureADRecon", "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/besimorhino/powercat", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/samratashok/nishang", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml" ], "tags": [ @@ -38800,8 +38837,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", - "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html", "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", + "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml" ], "tags": [ @@ -38868,8 +38905,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", "https://twitter.com/SBousseaden/status/1278977301745741825", + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml" ], "tags": [ @@ -39189,10 +39226,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/cloudflare/cloudflared", - "https://www.intrinsec.com/akira_ransomware/", - "https://github.com/cloudflare/cloudflared/releases", "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", + "https://www.intrinsec.com/akira_ransomware/", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "https://github.com/cloudflare/cloudflared/releases", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml" ], "tags": [ @@ -39375,9 +39412,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", "https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://twitter.com/pabraeken/status/990758590020452353", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], "tags": [ @@ -39467,10 +39504,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/lefterispan/status/1286259016436514816", "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml" ], "tags": [ @@ -39605,10 +39642,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", - "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", - "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", + "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", + "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", + "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml" ], "tags": [ @@ -39642,8 +39679,8 @@ "logsource.product": "windows", "refs": [ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml" ], "tags": [ @@ -39734,12 +39771,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", "https://www.localpotato.com/", - "https://github.com/ohpe/juicy-potato", - "https://pentestlab.blog/2017/04/13/hot-potato/", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://github.com/ohpe/juicy-potato", + "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", + "https://pentestlab.blog/2017/04/13/hot-potato/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], "tags": [ @@ -39840,12 +39877,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], "tags": [ @@ -39886,9 +39923,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", + "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml" ], "tags": [ @@ -40057,8 +40094,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" ], "tags": [ @@ -40196,13 +40233,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.softwaretestinghelp.com/how-to-use-ngrok/", "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", "https://ngrok.com/docs", - "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", - "https://twitter.com/xorJosh/status/1598646907802451969", - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://www.softwaretestinghelp.com/how-to-use-ngrok/", "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://twitter.com/xorJosh/status/1598646907802451969", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], "tags": [ @@ -40338,9 +40375,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml" ], "tags": [ @@ -40410,8 +40447,8 @@ "logsource.product": "windows", "refs": [ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://twitter.com/0gtweet/status/1628720819537936386", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], "tags": [ @@ -40521,8 +40558,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" ], @@ -40622,8 +40659,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml" ], "tags": [ @@ -40794,11 +40831,11 @@ "logsource.product": "windows", "refs": [ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://twitter.com/egre55/status/1087685529016193025", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], "tags": [ @@ -40833,8 +40870,8 @@ "refs": [ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://twitter.com/hFireF0X/status/897640081053364225", - "https://github.com/hfiref0x/UACME", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" ], "tags": [ @@ -40879,8 +40916,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", + "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml" ], "tags": [ @@ -40957,15 +40994,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2017/05/wannacry.html", "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/Neo23x0/Raccine#the-process", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://blog.talosintelligence.com/2017/05/wannacry.html", + "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" ], "tags": [ @@ -41040,9 +41077,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://badoption.eu/blog/2023/01/31/code_c2.html", - "https://code.visualstudio.com/docs/remote/tunnels", "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://code.visualstudio.com/docs/remote/tunnels", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml" ], "tags": [ @@ -41227,9 +41264,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", + "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ @@ -41263,9 +41300,9 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", - "https://adsecurity.org/?p=2604", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", + "https://adsecurity.org/?p=2604", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -41298,9 +41335,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], "tags": [ @@ -41497,8 +41534,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1474899714290208777?s=12", "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", + "https://twitter.com/0gtweet/status/1474899714290208777?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml" ], "tags": [ @@ -41531,12 +41568,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/835149808817991680", - "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", + "https://twitter.com/JohnLaTwC/status/835149808817991680", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], "tags": [ @@ -41571,8 +41608,8 @@ "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" ], "tags": [ @@ -41664,10 +41701,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", - "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", - "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://twitter.com/M_haggis/status/1699056847154725107", + "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", + "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", + "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ @@ -41691,8 +41728,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/mshta.exe", "https://en.wikipedia.org/wiki/HTML_Application", + "https://www.echotrail.io/insights/search/mshta.exe", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], @@ -41726,9 +41763,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/fireeye/DueDLLigence", "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", + "https://github.com/fireeye/DueDLLigence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ @@ -41846,9 +41883,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", - "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", + "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", + "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], @@ -41915,16 +41952,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://twitter.com/_xpn_/status/1268712093928378368", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://bunnyinside.com/?term=f71e8cb9c76a", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], "tags": [ @@ -41980,11 +42017,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", - "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script", - "https://twitter.com/mattifestation/status/1326228491302563846", "http://blog.sevagas.com/?Hacking-around-HTA-files", + "https://twitter.com/mattifestation/status/1326228491302563846", + "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], "tags": [ @@ -42035,15 +42072,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", - "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", - "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", - "https://www.group-ib.com/blog/apt41-world-tour-2021/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", + "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", + "https://www.group-ib.com/blog/apt41-world-tour-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml" ], "tags": [ @@ -42246,10 +42283,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], "tags": [ @@ -42308,9 +42345,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml" ], "tags": [ @@ -42344,10 +42381,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], "tags": [ @@ -42456,13 +42493,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://www.cobaltstrike.com/help-opsec", + "https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", + "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", "https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool", - "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" ], "tags": [ @@ -42551,9 +42588,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], "tags": [ @@ -42656,8 +42693,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://twitter.com/pabraeken/status/991335019833708544", + "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" ], "tags": [ @@ -42733,9 +42770,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", - "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/binderlabs/DirCreate2System", + "https://www.echotrail.io/insights/search/wermgr.exe", + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml" ], "tags": [ @@ -42758,8 +42795,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -42857,8 +42894,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/gootloader/", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://redcanary.com/blog/gootloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml" ], "tags": [ @@ -42899,8 +42936,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" ], "tags": [ @@ -42957,8 +42994,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", + "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], "tags": [ @@ -43083,8 +43120,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", + "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml" ], "tags": [ @@ -43120,8 +43157,8 @@ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://twitter.com/pfiatde/status/1681977680688738305", - "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", + "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -43221,8 +43258,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml" ], "tags": [ @@ -43356,9 +43393,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://www.activecyber.us/activelabs/windows-uac-bypass", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", "https://twitter.com/ReaQta/status/1222548288731217921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" ], @@ -43426,9 +43463,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/issues/1009", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" ], "tags": [ @@ -43618,8 +43655,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" ], "tags": [ @@ -43718,8 +43755,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://o365blog.com/aadinternals/", "https://github.com/Gerenios/AADInternals", + "https://o365blog.com/aadinternals/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -43804,8 +43841,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" ], "tags": [ @@ -43946,8 +43983,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", + "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml" ], "tags": [ @@ -43970,9 +44007,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], "tags": [ @@ -44139,8 +44176,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", + "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" ], "tags": [ @@ -44164,8 +44201,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://twitter.com/pabraeken/status/993298228840992768", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ @@ -44274,8 +44311,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", "https://support.anydesk.com/Automatic_Deployment", + "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml" ], "tags": [ @@ -44341,9 +44378,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", "https://kb.acronis.com/content/60892", "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", + "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml" ], "tags": [ @@ -44408,8 +44445,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" ], "tags": [ @@ -44477,9 +44514,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml" ], "tags": [ @@ -44512,8 +44549,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1477925112561209344", "https://twitter.com/wdormann/status/1478011052130459653?s=20", + "https://twitter.com/0gtweet/status/1477925112561209344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml" ], "tags": [ @@ -44537,8 +44574,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", "https://twitter.com/_st0pp3r_/status/1583914515996897281", + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" ], "tags": [ @@ -44705,8 +44742,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml" ], "tags": [ @@ -44739,8 +44776,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml" ], "tags": [ @@ -44773,11 +44810,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", + "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], "tags": [ @@ -44827,10 +44864,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml" ], "tags": [ @@ -45013,12 +45050,12 @@ "logsource.product": "windows", "refs": [ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", - "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://twitter.com/Hexacorn/status/1224848930795552769", - "https://twitter.com/Wietze/status/1542107456507203586", + "https://twitter.com/SBousseaden/status/1167417096374050817", "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", - "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://twitter.com/Wietze/status/1542107456507203586", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], "tags": [ @@ -45061,9 +45098,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", - "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" ], "tags": [ @@ -45096,8 +45133,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml" ], "tags": [ @@ -45166,8 +45203,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://ss64.com/nt/for.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://ss64.com/ps/foreach-object.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" ], @@ -45210,9 +45247,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/tccontre18/status/1480950986650832903", - "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://twitter.com/mrd0x/status/1461041276514623491", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", + "https://twitter.com/tccontre18/status/1480950986650832903", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml" ], "tags": [ @@ -45245,8 +45282,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", + "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml" ], "tags": [ @@ -45279,8 +45316,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", + "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml" ], "tags": [ @@ -45499,8 +45536,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml" ], "tags": [ @@ -45556,8 +45593,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", + "https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml" ], "tags": [ @@ -45662,11 +45699,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", - "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", - "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", - "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", + "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", + "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", + "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", + "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], "tags": [ @@ -45810,8 +45847,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", + "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" ], "tags": [ @@ -45844,11 +45881,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], "tags": [ @@ -45881,10 +45918,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", - "https://twitter.com/mattifestation/status/986280382042595328", - "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://atomicredteam.io/defense-evasion/T1220/", + "https://twitter.com/mattifestation/status/986280382042595328", + "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", + "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" ], "tags": [ @@ -46107,12 +46144,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", - "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", - "https://github.com/vletoux/pingcastle", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", - "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", + "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", + "https://github.com/vletoux/pingcastle", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", + "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml" ], @@ -46146,8 +46183,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml" ], "tags": [ @@ -46222,8 +46259,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1183756892952248325", "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", + "https://twitter.com/cglyer/status/1183756892952248325", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml" ], "tags": [ @@ -46290,8 +46327,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml" ], "tags": [ @@ -46324,8 +46361,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/skelsec/pypykatz", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", + "https://github.com/skelsec/pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml" ], "tags": [ @@ -46434,8 +46471,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", "https://nmap.org/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml" ], "tags": [ @@ -46469,10 +46506,10 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/980659399495741441", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://twitter.com/JohnLaTwC/status/1223292479270600706", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://twitter.com/JohnLaTwC/status/1223292479270600706", + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], "tags": [ @@ -46505,8 +46542,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml" ], "tags": [ @@ -46640,9 +46677,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], "tags": [ @@ -46675,8 +46712,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", + "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" ], "tags": [ @@ -46817,11 +46854,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_JohnHammond/status/1708910264261980634", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://twitter.com/_JohnHammond/status/1708910264261980634", "https://twitter.com/egre55/status/1087685529016193025", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" ], @@ -46897,9 +46934,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://twitter.com/christophetd/status/1164506034720952320", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" @@ -47034,8 +47071,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" ], @@ -47059,9 +47096,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml" ], "tags": [ @@ -47146,9 +47183,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml" ], "tags": [ @@ -47230,8 +47267,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml" ], "tags": [ @@ -47514,8 +47551,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", + "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml" ], "tags": [ @@ -47582,12 +47619,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://lolbas-project.github.io/lolbas/Binaries/Teams/", + "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", "https://positive.security/blog/ms-officecmd-rce", - "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", - "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml" ], "tags": [ @@ -47652,8 +47689,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", + "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml" ], "tags": [ @@ -47695,8 +47732,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/hackvens/CoercedPotato", "https://blog.hackvens.fr/articles/CoercedPotato.html", + "https://github.com/hackvens/CoercedPotato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml" ], "tags": [ @@ -47730,8 +47767,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", + "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml" ], "tags": [ @@ -47898,11 +47935,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", - "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", "https://twitter.com/max_mal_/status/1542461200797163522", + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", + "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" ], "tags": [ @@ -48029,8 +48066,8 @@ "logsource.product": "windows", "refs": [ "https://boinc.berkeley.edu/", - "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details", "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software", + "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml" ], "tags": [ @@ -48106,8 +48143,8 @@ "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" ], "tags": [ @@ -48199,8 +48236,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml" ], "tags": [ @@ -48296,9 +48333,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md", "https://securelist.com/locked-out/68960/", "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml" ], "tags": [ @@ -48364,10 +48401,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", + "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" ], "tags": [ @@ -48480,8 +48517,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml" ], "tags": [ @@ -48538,8 +48575,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/eral4m/status/1451112385041911809", "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", + "https://twitter.com/eral4m/status/1451112385041911809", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml" ], "tags": [ @@ -48662,8 +48699,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" ], @@ -48720,9 +48757,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/mrd0x/status/1511415432888131586", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://twitter.com/mrd0x/status/1511489821247684615", - "https://twitter.com/mrd0x/status/1511415432888131586", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml" ], "tags": [ @@ -48940,9 +48977,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://twitter.com/0gtweet/status/1583356502340870144", - "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml" ], @@ -48984,10 +49021,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" ], "tags": [ @@ -49020,14 +49057,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", - "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -49282,11 +49319,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", - "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", - "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", + "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" ], "tags": [ @@ -49328,10 +49365,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://vms.drweb.fr/virus/?i=24144899", - "https://twitter.com/JohnLaTwC/status/1415295021041979392", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", + "https://twitter.com/JohnLaTwC/status/1415295021041979392", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" ], "tags": [ @@ -49364,8 +49401,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/software/S0404/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", + "https://attack.mitre.org/software/S0404/", "https://twitter.com/vxunderground/status/1423336151860002816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml" ], @@ -49449,8 +49486,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" ], "tags": [ @@ -49504,8 +49541,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", + "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml" ], "tags": [ @@ -49547,8 +49584,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://processhacker.sourceforge.io/", "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "https://processhacker.sourceforge.io/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml" ], "tags": [ @@ -49600,8 +49637,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", + "https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" ], "tags": [ @@ -49636,8 +49673,8 @@ "refs": [ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://twitter.com/nas_bench/status/1537896324837781506", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], "tags": [ @@ -49670,8 +49707,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://asec.ahnlab.com/en/38156/", "https://github.com/fatedier/frp", + "https://asec.ahnlab.com/en/38156/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml" ], "tags": [ @@ -49704,9 +49741,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt", "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt", "Internal Research", + "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml" ], "tags": [ @@ -49828,8 +49865,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml" ], "tags": [ @@ -49964,8 +50001,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", "https://twitter.com/harr0ey/status/989617817849876488", + "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml" ], "tags": [ @@ -49998,9 +50035,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", - "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ @@ -50159,9 +50196,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/fr0s7_/status/1712780207105404948", - "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", + "https://twitter.com/fr0s7_/status/1712780207105404948", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml" ], "tags": [ @@ -50184,10 +50221,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml" ], "tags": [ @@ -50397,8 +50434,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.poweradmin.com/paexec/", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" ], "tags": [ @@ -50466,8 +50503,8 @@ "logsource.product": "windows", "refs": [ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -50542,8 +50579,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blackpointcyber.com/resources/blog/breaking-through-the-screen/", "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8", + "https://blackpointcyber.com/resources/blog/breaking-through-the-screen/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml" ], "tags": [ @@ -50576,8 +50613,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], @@ -50611,8 +50648,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml" ], "tags": [ @@ -50711,9 +50748,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", - "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", + "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml" ], "tags": [ @@ -50733,39 +50770,6 @@ "uuid": "98dedfdd-8333-49d4-9f23-d7018cccae53", "value": "Enable LM Hash Storage - ProcCreation" }, - { - "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022-10-25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_office_token_search.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://mrd0x.com/stealing-tokens-from-office-applications/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml" - ], - "tags": [ - "attack.credential-access", - "attack.t1528" - ] - }, - "related": [ - { - "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615", - "value": "Suspicious Office Token Search Via CLI" - }, { "description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n", "meta": { @@ -50779,9 +50783,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173", "https://github.com/Ylianst/MeshAgent", "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55", - "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml" ], "tags": [ @@ -50891,9 +50895,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/electron/rcedit", - "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", + "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", + "https://github.com/electron/rcedit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" ], "tags": [ @@ -50984,13 +50988,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.joeware.net/freetools/tools/adfind/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" ], "tags": [ @@ -51048,8 +51052,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", "https://sourceforge.net/projects/mouselock/", + "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml" ], "tags": [ @@ -51083,9 +51087,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", "https://twitter.com/0gtweet/status/1564968845726580736", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], "tags": [ @@ -51202,12 +51206,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup", + "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml" ], "tags": [ @@ -51282,8 +51286,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml" ], "tags": [ @@ -51317,8 +51321,8 @@ "logsource.product": "windows", "refs": [ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", - "https://github.com/jpillora/chisel/", "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", + "https://github.com/jpillora/chisel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml" ], "tags": [ @@ -51385,8 +51389,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", - "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", "https://twitter.com/_felamos/status/1204705548668555264", + "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml" ], "tags": [ @@ -51419,9 +51423,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml" ], "tags": [ @@ -51478,10 +51482,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", - "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", + "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", + "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" ], "tags": [ @@ -51547,9 +51551,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml" ], "tags": [ @@ -51582,8 +51586,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1535431474429808642", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://twitter.com/nas_bench/status/1535431474429808642", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml" ], "tags": [ @@ -51735,8 +51739,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml" ], @@ -51871,8 +51875,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", "https://twitter.com/1ZRR4H/status/1534259727059787783", + "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml" ], "tags": [ @@ -51905,9 +51909,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", - "https://web.archive.org/web/20231210115125/http://www.xuetr.com/", "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "https://web.archive.org/web/20231210115125/http://www.xuetr.com/", + "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml" ], "tags": [ @@ -52006,8 +52010,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/", "https://www.autohotkey.com/download/", + "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml" ], "tags": [ @@ -52490,9 +52494,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", - "https://twitter.com/vysecurity/status/974806438316072960", "https://twitter.com/vysecurity/status/873181705024266241", + "https://twitter.com/vysecurity/status/974806438316072960", + "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml" ], @@ -52661,8 +52665,8 @@ "logsource.product": "windows", "refs": [ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml" ], "tags": [ @@ -52695,8 +52699,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", + "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml" ], "tags": [ @@ -52837,9 +52841,9 @@ "logsource.product": "windows", "refs": [ "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml" ], "tags": [ @@ -52872,9 +52876,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -53135,8 +53139,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://twitter.com/pabraeken/status/993497996179492864", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml" ], "tags": [ @@ -53170,8 +53174,8 @@ "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", - "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://lolbas-project.github.io/lolbas/Binaries/Tar/", + "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml" ], "tags": [ @@ -53383,9 +53387,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", "https://github.com/tevora-threat/SharpView/", "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml" ], "tags": [ @@ -53595,8 +53599,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/1270633613449723905", "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", + "https://twitter.com/Oddvarmoe/status/1270633613449723905", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml" ], "tags": [ @@ -53629,9 +53633,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://badoption.eu/blog/2023/01/31/code_c2.html", - "https://code.visualstudio.com/docs/remote/tunnels", "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://code.visualstudio.com/docs/remote/tunnels", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml" ], "tags": [ @@ -53665,8 +53669,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", + "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml" ], "tags": [ @@ -53733,8 +53737,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", + "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml" ], "tags": [ @@ -53776,8 +53780,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml" ], "tags": [ @@ -53811,9 +53815,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml" ], "tags": [ @@ -53980,8 +53984,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml" ], "tags": [ @@ -54014,10 +54018,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode", "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior", - "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html", "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode", + "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml" ], "tags": [ @@ -54050,9 +54054,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/countuponsec/status/910969424215232518", "https://twitter.com/countuponsec/status/910977826853068800", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", + "https://twitter.com/countuponsec/status/910969424215232518", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], "tags": [ @@ -54085,10 +54089,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.elastic.co/security-labs/operation-bleeding-bear", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://twitter.com/splinter_code/status/1483815103279603714", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], "tags": [ @@ -54157,8 +54161,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://pentestlab.blog/tag/svchost/", + "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml" ], "tags": [ @@ -54263,8 +54267,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", "https://twitter.com/0gtweet/status/1206692239839289344", + "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml" ], "tags": [ @@ -54396,8 +54400,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/SharpImpersonation", "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/", + "https://github.com/S3cur3Th1sSh1t/SharpImpersonation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml" ], "tags": [ @@ -54439,9 +54443,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://www.joeware.net/freetools/tools/adfind/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml" ], "tags": [ @@ -54533,12 +54537,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml" ], @@ -54574,11 +54578,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", "https://twitter.com/gN3mes1s/status/1206874118282448897", - "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml" ], "tags": [ @@ -54748,8 +54752,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1359039665232306183?s=21", "https://ss64.com/nt/logman.html", + "https://twitter.com/0gtweet/status/1359039665232306183?s=21", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml" ], "tags": [ @@ -54881,8 +54885,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml" ], "tags": [ @@ -54915,9 +54919,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", - "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://github.com/LOLBAS-Project/LOLBAS/pull/151", + "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", + "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml" ], "tags": [ @@ -54993,8 +54997,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1562072617552678912", "https://ss64.com/nt/cmd.html", + "https://twitter.com/cyb3rops/status/1562072617552678912", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml" ], "tags": [ @@ -55027,8 +55031,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", "https://twitter.com/Moriarty_Meng/status/984380793383370752", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml" ], "tags": [ @@ -55163,8 +55167,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" ], "tags": [ @@ -55364,9 +55368,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", + "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml" ], "tags": [ @@ -55399,10 +55403,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://zero2auto.com/2020/05/19/netwalker-re/", - "https://redcanary.com/blog/yellow-cockatoo/", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://mez0.cc/posts/cobaltstrike-powershell-exec/", + "https://redcanary.com/blog/yellow-cockatoo/", + "https://zero2auto.com/2020/05/19/netwalker-re/", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ @@ -55529,9 +55533,9 @@ "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ + "https://github.com/RiccardoAncarani/LiquidSnake", "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", - "https://github.com/RiccardoAncarani/LiquidSnake", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ @@ -55564,8 +55568,8 @@ "logsource.category": "process_tampering", "logsource.product": "windows", "refs": [ - "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20", "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/", + "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml" ], "tags": [ @@ -55632,8 +55636,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" ], "tags": [ @@ -55675,9 +55679,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://cydefops.com/vscode-data-exfiltration", - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://cydefops.com/vscode-data-exfiltration", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml" ], "tags": [ @@ -55890,8 +55894,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.ietf.org/rfc/rfc2821.txt", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", + "https://www.ietf.org/rfc/rfc2821.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" ], "tags": [ @@ -55967,10 +55971,10 @@ "logsource.product": "windows", "refs": [ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", - "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", - "https://github.com/looCiprian/GC2-sheet", "https://youtu.be/n2dFlSaBBKo", "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", + "https://github.com/looCiprian/GC2-sheet", + "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml" ], "tags": [ @@ -56037,8 +56041,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" ], "tags": [ @@ -56104,9 +56108,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://github.com/rapid7/metasploit-framework/issues/11337", "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2", "https://portmap.io/", - "https://github.com/rapid7/metasploit-framework/issues/11337", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_portmap.yml" ], "tags": [ @@ -56217,8 +56221,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", "https://pypi.org/project/scapy/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" ], "tags": [ @@ -56251,9 +56255,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", - "Internal Research", "https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/", + "Internal Research", + "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml" ], "tags": [ @@ -56454,11 +56458,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://twitter.com/M_haggis/status/900741347035889665", "https://twitter.com/M_haggis/status/1032799638213066752", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml" ], "tags": [ @@ -56524,8 +56528,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet", "https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", + "https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad.yml" ], "tags": [ @@ -56595,10 +56599,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/", - "https://tria.ge/240301-rk34sagf5x/behavioral2", - "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html", "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d", + "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/", + "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html", + "https://tria.ge/240301-rk34sagf5x/behavioral2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml" ], "tags": [ @@ -56654,10 +56658,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://ngrok.com/blog-post/new-ngrok-domains", - "https://ngrok.com/", "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", + "https://ngrok.com/", "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", + "https://ngrok.com/blog-post/new-ngrok-domains", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml" ], "tags": [ @@ -56690,8 +56694,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md", "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c", + "https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml" ], "tags": [ @@ -56724,9 +56728,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.poolwatch.io/coin/monero", - "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files", "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt", + "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files", + "https://www.poolwatch.io/coin/monero", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml" ], "tags": [ @@ -56835,10 +56839,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/", "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", + "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml" ], "tags": [ @@ -56879,8 +56883,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", + "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml" ], "tags": [ @@ -57177,8 +57181,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/forensicitguy/status/1513538712986079238", - "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/", + "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" ], "tags": [ @@ -57212,9 +57216,9 @@ "logsource.product": "windows", "refs": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md", + "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml" ], "tags": [ @@ -57349,12 +57353,12 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", - "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", - "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/", - "https://twitter.com/kleiton0x7e/status/1600567316810551296", "https://github.com/kleiton0x00/RedditC2", "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", + "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/", + "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://twitter.com/kleiton0x7e/status/1600567316810551296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml" ], "tags": [ @@ -57617,8 +57621,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml" ], "tags": [ @@ -57652,10 +57656,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1535142803075960832", - "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml" ], "tags": [ @@ -57757,10 +57761,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml" ], "tags": [ @@ -57794,9 +57798,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker", "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], "tags": [ @@ -58028,9 +58032,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule", "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170", + "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml" ], "tags": [ @@ -58447,9 +58451,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/_dirkjan/status/1309214379003588608", - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -58648,9 +58652,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", - "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" ], "tags": [ @@ -58683,8 +58687,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" ], "tags": [ @@ -58913,8 +58917,8 @@ "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", - "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://twitter.com/SBousseaden/status/1490608838701166596", + "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" ], "tags": [ @@ -59201,10 +59205,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], "tags": [ @@ -59227,10 +59231,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", - "https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all", "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", + "https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ @@ -59574,9 +59578,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/topotam/PetitPotam", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", + "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" ], "tags": [ @@ -59676,8 +59680,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=3513", "https://www.trustedsec.com/blog/art_of_kerberoast/", + "https://adsecurity.org/?p=3513", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_kerberoasting_activity.yml" ], "tags": [ @@ -59710,16 +59714,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://twitter.com/_xpn_/status/1268712093928378368", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://bunnyinside.com/?term=f71e8cb9c76a", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -59802,9 +59806,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.secureworks.com/blog/ransomware-as-a-distraction", "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html", "https://twitter.com/menasec1/status/1106899890377052160", - "https://www.secureworks.com/blog/ransomware-as-a-distraction", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" ], "tags": [ @@ -59879,9 +59883,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://adsecurity.org/?p=3466", "https://msdn.microsoft.com/en-us/library/cc220234.aspx", - "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" ], "tags": [ @@ -60022,9 +60026,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://www.sans.org/webcasts/119395", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://www.sans.org/webcasts/119395", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], "tags": [ @@ -60075,9 +60079,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48", - "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -60110,10 +60114,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://twitter.com/MsftSecIntel/status/1257324139515269121", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", + "https://twitter.com/MsftSecIntel/status/1257324139515269121", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" ], "tags": [ @@ -60289,8 +60293,8 @@ "logsource.product": "windows", "refs": [ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" ], "tags": [ @@ -60350,8 +60354,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1581300963650187264?", - "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ @@ -60418,8 +60422,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2053", "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", + "https://adsecurity.org/?p=2053", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" ], "tags": [ @@ -60452,8 +60456,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" ], "tags": [ @@ -60487,8 +60491,8 @@ "logsource.product": "windows", "refs": [ "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", - "Live environment caused by malware", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616", + "Live environment caused by malware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -60554,10 +60558,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/deepinstinct/NoFilter", - "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation", "https://x.com/_st0pp3r_/status/1742203752361128162?s=20", + "https://github.com/deepinstinct/NoFilter", "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp", + "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml" ], "tags": [ @@ -60715,9 +60719,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", - "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml" ], "tags": [ @@ -60751,9 +60755,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/SecurityJosh/status/1283027365770276866", "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", - "https://twitter.com/SecurityJosh/status/1283027365770276866", "https://twitter.com/Flangvik/status/1283054508084473861", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], @@ -60862,9 +60866,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", - "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" ], "tags": [ @@ -61287,9 +61291,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" ], "tags": [ @@ -61663,10 +61667,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", - "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], "tags": [ @@ -62103,8 +62107,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml" ], "tags": [ @@ -62171,8 +62175,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml" ], "tags": [ @@ -62247,9 +62251,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", - "https://twitter.com/malmoeb/status/1511760068743766026", "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", + "https://twitter.com/malmoeb/status/1511760068743766026", + "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], "tags": [ @@ -62285,8 +62289,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/topotam/PetitPotam", "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", + "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" ], "tags": [ @@ -62386,11 +62390,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624", - "https://github.com/sensepost/ruler/issues/47", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776", "https://github.com/sensepost/ruler", + "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776", + "https://github.com/sensepost/ruler/issues/47", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" ], "tags": [ @@ -62564,8 +62568,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" ], "tags": [ @@ -62599,8 +62603,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732", + "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml" ], "tags": [ @@ -63159,9 +63163,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", - "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml" ], "tags": [ @@ -63194,11 +63198,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml" ], "tags": [ @@ -63282,8 +63286,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38", "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", + "https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml" ], "tags": [ @@ -63351,11 +63355,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml" ], "tags": [ @@ -63388,10 +63392,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml" ], @@ -63425,9 +63429,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/netero1010/EDRSilencer", "https://github.com/amjcyber/EDRNoiseMaker", "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983", + "https://github.com/netero1010/EDRSilencer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml" ], "tags": [ @@ -63460,9 +63464,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml" ], "tags": [ @@ -63485,9 +63489,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml" ], "tags": [ @@ -63510,9 +63514,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml" ], "tags": [ @@ -63535,9 +63539,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml" ], "tags": [ @@ -63560,9 +63564,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml" ], "tags": [ @@ -63585,9 +63589,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml" ], "tags": [ @@ -63610,9 +63614,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml" ], "tags": [ @@ -63645,9 +63649,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml" ], "tags": [ @@ -63670,10 +63674,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", + "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", "https://twitter.com/SBousseaden/status/1483810148602814466", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations", - "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" ], "tags": [ @@ -63696,9 +63700,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://twitter.com/wdormann/status/1590434950335320065", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml" ], "tags": [ @@ -64397,9 +64401,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml" ], "tags": [ @@ -64432,8 +64436,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/duff22b/status/1280166329660497920", "https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands", + "https://twitter.com/duff22b/status/1280166329660497920", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml" ], "tags": [ @@ -64542,9 +64546,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012", - "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml" ], "tags": [ @@ -64635,8 +64639,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml" ], "tags": [ @@ -64735,9 +64739,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml" ], "tags": [ @@ -64907,10 +64911,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", - "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", + "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml" ], "tags": [ @@ -64985,9 +64989,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml" ], "tags": [ @@ -65062,8 +65066,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://twitter.com/mgreen27/status/1558223256704122882", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml" ], "tags": [ @@ -65096,8 +65100,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://twitter.com/mgreen27/status/1558223256704122882", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml" ], "tags": [ @@ -65120,11 +65124,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/VM_vivisector/status/1217190929330655232", + "https://twitter.com/DidierStevens/status/1217533958096924676", "https://nullsec.us/windows-event-log-audit-cve/", "https://twitter.com/FlemmingRiis/status/1217147415482060800", - "https://twitter.com/VM_vivisector/status/1217190929330655232", "https://www.youtube.com/watch?v=ebmW42YYveI", - "https://twitter.com/DidierStevens/status/1217533958096924676", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml" ], "tags": [ @@ -65274,8 +65278,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", "https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", + "https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml" ], @@ -65323,8 +65327,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/", + "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml" ], "tags": [ @@ -65357,8 +65361,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/", + "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml" ], "tags": [ @@ -65555,8 +65559,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/pull/4467", "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", + "https://github.com/SigmaHQ/sigma/pull/4467", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml" ], "tags": [ @@ -65589,8 +65593,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/pull/4467", "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", + "https://github.com/SigmaHQ/sigma/pull/4467", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml" ], "tags": [ @@ -65621,12 +65625,12 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", - "https://ipurple.team/2024/07/15/sharphound-detection/", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://ipurple.team/2024/07/15/sharphound-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ @@ -65742,8 +65746,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)", "https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml" ], "tags": [ @@ -65898,8 +65902,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", "https://www.secura.com/blog/zero-logon", + "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" ], "tags": [ @@ -66646,9 +66650,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://www.sans.org/webcasts/119395", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://www.sans.org/webcasts/119395", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml" ], "tags": [ @@ -67596,8 +67600,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/wdormann/status/1347958161609809921", - "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", "https://twitter.com/jonasLyk/status/1347900440000811010", + "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml" ], "tags": [ @@ -67663,8 +67667,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Ekultek/BlueKeep", "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/Ekultek/BlueKeep", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml" ], "tags": [ @@ -67698,9 +67702,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml" ], "tags": [ @@ -67733,9 +67737,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml" ], "tags": [ @@ -67916,8 +67920,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml" ], "tags": [ @@ -67952,8 +67956,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml" ], "tags": [ @@ -67988,8 +67992,8 @@ "logsource.product": "windows", "refs": [ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://twitter.com/gentilkiwi/status/861641945944391680", "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", + "https://twitter.com/gentilkiwi/status/861641945944391680", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" ], "tags": [ @@ -68055,8 +68059,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml" ], "tags": [ @@ -68104,11 +68108,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", - "https://winaero.com/enable-openssh-server-windows-10/", "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", + "https://winaero.com/enable-openssh-server-windows-10/", + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], "tags": [ @@ -68128,6 +68132,182 @@ "uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", "value": "OpenSSH Server Listening On Socket" }, + { + "description": "Detects the addition of a new module to an IIS server.", + "meta": { + "author": "frack113", + "creation_date": "2024-10-06", + "falsepositive": [ + "Legitimate administrator activity" + ], + "filename": "win_iis_module_added.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview", + "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", + "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_module_added.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1562.002", + "attack.t1505.004" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "dd857d3e-0c6e-457b-9b48-e82ae7f86bd7", + "value": "New Module Module Added To IIS Server" + }, + { + "description": "Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2024-10-06", + "falsepositive": [ + "Legitimate administrator activity" + ], + "filename": "win_iis_logging_etw_disabled.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/", + "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", + "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.002", + "attack.t1505.004" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a5b40a90-baf5-4bf7-a6f7-373494881d22", + "value": "ETW Logging/Processing Option Disabled On IIS Server" + }, + { + "description": "Detects the removal of a previously installed IIS module.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2024-10-06", + "falsepositive": [ + "Legitimate administrator activity" + ], + "filename": "win_iis_module_removed.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview", + "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", + "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1562.002", + "attack.t1505.004" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f", + "value": "Previously Installed IIS Module Was Removed" + }, + { + "description": "Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.", + "meta": { + "author": "frack113", + "creation_date": "2024-10-06", + "falsepositive": [ + "Unknown" + ], + "filename": "win_iis_logging_http_disabled.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging", + "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", + "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.002", + "attack.t1505.004" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e8ebd53a-30c2-45bd-81bb-74befba07bdb", + "value": "HTTP Logging Disabled On IIS Server" + }, { "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", "meta": { @@ -68141,8 +68321,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", + "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], @@ -68412,8 +68592,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml" ], "tags": [ @@ -68437,8 +68617,8 @@ "logsource.product": "windows", "refs": [ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml" ], "tags": [ @@ -68461,8 +68641,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml" ], "tags": [ @@ -68485,10 +68665,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], "tags": [ @@ -68511,10 +68691,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], "tags": [ @@ -68537,10 +68717,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml" ], "tags": [ @@ -68563,10 +68743,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml" ], "tags": [ @@ -68816,8 +68996,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml" ], "tags": [ @@ -68860,11 +69040,11 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", - "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/", + "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", "https://hijacklibs.net/", + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -68907,8 +69087,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/am0nsec/status/1412232114980982787", "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", + "https://twitter.com/am0nsec/status/1412232114980982787", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml" ], "tags": [ @@ -69103,6 +69283,41 @@ "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", "value": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE" }, + { + "description": "Detects potential DLL sideloading of Python DLL files.", + "meta": { + "author": "Swachchhanda Shrawan Poudel", + "creation_date": "2024-10-06", + "falsepositive": [ + "Legitimate software using Python DLLs" + ], + "filename": "image_load_side_load_python.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/", + "https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python", + "https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_python.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d36f7c12-14a3-4d48-b6b8-774b9c66f44d", + "value": "Potential Python DLL SideLoading" + }, { "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", "meta": { @@ -69116,9 +69331,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", - "https://twitter.com/mattifestation/status/1196390321783025666", "https://twitter.com/oulusoyum/status/1191329746069655553", + "https://twitter.com/mattifestation/status/1196390321783025666", + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml" ], "tags": [ @@ -69248,9 +69463,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", "https://twitter.com/dez_/status/986614411711442944", + "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" ], "tags": [ @@ -69361,9 +69576,9 @@ "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/Wh04m1001/SysmonEoP", - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", - "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ @@ -69407,10 +69622,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", - "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", - "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml" ], "tags": [ @@ -69518,10 +69733,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", - "https://thewover.github.io/Introducing-Donut/", + "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/tyranid/DotNetToJScript", + "https://thewover.github.io/Introducing-Donut/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ @@ -69664,8 +69879,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html", + "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml" ], "tags": [ @@ -69861,11 +70076,11 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/Max_Mal_/status/1775222576639291859", "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html", "https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/", - "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/", "https://twitter.com/DTCERT/status/1712785426895839339", + "https://twitter.com/Max_Mal_/status/1775222576639291859", + "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_keyscrambler.yml" ], "tags": [ @@ -69907,10 +70122,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", "https://github.com/bohops/WSMan-WinRM", "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ @@ -70028,9 +70243,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://securelist.com/apt-luminousmoth/103332/", "https://twitter.com/WhichbufferArda/status/1658829954182774784", + "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml" ], "tags": [ @@ -70395,8 +70610,8 @@ "logsource.product": "windows", "refs": [ "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", - "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://twitter.com/HunterPlaybook/status/1301207718355759107", + "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml" ], "tags": [ @@ -70610,8 +70825,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/ly4k/SpoolFool", "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/", + "https://github.com/ly4k/SpoolFool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" ], "tags": [ @@ -70691,9 +70906,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true", "https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql", "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion", - "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml" ], "tags": [ @@ -70820,8 +71035,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.roboform.com/", "https://twitter.com/t3ft3lb/status/1656194831830401024", + "https://www.roboform.com/", "https://twitter.com/StopMalvertisin/status/1648604148848549888", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml" ], @@ -70906,10 +71121,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", - "https://github.com/S12cybersecurity/RDPCredentialStealer", "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", + "https://github.com/S12cybersecurity/RDPCredentialStealer", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", + "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml" ], "tags": [ @@ -71153,8 +71368,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html", "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html", + "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml" ], "tags": [ @@ -71314,8 +71529,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml" ], "tags": [ @@ -71338,8 +71553,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml" ], "tags": [ @@ -71417,10 +71632,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", - "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", - "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml" ], "tags": [ @@ -71548,8 +71763,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", + "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml" ], "tags": [ @@ -71903,8 +72118,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", + "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml" ], "tags": [ @@ -72199,9 +72414,9 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/besimorhino/powercat", - "https://nmap.org/ncat/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ @@ -72334,9 +72549,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/bohops/WSMan-WinRM", "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ @@ -72508,7 +72723,7 @@ "value": "Nslookup PowerShell Download Cradle" }, { - "description": "Detects renamed powershell", + "description": "Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.\n", "meta": { "author": "Harish Segar, frack113", "creation_date": "2020-06-29", @@ -72525,7 +72740,8 @@ ], "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.t1036.003" ] }, "related": [ @@ -72535,6 +72751,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", @@ -72587,8 +72810,8 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" ], "tags": [ @@ -72787,8 +73010,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", + "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" ], "tags": [ @@ -72957,8 +73180,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", - "https://adsecurity.org/?p=2604", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", + "https://adsecurity.org/?p=2604", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -72991,11 +73214,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps", - "http://woshub.com/manage-windows-firewall-powershell/", - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "http://woshub.com/manage-windows-firewall-powershell/", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ @@ -73062,8 +73285,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", + "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" ], "tags": [ @@ -73129,8 +73352,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", + "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" ], "tags": [ @@ -73366,8 +73589,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml" ], @@ -73424,8 +73647,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", "https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" ], "tags": [ @@ -73623,24 +73846,24 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://adsecurity.org/?p=2921", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/besimorhino/powercat", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/samratashok/nishang", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/adrecon/ADRecon", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/HarmJ0y/DAMP", "https://github.com/adrecon/AzureADRecon", "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/besimorhino/powercat", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/samratashok/nishang", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -73939,8 +74162,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", + "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" ], "tags": [ @@ -74297,9 +74520,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", - "https://github.com/GhostPack/Rubeus", "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", + "https://github.com/GhostPack/Rubeus", + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml" ], "tags": [ @@ -74448,8 +74671,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://www.powershellgallery.com/packages/DSInternals", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ @@ -74661,8 +74884,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml" ], "tags": [ @@ -74922,8 +75145,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" ], "tags": [ @@ -75075,8 +75298,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" ], "tags": [ @@ -75110,9 +75333,9 @@ "logsource.product": "windows", "refs": [ "https://youtu.be/5mqid-7zp8k?t=2481", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -75360,9 +75583,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13", - "https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md", "https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing", + "https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md", + "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml" ], "tags": [ @@ -75430,9 +75653,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], "tags": [ @@ -75588,8 +75811,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", + "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml" ], "tags": [ @@ -75656,9 +75879,9 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", - "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", + "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -75767,8 +75990,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ @@ -75803,8 +76026,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", + "https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ @@ -75922,9 +76145,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41", "https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a", + "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml" ], "tags": [ @@ -75958,9 +76181,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", - "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://thedfirreport.com/2020/10/08/ryuks-return", "https://adsecurity.org/?p=2277", + "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ @@ -76161,8 +76384,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" ], @@ -76204,8 +76427,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.offensive-security.com/metasploit-unleashed/timestomp/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", + "https://www.offensive-security.com/metasploit-unleashed/timestomp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" ], "tags": [ @@ -76238,8 +76461,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/datasources/DS0005/", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://attack.mitre.org/datasources/DS0005/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" ], "tags": [ @@ -76306,10 +76529,10 @@ "logsource.product": "windows", "refs": [ "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", - "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", + "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml" ], "tags": [ @@ -76469,8 +76692,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" ], "tags": [ @@ -76503,9 +76726,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -76696,8 +76919,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", "https://twitter.com/NathanMcNulty/status/1569497348841287681", + "https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" ], "tags": [ @@ -76941,8 +77164,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" ], "tags": [ @@ -77008,8 +77231,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ @@ -77042,9 +77265,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://twitter.com/oroneequalsone/status/1568432028361830402", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], "tags": [ @@ -77111,8 +77334,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4", + "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml" ], @@ -77146,8 +77369,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" ], @@ -77238,8 +77461,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" ], "tags": [ @@ -77406,8 +77629,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://techgenix.com/malicious-powershell-scripts-evade-detection/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" ], "tags": [ @@ -77482,8 +77705,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://o365blog.com/aadinternals/", "https://github.com/Gerenios/AADInternals", + "https://o365blog.com/aadinternals/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -77953,8 +78176,8 @@ "logsource.product": "windows", "refs": [ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], "tags": [ @@ -78020,10 +78243,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", + "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://twitter.com/ScumBots/status/1610626724257046529", - "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", + "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -78057,8 +78280,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" ], "tags": [ @@ -78265,9 +78488,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://www.ietf.org/rfc/rfc2821.txt", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" ], "tags": [ @@ -78836,8 +79059,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/8", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" ], "tags": [ @@ -78904,22 +79127,22 @@ "logsource.product": "windows", "refs": [ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/NetSPI/PowerUpSQL", - "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/samratashok/nishang", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/PowerShellMafia/PowerSploit", + "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/besimorhino/powercat", "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/samratashok/nishang", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -78952,8 +79175,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" ], "tags": [ @@ -79062,24 +79285,24 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://adsecurity.org/?p=2921", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/besimorhino/powercat", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/samratashok/nishang", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/adrecon/ADRecon", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/HarmJ0y/DAMP", "https://github.com/adrecon/AzureADRecon", "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/besimorhino/powercat", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/samratashok/nishang", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ @@ -79169,8 +79392,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" ], "tags": [ @@ -79428,8 +79651,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://www.mdeditor.tw/pl/pgRt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], @@ -79750,17 +79973,17 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://github.com/codewhitesec/HandleKatz", "https://github.com/fortra/nanodump", "https://github.com/xuanxuan0/DripLoader", - "https://github.com/ohpe/juicy-potato", - "https://www.tarasco.org/security/pwdump_7/", "https://github.com/antonioCoco/RoguePotato", - "https://github.com/topotam/PetitPotam", - "https://github.com/outflanknl/Dumpert", + "https://github.com/ohpe/juicy-potato", + "https://github.com/codewhitesec/HandleKatz", "https://github.com/hfiref0x/UACME", - "https://github.com/wavestone-cdt/EDRSandblast", + "https://github.com/outflanknl/Dumpert", + "https://github.com/topotam/PetitPotam", + "https://www.tarasco.org/security/pwdump_7/", "https://github.com/gentilkiwi/mimikatz", + "https://github.com/wavestone-cdt/EDRSandblast", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml" ], "tags": [ @@ -79910,8 +80133,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml" @@ -79947,8 +80170,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", "https://labs.withsecure.com/publications/detecting-onenote-abuse", + "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" ], "tags": [ @@ -79982,8 +80205,8 @@ "logsource.product": "windows", "refs": [ "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", - "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", "https://github.com/codewhitesec/SysmonEnte/", + "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml" ], "tags": [ @@ -80061,8 +80284,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/skelsec/pypykatz", "https://twitter.com/bh4b3sh/status/1303674603819081728", + "https://github.com/skelsec/pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml" ], "tags": [ @@ -80097,9 +80320,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", - "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ @@ -80166,8 +80389,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", + "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml" ], "tags": [ @@ -80305,8 +80528,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://twitter.com/SBousseaden/status/1541920424635912196", + "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml" ], @@ -80417,8 +80640,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/timbmsft/status/900724491076214784", "https://github.com/hlldz/Invoke-Phant0m", + "https://twitter.com/timbmsft/status/900724491076214784", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml" ], "tags": [ @@ -80680,11 +80903,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml" ], "tags": [ @@ -80718,8 +80941,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/boku7/injectAmsiBypass", "https://github.com/boku7/spawn", + "https://github.com/boku7/injectAmsiBypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ @@ -81033,9 +81256,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://threatpost.com/microsoft-petitpotam-poc/168163/", - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", + "https://threatpost.com/microsoft-petitpotam-poc/168163/", "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], @@ -81076,9 +81299,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://github.com/nknorg/nkn-sdk-go", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/Maka8ka/NGLite", - "https://github.com/nknorg/nkn-sdk-go", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], "tags": [ @@ -81323,12 +81546,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/corelight/CVE-2021-1675", - "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", - "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ @@ -81355,10 +81578,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://twitter.com/neu5ron/status/1346245602502443009", + "https://tools.ietf.org/html/rfc2929#section-2.1", "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", - "https://tools.ietf.org/html/rfc2929#section-2.1", + "https://twitter.com/neu5ron/status/1346245602502443009", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], "tags": [ @@ -81515,9 +81738,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://twitter.com/_dirkjan/status/1309214379003588608", - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -81739,8 +81962,8 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ - "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html", "https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609", + "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml" ], "tags": [ @@ -82390,8 +82613,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://twitter.com/stvemillertime/status/1024707932447854592", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", + "https://twitter.com/stvemillertime/status/1024707932447854592", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" ], "tags": [ @@ -82465,10 +82688,10 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://core.telegram.org/bots/faq", - "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], "tags": [ @@ -82597,9 +82820,9 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], "tags": [ @@ -82690,11 +82913,11 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/", + "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile", - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", - "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml" ], "tags": [ @@ -82730,8 +82953,8 @@ "refs": [ "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html", - "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4", "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", + "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_external_execution.yml" ], "tags": [ @@ -82806,10 +83029,10 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://www.spamhaus.org/statistics/tlds/", + "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", - "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", - "https://www.spamhaus.org/statistics/tlds/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" ], "tags": [ @@ -82892,8 +83115,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", "https://twitter.com/jhencinski/status/1102695118455349248", + "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml" ], "tags": [ @@ -82970,14 +83193,14 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "https://twitter.com/crep1x/status/1635034100213112833", + "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", "http://www.botopedia.org/search?searchword=scan&searchphrase=all", - "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", - "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", "https://perishablepress.com/blacklist/ua-2013.txt", + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", + "https://twitter.com/crep1x/status/1635034100213112833", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], "tags": [ @@ -83044,8 +83267,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop", + "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml" ], "tags": [ @@ -83148,8 +83371,8 @@ "logsource.product": "No established product", "refs": [ "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11", - "https://blog.talosintelligence.com/ipfs-abuse/", "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638", + "https://blog.talosintelligence.com/ipfs-abuse/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml" ], "tags": [ @@ -83232,9 +83455,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", + "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml" ], "tags": [ @@ -83309,8 +83532,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.advanced-port-scanner.com/", "https://www.advanced-ip-scanner.com/", + "https://www.advanced-port-scanner.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml" ], "tags": [ @@ -83680,9 +83903,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml" ], "tags": [ @@ -83833,8 +84056,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", + "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml" ], "tags": [ @@ -83867,11 +84090,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", - "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", - "https://twitter.com/httpvoid0x2f/status/1532924261035384832", "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", + "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], "tags": [ @@ -83940,8 +84163,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/pimps/JNDI-Exploit-Kit", "https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit", + "https://github.com/pimps/JNDI-Exploit-Kit", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml" ], "tags": [ @@ -84010,8 +84233,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", + "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml" ], @@ -84046,8 +84269,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", "https://github.com/payloadbox/ssti-payloads", + "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml" ], "tags": [ @@ -84080,9 +84303,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", + "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml" ], "tags": [ @@ -84116,8 +84339,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://bad-jubies.github.io/RCE-NOW-WHAT/", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml" ], "tags": [ @@ -84152,11 +84375,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", - "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection", + "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", "https://github.com/payloadbox/sql-injection-payload-list", "https://brightsec.com/blog/sql-injection-payloads/", - "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", + "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" ], "tags": [ @@ -84190,8 +84413,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/projectdiscovery/nuclei-templates", "https://book.hacktricks.xyz/pentesting-web/file-inclusion", + "https://github.com/projectdiscovery/nuclei-templates", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml" ], "tags": [ @@ -84259,8 +84482,8 @@ "logsource.product": "No established product", "refs": [ "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", - "https://github.com/lijiejie/IIS_shortname_Scanner", "https://www.exploit-db.com/exploits/19525", + "https://github.com/lijiejie/IIS_shortname_Scanner", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" ], "tags": [ @@ -84393,9 +84616,9 @@ "logsource.category": "application", "logsource.product": "jvm", "refs": [ + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://rules.sonarsource.com/java/RSPEC-2755", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml" ], "tags": [ @@ -84496,8 +84719,8 @@ "logsource.category": "application", "logsource.product": "spring", "refs": [ - "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml" ], "tags": [ @@ -84564,8 +84787,8 @@ "logsource.product": "ruby_on_rails", "refs": [ "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", - "http://edgeguides.rubyonrails.org/security.html", "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", + "http://edgeguides.rubyonrails.org/security.html", "http://guides.rubyonrails.org/action_controller_overview.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], @@ -84600,8 +84823,8 @@ "logsource.category": "application", "logsource.product": "velocity", "refs": [ - "https://antgarsil.github.io/posts/velocity/", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://antgarsil.github.io/posts/velocity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml" ], "tags": [ @@ -84734,8 +84957,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_smb_file_open.yml" ], "tags": [ @@ -84777,8 +85000,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_vnc_connection_attempt.yml" ], "tags": [ @@ -84811,8 +85034,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_new_connection.yml" ], "tags": [ @@ -84863,8 +85086,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_tftp_request.yml" ], "tags": [ @@ -84897,8 +85120,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ftp_login_attempt.yml" ], "tags": [ @@ -84940,8 +85163,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml" ], "tags": [ @@ -84975,8 +85198,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_post_login_attempt.yml" ], "tags": [ @@ -85009,8 +85232,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_git_clone_request.yml" ], "tags": [ @@ -85043,8 +85266,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_snmp_cmd.yml" ], "tags": [ @@ -85086,8 +85309,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_sip_request.yml" ], "tags": [ @@ -85120,8 +85343,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_login_attempt.yml" ], "tags": [ @@ -85172,8 +85395,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mysql_login_attempt.yml" ], "tags": [ @@ -85215,8 +85438,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_redis_command.yml" ], "tags": [ @@ -85258,8 +85481,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml" ], "tags": [ @@ -85301,8 +85524,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_telnet_login_attempt.yml" ], "tags": [ @@ -85344,8 +85567,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_winauth.yml" ], "tags": [ @@ -85387,8 +85610,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_get.yml" ], "tags": [ @@ -85421,8 +85644,8 @@ "logsource.category": "application", "logsource.product": "opencanary", "refs": [ - "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52", + "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ntp_monlist.yml" ], "tags": [ @@ -85488,8 +85711,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/", "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", + "https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml" ], "tags": [ @@ -85545,8 +85768,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab", "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", + "https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml" ], "tags": [ @@ -85602,8 +85825,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://security.padok.fr/en/blog/kubernetes-webhook-attackers", "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", + "https://security.padok.fr/en/blog/kubernetes-webhook-attackers", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml" ], "tags": [ @@ -85653,8 +85876,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues", "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", + "https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml" ], "tags": [ @@ -85678,8 +85901,8 @@ "logsource.category": "No established category", "logsource.product": "kubernetes", "refs": [ - "https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob", "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/", + "https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml" ], "tags": [ @@ -85841,10 +86064,10 @@ "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ - "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html", - "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/", "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer", + "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/", "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html", + "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml" ], "tags": [ @@ -85908,8 +86131,8 @@ "logsource.category": "application", "logsource.product": "kubernetes", "refs": [ - "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/", "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch", + "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml" ], "tags": [ @@ -85941,8 +86164,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" ], "tags": [ @@ -85966,9 +86189,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], "tags": [ @@ -85991,9 +86214,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", + "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], @@ -86017,9 +86240,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], "tags": [ @@ -86061,9 +86284,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ @@ -86105,9 +86328,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ @@ -86148,10 +86371,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ @@ -86184,12 +86407,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -86213,9 +86436,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ @@ -86256,10 +86479,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ @@ -86292,10 +86515,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ @@ -86329,9 +86552,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], "tags": [ @@ -86354,9 +86577,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], @@ -86391,9 +86614,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], "tags": [ @@ -86416,9 +86639,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], @@ -86442,10 +86665,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ @@ -86468,10 +86691,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ @@ -86503,8 +86726,8 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", + "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" ], "tags": [ @@ -86607,8 +86830,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://objective-see.org/blog/blog_0x6D.html", + "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://ss64.com/osx/csrutil.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml" @@ -86676,8 +86899,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://redcanary.com/blog/applescript/", "https://ss64.com/osx/osacompile.html", + "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml" ], "tags": [ @@ -86784,10 +87007,10 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior", "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior", - "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml" ], "tags": [ @@ -86820,9 +87043,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], "tags": [ @@ -86879,8 +87102,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://www.loobins.io/binaries/tmutil/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml" ], "tags": [ @@ -86914,8 +87137,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/MythicAgents/typhon/", - "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", + "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" ], "tags": [ @@ -86973,10 +87196,10 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://www.loobins.io/binaries/launchctl/", + "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md", - "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", - "https://www.loobins.io/binaries/launchctl/", "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml" ], @@ -87027,9 +87250,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/mac/hdiutil.html", - "https://www.loobins.io/binaries/hdiutil/", "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", + "https://www.loobins.io/binaries/hdiutil/", + "https://ss64.com/mac/hdiutil.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml" ], "tags": [ @@ -87052,8 +87275,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos", "https://ss64.com/osx/sysadminctl.html", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml" ], "tags": [ @@ -87087,8 +87310,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" ], "tags": [ @@ -87121,9 +87344,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior", - "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", "https://ss64.com/osx/sw_vers.html", + "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", + "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml" ], "tags": [ @@ -87157,8 +87380,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/MythicAgents/typhon/", - "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", + "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ @@ -87181,8 +87404,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos", "https://ss64.com/osx/dscl.html", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml" ], "tags": [ @@ -87217,8 +87440,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", - "https://ss64.com/osx/dsenableroot.html", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", + "https://ss64.com/osx/dsenableroot.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], "tags": [ @@ -87334,8 +87557,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], @@ -87359,9 +87582,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/mac/hdiutil.html", - "https://www.loobins.io/binaries/hdiutil/", "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/", + "https://www.loobins.io/binaries/hdiutil/", + "https://ss64.com/mac/hdiutil.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml" ], "tags": [ @@ -87435,8 +87658,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ @@ -87535,13 +87758,13 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", - "https://evasions.checkpoint.com/techniques/macos.html", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", - "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior", - "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior", - "https://objective-see.org/blog/blog_0x1E.html", "https://www.loobins.io/binaries/sysctl/#", + "https://objective-see.org/blog/blog_0x1E.html", + "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior", + "https://evasions.checkpoint.com/techniques/macos.html", + "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/", + "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml" ], "tags": [ @@ -87616,9 +87839,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", "https://linux.die.net/man/1/dd", "https://linux.die.net/man/1/truncate", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" ], "tags": [ @@ -87719,8 +87942,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://redcanary.com/blog/applescript/", "https://objective-see.org/blog/blog_0x4B.html", + "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml" ], "tags": [ @@ -87844,8 +88067,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", "https://redcanary.com/blog/applescript/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" ], "tags": [ @@ -87911,8 +88134,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://objective-see.org/blog/blog_0x6D.html", + "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://ss64.com/osx/csrutil.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml" @@ -87980,8 +88203,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" ], "tags": [ @@ -88360,9 +88583,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl", - "https://www.loobins.io/binaries/nscurl/", "https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd", + "https://www.loobins.io/binaries/nscurl/", + "https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml" ], "tags": [ @@ -88429,8 +88652,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/sysadminctl.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://ss64.com/osx/sysadminctl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml" ], "tags": [ @@ -88530,12 +88753,12 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/mac/system_profiler.html", - "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", - "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://ss64.com/mac/system_profiler.html", "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af", "https://objective-see.org/blog/blog_0x62.html", + "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml" ], "tags": [ @@ -88610,8 +88833,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", "https://ss64.com/mac/chflags.html", + "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml" @@ -88703,8 +88926,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://www.loobins.io/binaries/tmutil/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml" ], "tags": [ @@ -88912,8 +89135,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://www.loobins.io/binaries/tmutil/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml" ], "tags": [ @@ -89101,8 +89324,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml" ], "tags": [ @@ -89176,10 +89399,10 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", - "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", - "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", + "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], "tags": [ @@ -89247,10 +89470,10 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership", - "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository", "https://docs.github.com/en/migrations", + "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership", "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration", + "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_repo_or_org_transferred.yml" ], "tags": [ @@ -89361,8 +89584,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority", "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities", + "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_ssh_certificate_config_changed.yml" ], "tags": [ @@ -89540,8 +89763,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ @@ -89564,8 +89787,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_identity_provider_created.yml" ], "tags": [ @@ -89598,8 +89821,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ @@ -89632,9 +89855,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://dataconomy.com/2023/10/23/okta-data-breach/", - "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach", "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/", + "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach", + "https://dataconomy.com/2023/10/23/okta-data-breach/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml" ], "tags": [ @@ -89680,9 +89903,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", - "https://developer.okta.com/docs/reference/api/system-log/", "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml" ], "tags": [ @@ -89715,8 +89938,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ @@ -89739,8 +89962,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ @@ -89797,9 +90020,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": [ @@ -89822,8 +90045,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ @@ -89846,8 +90069,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ @@ -89870,8 +90093,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ @@ -89904,8 +90127,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ @@ -89928,8 +90151,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_new_behaviours_admin_console.yml" ], "tags": [ @@ -89962,9 +90185,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://sec.okta.com/fastpassphishingdetection", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml" ], "tags": [ @@ -89997,8 +90220,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml" ], "tags": [ @@ -90021,8 +90244,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ @@ -90047,8 +90270,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ @@ -90071,8 +90294,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ @@ -90107,8 +90330,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml" ], "tags": [ @@ -90141,8 +90364,8 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ - "https://help.duo.com/s/article/6327?language=en_US", "https://duo.com/docs/adminapi#logs", + "https://help.duo.com/s/article/6327?language=en_US", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml" ], "tags": [ @@ -90386,8 +90609,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", + "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ @@ -90607,9 +90830,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", + "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml" ], "tags": [ @@ -90759,9 +90982,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ @@ -91147,9 +91370,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html", "https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/", "https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things", - "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml" ], "tags": [ @@ -91234,8 +91457,8 @@ "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml" ], "tags": [ @@ -91425,12 +91648,12 @@ "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", - "https://github.com/elastic/detection-rules/pull/1145/files", - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://github.com/elastic/detection-rules/pull/1145/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -91845,8 +92068,8 @@ "logsource.product": "gcp", "refs": [ "https://cloud.google.com/access-context-manager/docs/audit-logging", - "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog", + "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml" ], "tags": [ @@ -91906,8 +92129,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml" ], "tags": [ @@ -92073,11 +92296,11 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://github.com/elastic/detection-rules/pull/1267", - "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://github.com/elastic/detection-rules/pull/1267", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml" ], "tags": [ @@ -92195,9 +92418,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml" ], "tags": [ @@ -92244,9 +92467,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml" ], "tags": [ @@ -92269,8 +92492,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings", "https://support.google.com/a/answer/9261439", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml" ], "tags": [ @@ -92304,8 +92527,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml" ], "tags": [ @@ -92438,8 +92661,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml" ], "tags": [ @@ -92472,8 +92695,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml" ], "tags": [ @@ -92507,8 +92730,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml" ], "tags": [ @@ -92550,8 +92773,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml" ], "tags": [ @@ -92668,8 +92891,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml" ], "tags": [ @@ -92736,8 +92959,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml" ], "tags": [ @@ -92779,8 +93002,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml" ], "tags": [ @@ -92854,8 +93077,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml" ], "tags": [ @@ -92888,8 +93111,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml" ], "tags": [ @@ -92938,8 +93161,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.sygnia.co/golden-saml-advisory", + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://o365blog.com/post/aadbackdoor/", @@ -93042,8 +93265,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml" ], "tags": [ @@ -93076,8 +93299,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml" ], "tags": [ @@ -93110,8 +93333,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml" ], "tags": [ @@ -93144,8 +93367,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml" ], "tags": [ @@ -93178,8 +93401,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml" ], "tags": [ @@ -93212,8 +93435,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml" ], "tags": [ @@ -93269,8 +93492,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml" ], "tags": [ @@ -93303,8 +93526,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml" ], "tags": [ @@ -93337,8 +93560,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml" ], "tags": [ @@ -93361,8 +93584,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml" ], "tags": [ @@ -93395,8 +93618,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml" ], "tags": [ @@ -93462,8 +93685,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml" ], "tags": [ @@ -94178,8 +94401,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487", + "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/", "https://twitter.com/NathanMcNulty/status/1785051227568632263", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml" ], @@ -94819,8 +95042,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/", "https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022", + "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml" ], "tags": [ @@ -95726,8 +95949,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml" ], "tags": [ @@ -95763,8 +95986,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml" ], "tags": [ @@ -95797,8 +96020,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml" ], "tags": [ @@ -95834,8 +96057,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml" ], "tags": [ @@ -95868,8 +96091,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml" ], "tags": [ @@ -95902,8 +96125,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml" ], "tags": [ @@ -95973,8 +96196,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml" ], "tags": [ @@ -96041,8 +96264,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml" ], "tags": [ @@ -96078,8 +96301,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml" ], "tags": [ @@ -96149,9 +96372,9 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", - "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml" ], "tags": [ @@ -96187,8 +96410,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml" ], "tags": [ @@ -96221,8 +96444,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml" ], "tags": [ @@ -96255,8 +96478,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml" ], "tags": [ @@ -96323,8 +96546,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address", "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml" ], "tags": [ @@ -96423,8 +96646,8 @@ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml" ], "tags": [ @@ -96476,8 +96699,8 @@ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml" ], "tags": [ @@ -96503,8 +96726,8 @@ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -97092,8 +97315,8 @@ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml" ], "tags": [ @@ -97204,8 +97427,8 @@ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ @@ -97356,8 +97579,8 @@ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ @@ -97394,8 +97617,8 @@ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -97675,10 +97898,10 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml" ], "tags": [ @@ -97713,8 +97936,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml" ], "tags": [ @@ -97991,9 +98214,9 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], "tags": "No established tags" @@ -98014,10 +98237,10 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], "tags": [ @@ -98040,9 +98263,9 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], "tags": [ @@ -98111,8 +98334,8 @@ "logsource.product": "No established product", "refs": [ "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619", - "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml" ], "tags": [ @@ -98202,12 +98425,12 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", - "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", - "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", + "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", + "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], "tags": [ @@ -98239,8 +98462,8 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", "https://www.nextron-systems.com/?s=antivirus", + "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml" ], "tags": [ @@ -98274,15 +98497,15 @@ "logsource.product": "No established product", "refs": [ "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", - "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", - "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", "https://github.com/tennc/webshell", - "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", + "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ @@ -98316,8 +98539,8 @@ "logsource.product": "No established product", "refs": [ "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", - "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" ], @@ -98451,10 +98674,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" ], "tags": [ @@ -98511,10 +98734,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" ], "tags": [ @@ -98713,10 +98936,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://linux.die.net/man/8/pam_tty_audit", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], "tags": [ @@ -98891,10 +99114,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://mn3m.info/posts/suid-vs-capabilities/", - "https://man7.org/linux/man-pages/man8/getcap.8.html", - "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", + "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", + "https://man7.org/linux/man-pages/man8/getcap.8.html", + "https://mn3m.info/posts/suid-vs-capabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -99035,8 +99258,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", + "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" ], "tags": [ @@ -99102,8 +99325,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml" ], "tags": [ @@ -99169,8 +99392,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", "https://firewalld.org/documentation/man-pages/firewall-cmd.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" ], "tags": [ @@ -99237,8 +99460,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml" ], "tags": [ @@ -99279,8 +99502,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://linux.die.net/man/1/xclip", + "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" ], "tags": [ @@ -99313,8 +99536,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/wget/", "https://linux.die.net/man/1/wget", + "https://gtfobins.github.io/gtfobins/wget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" ], "tags": [ @@ -99413,8 +99636,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", "https://linux.die.net/man/1/arecord", + "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" ], "tags": [ @@ -99448,9 +99671,9 @@ "logsource.product": "linux", "refs": [ "https://man7.org/linux/man-pages/man1/passwd.1.html", + "https://linux.die.net/man/1/chage", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", - "https://linux.die.net/man/1/chage", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], "tags": [ @@ -99583,9 +99806,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://imagemagick.org/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://linux.die.net/man/1/import", + "https://imagemagick.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ @@ -99618,9 +99841,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ @@ -99687,8 +99910,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", "https://objective-see.org/blog/blog_0x68.html", + "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", "https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml" ], @@ -100118,8 +100341,8 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", - "https://linux.die.net/man/8/insmod", "https://man7.org/linux/man-pages/man8/kmod.8.html", + "https://linux.die.net/man/8/insmod", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" ], "tags": [ @@ -100252,8 +100475,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content", "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf", + "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content", "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence", "https://regex101.com/r/RugQYK/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml" @@ -100321,8 +100544,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", + "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml" ], "tags": [ @@ -100346,9 +100569,9 @@ "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/awk/#shell", + "https://gtfobins.github.io/gtfobins/gawk/#shell", "https://gtfobins.github.io/gtfobins/nawk/#shell", "https://gtfobins.github.io/gtfobins/mawk/#shell", - "https://gtfobins.github.io/gtfobins/gawk/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml" ], "tags": [ @@ -100405,8 +100628,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", + "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml" ], "tags": [ @@ -100495,8 +100718,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml" ], "tags": [ @@ -100745,8 +100968,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/techniques/T1548/001/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", + "https://attack.mitre.org/techniques/T1548/001/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" ], "tags": [ @@ -100779,10 +101002,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml" ], "tags": [ @@ -100901,8 +101124,8 @@ "logsource.product": "linux", "refs": [ "https://github.com/Tib3rius/AutoRecon", - "https://github.com/projectdiscovery/naabu", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/projectdiscovery/naabu", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml" ], "tags": [ @@ -101002,8 +101225,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" ], "tags": [ @@ -101160,10 +101383,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml" ], "tags": [ @@ -101221,8 +101444,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://bpftrace.org/", + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" ], "tags": [ @@ -101458,9 +101681,9 @@ "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml" ], "tags": [ @@ -101535,8 +101758,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", + "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml" ], "tags": [ @@ -101577,10 +101800,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml" ], "tags": [ @@ -101604,8 +101827,8 @@ "logsource.product": "linux", "refs": [ "https://github.com/diego-treitos/linux-smart-enumeration", - "https://github.com/carlospolop/PEASS-ng", "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", + "https://github.com/carlospolop/PEASS-ng", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], "tags": [ @@ -101662,10 +101885,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml" ], "tags": [ @@ -101766,9 +101989,9 @@ "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml" ], "tags": [ @@ -101791,8 +102014,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/apache/spark/pull/36315/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" ], @@ -101828,8 +102051,8 @@ "logsource.product": "linux", "refs": [ "https://access.redhat.com/security/cve/cve-2019-14287", - "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://twitter.com/matthieugarin/status/1183970598210412546", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], "tags": [ @@ -101973,9 +102196,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", - "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", + "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", + "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml" ], "tags": [ @@ -102077,8 +102300,8 @@ "logsource.product": "linux", "refs": [ "https://www.cyberciti.biz/faq/linux-remove-user-command/", - "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://linux.die.net/man/8/groupdel", + "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], @@ -102135,8 +102358,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://linux.die.net/man/8/userdel", + "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" @@ -102171,10 +102394,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml" ], "tags": [ @@ -102300,8 +102523,8 @@ "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html", - "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", + "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml" ], "tags": [ @@ -102342,15 +102565,15 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/t3l3machus/hoaxshell", - "https://github.com/t3l3machus/Villain", - "https://github.com/carlospolop/PEASS-ng", - "https://github.com/Ne0nd0g/merlin", - "https://github.com/pathtofile/bad-bpf", "https://github.com/Pennyw0rth/NetExec/", - "https://github.com/1N3/Sn1per", - "https://github.com/Gui774ume/ebpfkit", + "https://github.com/Ne0nd0g/merlin", "https://github.com/HavocFramework/Havoc", + "https://github.com/pathtofile/bad-bpf", + "https://github.com/1N3/Sn1per", + "https://github.com/carlospolop/PEASS-ng", + "https://github.com/t3l3machus/Villain", + "https://github.com/Gui774ume/ebpfkit", + "https://github.com/t3l3machus/hoaxshell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml" ], "tags": [ @@ -102417,8 +102640,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/flock/#shell", "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", + "https://gtfobins.github.io/gtfobins/flock/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml" ], "tags": [ @@ -102485,8 +102708,8 @@ "logsource.product": "linux", "refs": [ "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" ], "tags": [ @@ -102577,8 +102800,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml" ], "tags": [ @@ -102619,8 +102842,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://research.splunk.com/endpoint/linux_doas_tool_execution/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" ], "tags": [ @@ -102654,8 +102877,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://blog.skyplabs.net/posts/container-detection/", + "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml" ], "tags": [ @@ -102745,10 +102968,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/gcc/#shell", - "https://gtfobins.github.io/gtfobins/c89/#shell", - "https://gtfobins.github.io/gtfobins/c99/#shell", "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", + "https://gtfobins.github.io/gtfobins/c99/#shell", + "https://gtfobins.github.io/gtfobins/c89/#shell", + "https://gtfobins.github.io/gtfobins/gcc/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml" ], "tags": [ @@ -102782,8 +103005,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://blog.skyplabs.net/posts/container-detection/", + "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml" ], "tags": [ @@ -102849,9 +103072,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/rvim/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/vimdiff/", + "https://gtfobins.github.io/gtfobins/rvim/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml" ], "tags": [ @@ -102884,11 +103107,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://curl.se/docs/manpage.html", - "https://twitter.com/d1r4c/status/1279042657508081664", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", + "https://curl.se/docs/manpage.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://twitter.com/d1r4c/status/1279042657508081664", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ @@ -103053,8 +103276,8 @@ "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/nohup/", - "https://en.wikipedia.org/wiki/Nohup", "https://www.computerhope.com/unix/unohup.htm", + "https://en.wikipedia.org/wiki/Nohup", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], "tags": [ @@ -103240,8 +103463,8 @@ "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html", - "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", + "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml" ], "tags": [ @@ -103316,11 +103539,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", - "https://www.revshells.com/", - "https://www.infosecademy.com/netcat-reverse-shells/", "https://man7.org/linux/man-pages/man1/ncat.1.html", + "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", + "https://www.infosecademy.com/netcat-reverse-shells/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml" ], "tags": [ @@ -103452,8 +103675,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/arget13/DDexec", + "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml" ], "tags": [ @@ -103552,10 +103775,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" ], "tags": [ @@ -103611,8 +103834,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://bpftrace.org/", + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml" ], @@ -103670,8 +103893,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", + "https://gtfobins.github.io/gtfobins/apt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml" ], "tags": [ @@ -103704,10 +103927,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" ], "tags": [ @@ -103740,9 +103963,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" ], "tags": [ @@ -103808,8 +104031,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" ], "tags": [ @@ -103842,10 +104065,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxhint.com/uninstall-debian-packages/", - "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://linuxhint.com/uninstall_yum_package/", + "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", + "https://linuxhint.com/uninstall-debian-packages/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml" ], "tags": [ @@ -103902,8 +104125,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://blog.skyplabs.net/posts/container-detection/", + "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml" ], "tags": [ @@ -104263,11 +104486,11 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ + "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", - "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html", "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team", "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html", - "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections", + "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml" ], "tags": [ @@ -104483,10 +104706,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "https://artkond.com/2017/03/23/pivoting-guide/", "http://pastebin.com/FtygZ1cg", "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -104543,8 +104766,8 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", - "https://linux.die.net/man/8/useradd", "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", + "https://linux.die.net/man/8/useradd", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml" ], "tags": [ @@ -104719,9 +104942,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics", + "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" ], "tags": [ @@ -104912,8 +105135,8 @@ "logsource.product": "linux", "refs": [ "https://access.redhat.com/security/cve/cve-2019-14287", - "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://twitter.com/matthieugarin/status/1183970598210412546", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], "tags": [ @@ -105175,5 +105398,5 @@ "value": "Modifying Crontab" } ], - "version": 20241003 + "version": 20241017 } From 576a3433d4308f4d79f61da67c69474434dc7b37 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 17 Oct 2024 14:10:14 +0200 Subject: [PATCH 40/42] chg: [README] updated --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 917ab538..332fdc6a 100644 --- a/README.md +++ b/README.md @@ -535,7 +535,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements [Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules. -Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2965* elements +Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2970* elements [[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] From 9337227db7d2d6866bd1155c8a8f7e89aef9dc92 Mon Sep 17 00:00:00 2001 From: Daniel Plohmann Date: Mon, 21 Oct 2024 08:48:56 +0200 Subject: [PATCH 41/42] added Unit42 name for Kimsuky (Sparkling Pisces) --- clusters/threat-actor.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 40c3e415..c11735d5 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -5681,7 +5681,8 @@ "https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/", "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html", "https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage" + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage", + "https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" ], "synonyms": [ "Velvet Chollima", @@ -5692,7 +5693,8 @@ "APT43", "Emerald Sleet", "THALLIUM", - "Springtail" + "Springtail", + "Sparkling Pisces" ], "targeted-sector": [ "Research - Innovation", @@ -16985,5 +16987,5 @@ "value": "TaskMasters" } ], - "version": 316 + "version": 317 } From 6c4c2696b6ba0fb7cd92b901d4d2cdcf7223dbd1 Mon Sep 17 00:00:00 2001 From: Daniel Plohmann Date: Fri, 25 Oct 2024 14:08:53 +0200 Subject: [PATCH 42/42] add APT37 alias used by AhnLab (TA-RedAnt) --- clusters/threat-actor.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index c11735d5..cc95b8f3 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -6422,7 +6422,8 @@ "https://securelist.com/operation-daybreak/75100/", "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", "https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/", - "https://unit42.paloaltonetworks.com/atoms/moldypisces/" + "https://unit42.paloaltonetworks.com/atoms/moldypisces/", + "https://asec.ahnlab.com/en/83877/" ], "synonyms": [ "APT 37", @@ -6439,7 +6440,8 @@ "Venus 121", "ATK4", "G0067", - "Moldy Pisces" + "Moldy Pisces", + "TA-RedAnt" ] }, "related": [ @@ -16987,5 +16989,5 @@ "value": "TaskMasters" } ], - "version": 317 + "version": 318 }