diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index b339e67b..2b65a347 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -48,8 +48,8 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_hacktool.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_hacktool.yml",
+ "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/"
 ],
 "tags": [
 "attack.execution",
@@ -72,9 +72,9 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_password_dumper.yml",
 "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_password_dumper.yml"
+ "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/"
 ],
 "tags": [
 "attack.credential_access",
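Review bot: The new `refs` order in every hunk of this diff, from `@@ -48` onward, follows no discernible sort key, which suggests the generator writes the list in set or hash iteration order; if that generator is Python, per-process hash randomisation means the next regeneration will churn all of these lines again. Sorting before serialising (e.g. `sorted(set(refs))` in the generating script) would make the cluster reproducible and keep future diffs down to genuine content changes, which also matters for anyone verifying these clusters by digest. The only substantive change in the diff is the removal of the duplicated `https://github.com/zeronetworks/rpcfirewall` entries in the hunks at `@@ -284` and `@@ -364`, which is worth stating in the commit message so the fix can be told apart from the reorder noise.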
@@ -100,10 +100,10 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/mvelazco/status/1410291741241102338",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml"
+ "https://twitter.com/mvelazco/status/1410291741241102338",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -149,8 +149,8 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_relevant_files.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_relevant_files.yml",
+ "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/"
 ],
 "tags": [
 "attack.resource_development",
@@ -173,16 +173,16 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
- "https://github.com/tennc/webshell",
 "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
- "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://github.com/tennc/webshell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_webshell.yml",
 "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
 "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_webshell.yml"
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
+ "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/"
 ],
 "tags": [
 "attack.persistence",
@@ -254,12 +254,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/techniques/T1053/",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://attack.mitre.org/techniques/T1053/",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://attack.mitre.org/tactics/TA0008/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
 ],
 "tags": [
@@ -284,13 +284,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/tactics/TA0007/",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://attack.mitre.org/tactics/TA0007/"
 ],
 "tags": "No established tags"
 },
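Review bot: In this hunk `tags` is the string `"No established tags"` while the neighbouring entries (e.g. the hunk at `@@ -254`) carry an array under the same key, so a consumer that iterates `tags` will walk the characters of the sentinel instead of failing cleanly; the same shape appears in the hunks at `@@ -364`, `@@ -418`, `@@ -530` and `@@ -641`. This is pre-existing rather than introduced by the reorder, but since the generator output is being regenerated anyway it would be cleaner to emit `"tags": []` and keep one type per key, and the `"No established product"` / `"No established category"` strings under `logsource.*` deserve the same treatment (omit the key or use `null`).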
@@ -310,12 +309,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/techniques/T1033/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
 "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
+ "https://attack.mitre.org/techniques/T1033/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/"
 ],
 "tags": [
 "attack.t1033"
@@ -337,11 +336,11 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/tactics/TA0008/",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://attack.mitre.org/tactics/TA0008/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
 ],
 "tags": [
@@ -364,11 +363,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml",
 "https://attack.mitre.org/tactics/TA0007/",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml"
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/"
 ],
 "tags": "No established tags"
 },
@@ -388,12 +386,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/techniques/T1053/",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://attack.mitre.org/techniques/T1053/",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://attack.mitre.org/tactics/TA0008/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
 ],
 "tags": [
@@ -418,12 +416,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/tactics/TA0007/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://attack.mitre.org/tactics/TA0007/"
 ],
 "tags": "No established tags"
 },
@@ -443,14 +441,14 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/tactics/TA0008/",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
+ "https://attack.mitre.org/tactics/TA0008/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md"
 ],
 "tags": [
 "attack.lateral_movement"
@@ -472,13 +470,13 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://attack.mitre.org/tactics/TA0008/",
 "https://attack.mitre.org/techniques/T1021/003/",
- "https://attack.mitre.org/techniques/T1047/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
+ "https://attack.mitre.org/techniques/T1047/"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -502,12 +500,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/techniques/T1112/",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
+ "https://attack.mitre.org/techniques/T1112/",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://attack.mitre.org/tactics/TA0008/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
 ],
 "tags": [
@@ -530,12 +528,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/tactics/TA0007/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
+ "https://attack.mitre.org/tactics/TA0007/"
 ],
 "tags": "No established tags"
 },
@@ -555,12 +553,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/tactics/TA0008/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
+ "https://attack.mitre.org/tactics/TA0008/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md"
 ],
 "tags": [
 "attack.lateral_movement"
@@ -582,13 +580,13 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://attack.mitre.org/tactics/TA0008/",
 "https://attack.mitre.org/techniques/T1569/002/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -611,13 +609,13 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/techniques/T1053/",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://attack.mitre.org/techniques/T1053/",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml",
+ "https://attack.mitre.org/tactics/TA0008/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -641,12 +639,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/tactics/TA0007/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://attack.mitre.org/tactics/TA0007/"
 ],
 "tags": "No established tags"
 },
@@ -666,10 +664,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://attack.mitre.org/techniques/T1087/",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
- "https://github.com/zeronetworks/rpcfirewall",
+ "https://attack.mitre.org/techniques/T1087/",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
 ],
@@ -693,12 +691,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml",
 "https://attack.mitre.org/techniques/T1033/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md"
 ],
 "tags": [
 "attack.t1033"
@@ -720,11 +718,11 @@
 "logsource.category": "application",
 "logsource.product": "ruby_on_rails",
 "refs": [
- "http://edgeguides.rubyonrails.org/security.html",
 "http://guides.rubyonrails.org/action_controller_overview.html",
- "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml",
 "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
+ "http://edgeguides.rubyonrails.org/security.html",
+ "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception"
 ],
 "tags": [
 "attack.initial_access",
@@ -771,8 +769,8 @@
 "logsource.category": "application",
 "logsource.product": "sql",
 "refs": [
- "http://www.sqlinjection.net/errors",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/sql/app_sqlinjection_errors.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/application/sql/app_sqlinjection_errors.yml",
+ "http://www.sqlinjection.net/errors"
 ],
 "tags": [
 "attack.initial_access",
@@ -867,8 +865,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_disable_encryption.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_disable_encryption.yml",
+ "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
 ],
 "tags": [
 "attack.impact",
@@ -892,8 +890,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_download_userdata.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_download_userdata.yml",
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py"
 ],
 "tags": [
 "attack.exfiltration",
@@ -916,8 +914,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_startup_script_change.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_startup_script_change.yml",
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9"
 ],
 "tags": [
 "attack.execution",
@@ -966,10 +964,10 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
 "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
- "https://attack.mitre.org/techniques/T1525",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml"
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml",
+ "https://attack.mitre.org/techniques/T1525"
 ],
 "tags": [
 "attack.persistence",
@@ -1065,8 +1063,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_created.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_created.yml",
+ "https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml"
 ],
 "tags": [
 "attack.persistence",
@@ -1137,8 +1135,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_guardduty_disruption.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_guardduty_disruption.yml",
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -1211,8 +1209,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/cli/latest/reference/macie/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_macic_evasion.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_macic_evasion.yml",
+ "https://docs.aws.amazon.com/cli/latest/reference/macie/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -1260,8 +1258,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_change_master_password.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_change_master_password.yml",
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py"
 ],
 "tags": [
 "attack.exfiltration",
@@ -1284,8 +1282,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_public_db_restore.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_public_db_restore.yml",
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py"
 ],
 "tags": [
 "attack.exfiltration",
@@ -1332,8 +1330,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
 "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
 "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml"
 ],
@@ -1359,8 +1357,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml"
 ],
 "tags": [
 "attack.persistence",
@@ -1384,13 +1382,13 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/elastic/detection-rules/pull/1145/files",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
+ "https://github.com/elastic/detection-rules/pull/1145/files",
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
 ],
 "tags": [
@@ -1467,8 +1465,8 @@
 "logsource.product": "aws",
 "refs": [
 "https://github.com/elastic/detection-rules/pull/1214",
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml",
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -1494,9 +1492,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/elastic/detection-rules/pull/1213",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml",
 "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml"
+ "https://github.com/elastic/detection-rules/pull/1213"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -1524,9 +1522,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
 "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml",
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html"
 ],
 "tags": [
 "attack.initial_access",
@@ -1554,8 +1552,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_update_login_profile.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_update_login_profile.yml",
+ "https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation"
 ],
 "tags": [
 "attack.persistence",
@@ -1578,8 +1576,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://o365blog.com/post/hybridhealthagent/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml",
+ "https://o365blog.com/post/hybridhealthagent/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -1602,8 +1600,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://o365blog.com/post/hybridhealthagent/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml",
+ "https://o365blog.com/post/hybridhealthagent/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -1627,8 +1625,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -1728,8 +1726,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_account_lockout.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_account_lockout.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts"
 ],
 "tags": [
 "attack.credential_access",
@@ -1870,8 +1868,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -1918,8 +1916,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -2084,9 +2082,9 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://attack.mitre.org/techniques/T1098/003/",
 "https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml",
+ "https://attack.mitre.org/techniques/T1098/003/"
 ],
 "tags": [
 "attack.persistence",
@@ -2136,8 +2134,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -2161,8 +2159,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -2184,8 +2182,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_appid_uri_changes.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_appid_uri_changes.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed"
 ],
 "tags": [
 "attack.t1528",
@@ -2258,8 +2256,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_delegated_permissions_all_users.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_delegated_permissions_all_users.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions"
 ],
 "tags": [
 "attack.privilege_escalation"
@@ -2281,8 +2279,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_device_code_authentication.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_device_code_authentication.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows"
 ],
 "tags": [
 "attack.t1078",
@@ -2308,8 +2306,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent"
 ],
 "tags": [
 "attack.privilege_escalation"
@@ -2380,8 +2378,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_for_api.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_for_api.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions"
 ],
 "tags": [
 "attack.privilege_escalation"
@@ -2403,8 +2401,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_msft.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_msft.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions"
 ],
 "tags": [
 "attack.privilege_escalation"
@@ -2426,8 +2424,8 @@
 "logsource.category": "No established category",
 "logsource.product": "microsoft365portal",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_privileged_permissions.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_privileged_permissions.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions"
 ],
 "tags": [
 "attack.privilege_escalation"
@@ -2449,8 +2447,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_role_added.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_role_added.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role"
 ],
 "tags": [
 "attack.persistence"
@@ -2472,8 +2470,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_ropc_authentication.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_ropc_authentication.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows"
 ],
 "tags": [
 "attack.t1078",
@@ -2499,8 +2497,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_uri_modifications.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_uri_modifications.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes"
 ],
 "tags": [
 "attack.t1528",
@@ -2549,8 +2547,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_change_to_authentication_method.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_change_to_authentication_method.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts"
 ],
 "tags": [
 "attack.credential_access"
@@ -2574,8 +2572,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_conditional_access_failure.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_conditional_access_failure.yml",
+ "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts"
 ],
 "tags": [
 "attack.credential_access",
@@ -2599,12 +2597,12 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
 ],
 "tags": [
 "attack.impact"
@@ -2626,8 +2624,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_creating_number_of_resources_detection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_creating_number_of_resources_detection.yml",
+ "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml"
 ],
 "tags": [
 "attack.t1098"
@@ -2698,8 +2696,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
 ],
 "tags": [
 "attack.impact"
@@ -2723,9 +2721,9 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://attack.mitre.org/techniques/T1078",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_federation_modified.yml",
 "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_federation_modified.yml"
+ "https://attack.mitre.org/techniques/T1078"
 ],
 "tags": [
 "attack.initial_access",
@@ -2749,8 +2747,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -2773,8 +2771,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -2843,8 +2841,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_removal_ca_modification.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_removal_ca_modification.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access"
 ],
 "tags": [
 "attack.persistence",
@@ -2917,8 +2915,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact",
@@ -2945,8 +2943,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact",
@@ -2973,8 +2971,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact",
@@ -3000,8 +2998,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_admission_controller.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_admission_controller.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
 ],
 "tags": [
 "attack.persistence",
@@ -3028,11 +3026,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
 ],
 "tags": [
@@ -3056,11 +3054,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
- "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
+ "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
 ],
 "tags": [
 "attack.persistence",
@@ -3084,9 +3082,9 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml"
+ "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -3111,12 +3109,12 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
 ],
 "tags": [
 "attack.impact",
@@ -3140,9 +3138,9 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
 ],
 "tags": [
 "attack.impact"
@@ -3165,12 +3163,12 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
 ],
 "tags": [
 "attack.impact",
@@ -3194,12 +3192,12 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
 ],
 "tags": [
 "attack.impact"
@@ -3221,12 +3219,12 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
 ],
 "tags": [
 "attack.impact"
@@ -3249,12 +3247,12 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"
 ],
 "tags": [
 "attack.impact"
@@ -3300,8 +3298,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_login_to_disabled_account.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_login_to_disabled_account.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts"
 ],
 "tags": [
 "attack.initial_access",
@@ -3373,8 +3371,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_interrupted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_interrupted.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts"
 ],
 "tags": [
 "attack.initial_access",
@@ -3398,8 +3396,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -3422,8 +3420,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -3446,8 +3444,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -3470,8 +3468,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_security_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_security_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -3494,8 +3492,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -3517,8 +3515,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_new_cloudshell_created.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_new_cloudshell_created.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.execution",
@@ -3543,8 +3541,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -3687,8 +3685,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_privileged_account_creation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_privileged_account_creation.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts"
 ],
 "tags": [
 "attack.persistence",
@@ -3712,8 +3710,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_rare_operations.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_rare_operations.yml",
+ "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml"
 ],
 "tags": [
 "attack.t1003"
@@ -3737,8 +3735,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_created.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_created.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -3785,8 +3783,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization"
 ],
 "tags": [
 "attack.initial_access",
@@ -3835,8 +3833,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_suppression_rule_created.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_suppression_rule_created.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -3858,8 +3856,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_tap_added.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_tap_added.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -3930,8 +3928,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml",
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts"
 ],
 "tags": [
 "attack.credential_access",
@@ -3978,8 +3976,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -4002,8 +4000,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
 "tags": [
 "attack.impact"
@@ -4026,8 +4024,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/storage/docs/json_api/v1/buckets",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_enumeration.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_enumeration.yml",
+ "https://cloud.google.com/storage/docs/json_api/v1/buckets"
 ],
 "tags": [
 "attack.discovery"
@@ -4050,8 +4048,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/storage/docs/json_api/v1/buckets",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml",
+ "https://cloud.google.com/storage/docs/json_api/v1/buckets"
 ],
 "tags": [
 "attack.impact"
@@ -4097,8 +4095,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/dns/docs/reference/v1/managedZones",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml",
+ "https://cloud.google.com/dns/docs/reference/v1/managedZones"
 ],
 "tags": [
 "attack.impact"
@@ -4121,8 +4119,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml"
 ],
 "tags": [
@@ -4147,8 +4145,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml"
 ],
 "tags": [
@@ -4202,9 +4200,9 @@
 "logsource.product": "gcp",
 "refs": [
 "https://cloud.google.com/kubernetes-engine/docs",
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml",
 "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/"
 ],
 "tags": [
 "attack.persistence",
@@ -4231,10 +4229,10 @@
 "refs": [
 "https://github.com/elastic/detection-rules/pull/1267",
 "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
- "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
- "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control"
 ],
 "tags": [
 "attack.credential_access"
@@ -4281,8 +4279,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml",
+ "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts"
 ],
 "tags": [
 "attack.impact",
@@ -4306,8 +4304,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_modified.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_modified.yml",
+ "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts"
 ],
 "tags": [
 "attack.impact"
@@ -4379,10 +4377,10 @@
 "logsource.category": "No established category",
 "logsource.product": "google_workspace",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION"
 ],
 "tags": [
 "attack.impact"
@@ -4405,8 +4403,8 @@
 "logsource.product": "google_workspace",
 "refs": [
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS"
 ],
 "tags": [
 "attack.persistence",
@@ -4429,10 +4427,10 @@
 "logsource.category": "No established category",
 "logsource.product": "google_workspace",
 "refs": [
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION"
 ],
 "tags": [
 "attack.impact"
@@ -4455,8 +4453,8 @@
 "logsource.product": "google_workspace",
 "refs": [
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings"
 ],
 "tags": [
 "attack.impact"
@@ -4478,9 +4476,9 @@
 "logsource.category": "No established category",
 "logsource.product": "google_workspace",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml"
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings"
 ],
 "tags": [
 "attack.impact"
@@ -4502,9 +4500,9 @@
 "logsource.category": "No established category",
 "logsource.product": "google_workspace",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml"
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE"
 ],
 "tags": [
 "attack.persistence",
@@ -4527,9 +4525,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy"
 ],
 "tags": [
 "attack.impact"
@@ -4551,9 +4549,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy"
 ],
 "tags": [
 "attack.command_and_control",
@@ -4576,9 +4574,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy"
 ],
 "tags": [
 "attack.command_and_control",
@@ -4601,9 +4599,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy"
 ],
 "tags": [
 "attack.exfiltration",
@@ -4626,9 +4624,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy"
 ],
 "tags": [
 "attack.command_and_control",
@@ -4651,9 +4649,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy"
 ],
 "tags": [
 "attack.initial_access",
@@ -4676,9 +4674,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy"
 ],
 "tags": [
 "attack.initial_access",
@@ -4701,12 +4699,12 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
 "https://www.sygnia.co/golden-saml-advisory",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
 "https://o365blog.com/post/aadbackdoor/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
+ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf"
 ],
 "tags": [
 "attack.persistence",
@@ -4729,9 +4727,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy"
 ],
 "tags": [
 "attack.impact",
@@ -4754,8 +4752,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://attack.mitre.org/techniques/T1114/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert.yml",
+ "https://attack.mitre.org/techniques/T1114/"
 ],
 "tags": [
 "attack.collection",
@@ -4778,9 +4776,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy"
 ],
 "tags": [
 "attack.exfiltration",
@@ -4803,8 +4801,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml"
 ],
 "tags": [
@@ -4827,9 +4825,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy"
 ],
 "tags": [
 "attack.impact",
@@ -4852,9 +4850,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy"
 ],
 "tags": [
 "attack.initial_access",
@@ -4877,9 +4875,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml",
 "https://developer.okta.com/docs/reference/api/event-types/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
+ "https://developer.okta.com/docs/reference/api/system-log/"
 ],
 "tags": [
 "attack.impact"
@@ -4901,9 +4899,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml",
 "https://developer.okta.com/docs/reference/api/event-types/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
+ "https://developer.okta.com/docs/reference/api/system-log/"
 ],
 "tags": [
 "attack.persistence"
@@ -4925,8 +4923,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
 ],
 "tags": [
@@ -4949,8 +4947,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
 ],
 "tags": [
@@ -4973,8 +4971,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -4997,8 +4995,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
 ],
 "tags": [
@@ -5021,9 +5019,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml",
+ "https://developer.okta.com/docs/reference/api/system-log/"
 ],
 "tags": [
 "attack.impact"
@@ -5047,8 +5045,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -5071,9 +5069,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml",
 "https://developer.okta.com/docs/reference/api/event-types/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
+ "https://developer.okta.com/docs/reference/api/system-log/"
 ],
 "tags": [
 "attack.impact"
@@ -5095,10 +5093,10 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml",
 "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
+ "https://developer.okta.com/docs/reference/api/system-log/"
 ],
 "tags": "No established tags"
 },
@@ -5118,8 +5116,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
 ],
 "tags": [
@@ -5142,9 +5140,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml",
+ "https://developer.okta.com/docs/reference/api/system-log/"
 ],
 "tags": [
 "attack.impact"
@@ -5166,8 +5164,8 @@
 "logsource.category": "No established category",
 "logsource.product": "onelogin",
 "refs": [
- "https://developers.onelogin.com/api-docs/1/events/event-resource",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_assumed_another_user.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_assumed_another_user.yml",
+ "https://developers.onelogin.com/api-docs/1/events/event-resource"
 ],
 "tags": [
 "attack.impact"
@@ -5212,11 +5210,11 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
 ],
 "tags": "No established tags"
 },
@@ -5236,10 +5234,10 @@
 "logsource.category": "firewall",
 "logsource.product": "No established product",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/firewall_cleartext_protocols.yml"
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/firewall_cleartext_protocols.yml",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
 ],
 "tags": "No established tags"
 },
@@ -5259,16 +5257,16 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/group_modification_logging.yml",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/group_modification_logging.yml"
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
 ],
 "tags": "No established tags"
 },
@@ -5286,10 +5284,10 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
 ],
 "tags": "No established tags"
 },
@@ -5309,10 +5307,10 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
 ],
 "tags": "No established tags"
 },
@@ -5332,11 +5330,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/workstation_was_locked.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/workstation_was_locked.yml",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
 ],
 "tags": "No established tags"
 },
@@ -5381,10 +5379,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/1/arecord",
 "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa",
- "https://attack.mitre.org/techniques/T1123/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml"
+ "https://linux.die.net/man/1/arecord",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml",
+ "https://attack.mitre.org/techniques/T1123/"
 ],
 "tags": [
 "attack.collection",
@@ -5407,9 +5405,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml",
 "https://github.com/Neo23x0/auditd/blob/master/audit.rules",
- "Self Experience",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml"
+ "Self Experience"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -5456,9 +5454,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml",
 "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
- "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
 ],
 "tags": [
 "attack.execution",
@@ -5483,8 +5481,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
- "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml",
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -5507,11 +5505,11 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml",
 "https://man7.org/linux/man-pages/man8/getcap.8.html",
 "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
 "https://mn3m.info/posts/suid-vs-capabilities/",
- "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
+ "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099"
 ],
 "tags": [
 "attack.collection",
@@ -5560,8 +5558,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -5584,10 +5582,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://attack.mitre.org/techniques/T1115/",
 "https://linux.die.net/man/1/xclip",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml",
 "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml"
+ "https://attack.mitre.org/techniques/T1115/"
 ],
 "tags": [
 "attack.collection",
@@ -5610,9 +5608,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://attack.mitre.org/techniques/T1115/",
 "https://linux.die.net/man/1/xclip",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml",
+ "https://attack.mitre.org/techniques/T1115/"
 ],
 "tags": [
 "attack.collection",
@@ -5708,8 +5706,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml",
+ "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -5733,10 +5731,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/berdav/CVE-2021-4034",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034",
- "https://access.redhat.com/security/cve/CVE-2021-4034",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml"
+ "https://github.com/berdav/CVE-2021-4034",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml",
+ "https://access.redhat.com/security/cve/CVE-2021-4034"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -5759,8 +5757,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_compressed.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_compressed.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md"
 ],
 "tags": [
 "attack.exfiltration",
@@ -5783,9 +5781,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://attack.mitre.org/tactics/TA0010/",
- "https://linux.die.net/man/1/wget",
 "https://gtfobins.github.io/gtfobins/wget/",
+ "https://linux.die.net/man/1/wget",
+ "https://attack.mitre.org/tactics/TA0010/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml"
 ],
 "tags": [
@@ -5835,9 +5833,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
- "https://attack.mitre.org/techniques/T1562/004/",
 "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml",
+ "https://attack.mitre.org/techniques/T1562/004/"
 ],
 "tags": [
 "attack.t1562.004",
@@ -5860,8 +5858,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -5908,9 +5906,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md",
- "https://attack.mitre.org/techniques/T1564/001/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml"
+ "https://attack.mitre.org/techniques/T1564/001/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -5933,9 +5931,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://attack.mitre.org/techniques/T1027/003/",
 "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml",
+ "https://attack.mitre.org/techniques/T1027/003/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -5958,10 +5956,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
- "https://attack.mitre.org/techniques/T1003/",
- "https://linux.die.net/man/8/pam_tty_audit",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
+ "https://linux.die.net/man/8/pam_tty_audit",
+ "https://attack.mitre.org/techniques/T1003/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
 "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
 ],
@@ -5987,8 +5985,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml"
 ],
 "tags": [
@@ -6013,10 +6011,10 @@
 "logsource.product": "linux",
 "refs": [
 "https://attack.mitre.org/techniques/T1547/006/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
- "https://linux.die.net/man/8/insmod",
 "https://man7.org/linux/man-pages/man8/kmod.8.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
+ "https://linux.die.net/man/8/insmod"
 ],
 "tags": [
 "attack.persistence",
@@ -6040,8 +6038,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "self experience",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_logging_config_change.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_logging_config_change.yml",
+ "self experience"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -6110,8 +6108,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_sniffing.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_sniffing.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md"
 ],
 "tags": [
 "attack.credential_access",
@@ -6135,9 +6133,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
 "https://github.com/Azure/Azure-Sentinel/pull/3059",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml",
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -6164,12 +6162,12 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
- "https://attack.mitre.org/techniques/T1201/",
 "https://linux.die.net/man/1/chage",
 "https://man7.org/linux/man-pages/man1/passwd.1.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
 "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml",
+ "https://attack.mitre.org/techniques/T1201/"
 ],
 "tags": [
 "attack.discovery",
@@ -6218,11 +6216,11 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
 "https://attack.mitre.org/techniques/T1113/",
- "https://linux.die.net/man/1/import",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml",
 "https://imagemagick.org/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
+ "https://linux.die.net/man/1/import"
 ],
 "tags": [
 "attack.collection",
@@ -6245,9 +6243,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
 "https://attack.mitre.org/techniques/T1113/",
 "https://linux.die.net/man/1/xwd",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml"
 ],
 "tags": [
@@ -6271,8 +6269,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md"
 ],
 "tags": [
 "attack.exfiltration",
@@ -6295,8 +6293,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://attack.mitre.org/techniques/T1027/003/",
 "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/",
+ "https://attack.mitre.org/techniques/T1027/003/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml"
 ],
 "tags": [
@@ -6320,9 +6318,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://attack.mitre.org/techniques/T1027/003/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml",
 "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml"
+ "https://attack.mitre.org/techniques/T1027/003/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -6345,8 +6343,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Neo23x0/auditd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml",
+ "https://github.com/Neo23x0/auditd"
 ],
 "tags": [
 "attack.command_and_control"
@@ -6368,8 +6366,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "Internal Research - mostly derived from exploit code including code in MSF",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_cmds.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_cmds.yml",
+ "Internal Research - mostly derived from exploit code including code in MSF"
 ],
 "tags": [
 "attack.execution",
@@ -6393,8 +6391,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml",
+ "Internal Research"
 ],
 "tags": [
 "attack.t1587",
@@ -6419,8 +6417,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md"
 ],
 "tags": [
 "attack.credential_access",
@@ -6444,8 +6442,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://attack.mitre.org/techniques/T1543/002/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md"
 ],
 "tags": [
 "attack.persistence",
@@ -6469,8 +6467,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://attack.mitre.org/techniques/T1082/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md"
 ],
 "tags": [
 "attack.discovery",
@@ -6493,8 +6491,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware"
 ],
 "tags": [
 "attack.discovery",
@@ -6517,8 +6515,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md"
 ],
 "tags": [
 "attack.impact",
@@ -6541,9 +6539,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://attack.mitre.org/techniques/T1027/003/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml",
 "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml"
+ "https://attack.mitre.org/techniques/T1027/003/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -6591,8 +6589,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "personal experience",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_web_rce.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_web_rce.yml",
+ "personal experience"
 ],
 "tags": [
 "attack.persistence",
@@ -6712,8 +6710,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://attack.mitre.org/techniques/T1105/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_file_copy.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_file_copy.yml",
+ "https://attack.mitre.org/techniques/T1105/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -6762,9 +6760,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml",
 "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/",
- "https://github.com/Immersive-Labs-Sec/nimbuspwn",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml"
+ "https://github.com/Immersive-Labs-Sec/nimbuspwn"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -6787,8 +6785,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/wdormann/status/1486161836961579020",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml",
+ "https://twitter.com/wdormann/status/1486161836961579020"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -6811,8 +6809,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shellshock.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shellshock.yml",
+ "https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf"
 ],
 "tags": [
 "attack.persistence",
@@ -6836,9 +6834,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml",
 "https://attack.mitre.org/techniques/T1070/003/",
- "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"
+ "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -6861,9 +6859,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/",
- "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
 "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml",
+ "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
+ "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml"
 ],
 "tags": [
@@ -6887,11 +6885,11 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
- "http://pastebin.com/FtygZ1cg",
 "https://artkond.com/2017/03/23/pivoting-guide/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml",
+ "http://pastebin.com/FtygZ1cg",
+ "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html"
 ],
 "tags": [
 "attack.execution",
@@ -6983,10 +6981,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.openwall.com/lists/oss-security/2019/10/14/1",
 "https://access.redhat.com/security/cve/cve-2019-14287",
- "https://twitter.com/matthieugarin/status/1183970598210412546",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml",
+ "https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://twitter.com/matthieugarin/status/1183970598210412546"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -7011,8 +7009,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
 "https://book.hacktricks.xyz/shells/shells/linux",
+ "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
 ],
@@ -7084,9 +7082,9 @@
 "logsource.category": "file_create",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml",
 "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
- "https://www.makeuseof.com/how-to-install-and-use-doas/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml"
+ "https://www.makeuseof.com/how-to-install-and-use-doas/"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -7109,8 +7107,8 @@
 "logsource.category": "file_create",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_cron_files.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_cron_files.yml",
+ "https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml"
 ],
 "tags": [
 "attack.persistence",
@@ -7133,8 +7131,8 @@
 "logsource.category": "file_create",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_sudoers_files.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_sudoers_files.yml",
+ "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh"
 ],
 "tags": [
 "attack.persistence",
@@ -7250,8 +7248,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "linux",
 "refs": [
- "https://www.poolwatch.io/coin/monero",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml",
+ "https://www.poolwatch.io/coin/monero"
 ],
 "tags": "No established tags"
 },
@@ -7271,8 +7269,8 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" ], "tags": [ @@ -7520,8 +7518,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md" ], "tags": [ "attack.defense_evasion", @@ -7568,9 +7566,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml", + "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html" ], "tags": [ "attack.defense_evasion", 
@@ -7593,9 +7591,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://bpftrace.org/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml", + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/" ], "tags": [ "attack.execution", @@ -7618,8 +7616,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/sleventyeleven/linuxprivchecker/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml", + "https://github.com/sleventyeleven/linuxprivchecker/" ], "tags": [ "attack.reconnaissance", @@ -7642,8 +7640,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html" ], "tags": [ "attack.defense_evasion", 
@@ -7714,8 +7712,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.packetlabs.net/posts/clipboard-data-security/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml", + "https://www.packetlabs.net/posts/clipboard-data-security/" ], "tags": [ "attack.collection", @@ -7761,8 +7759,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.poolwatch.io/coin/monero", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml", + "https://www.poolwatch.io/coin/monero" ], "tags": "No established tags" }, @@ -7783,8 +7781,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html" ], "tags": [ "attack.command_and_control", 
@@ -7807,8 +7805,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml", + "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/" ], "tags": [ "attack.initial_access", @@ -7835,9 +7833,9 @@ "logsource.product": "linux", "refs": [ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", - "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/apache/spark/pull/36315/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html" ], "tags": [ "attack.initial_access", 
@@ -7861,8 +7859,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd" ], "tags": [ "attack.impact", @@ -7885,9 +7883,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://research.splunk.com/endpoint/linux_doas_tool_execution/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml", "https://www.makeuseof.com/how-to-install-and-use-doas/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" + "https://research.splunk.com/endpoint/linux_doas_tool_execution/" ], "tags": [ "attack.privilege_escalation", @@ -7934,8 +7932,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md" ], "tags": [ "attack.defense_evasion", 
@@ -7958,8 +7956,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md" ], "tags": [ "attack.defense_evasion", @@ -7982,8 +7980,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_account.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_account.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md" ], "tags": [ "attack.discovery", @@ -8006,8 +8004,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_groups.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_groups.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md" ], "tags": [ "attack.discovery", 
@@ -8030,8 +8028,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md" ], "tags": [ "attack.discovery", @@ -8054,9 +8052,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/nohup/", "https://en.wikipedia.org/wiki/Nohup", "https://www.computerhope.com/unix/unohup.htm", + "https://gtfobins.github.io/gtfobins/nohup/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], "tags": "No established tags" @@ -8077,9 +8075,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml", "https://github.com/Azure/Azure-Sentinel/pull/3059", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure" ], "tags": [ "attack.privilege_escalation", 
@@ -8106,9 +8104,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/Azure/Azure-Sentinel/pull/3059", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure" ], "tags": [ "attack.privilege_escalation", @@ -8159,8 +8157,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/techniques/T1090/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml", + "https://attack.mitre.org/techniques/T1090/" ], "tags": [ "attack.defense_evasion", @@ -8257,8 +8255,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md" ], "tags": [ "attack.discovery", 
@@ -8305,8 +8303,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml", + "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html" ], "tags": [ "attack.defense_evasion" @@ -8328,9 +8326,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml", "https://attack.mitre.org/techniques/T1548/001/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md" ], "tags": [ "attack.persistence" @@ -8352,8 +8350,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://access.redhat.com/security/cve/cve-2019-14287", + "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://twitter.com/matthieugarin/status/1183970598210412546", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], 
@@ -8405,12 +8403,12 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/d1r4c/status/1279042657508081664", - "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml", "https://curl.se/docs/manpage.html", - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", + "https://twitter.com/d1r4c/status/1279042657508081664", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html" ], "tags": [ "attack.exfiltration", @@ -8484,9 +8482,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml", "https://github.com/sleventyeleven/linuxprivchecker/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md" ], "tags": [ "attack.reconnaissance", 
@@ -8509,8 +8507,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml", + "Internal Research" ], "tags": "No established tags" }, @@ -8530,8 +8528,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.tecmint.com/different-types-of-linux-shells/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml", + "https://www.tecmint.com/different-types-of-linux-shells/" ], "tags": [ "attack.execution", @@ -8554,8 +8552,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml", + "Internal Research" ], "tags": [ "attack.defense_evasion", @@ -8578,8 +8576,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml", + "https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py" ], "tags": [ "attack.reconnaissance", 
@@ -8604,8 +8602,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md" ], "tags": [ "attack.discovery", @@ -8700,8 +8698,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml", + "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh" ], "tags": [ "attack.defense_evasion", @@ -8749,9 +8747,9 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md" ], "tags": [ "attack.persistence", 
@@ -8896,8 +8894,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md" ], "tags": [ "attack.defense_evasion", @@ -8969,8 +8967,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", - "https://gist.github.com/Capybara/6228955", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml", + "https://gist.github.com/Capybara/6228955" ], "tags": [ "attack.credential_access", @@ -8993,8 +8991,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md" ], "tags": [ "attack.defense_evasion", 
@@ -9066,8 +9064,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", - "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml", + "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/" ], "tags": [ "attack.credential_access", @@ -9090,8 +9088,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_account.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_account.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md" ], "tags": [ "attack.discovery", @@ -9114,8 +9112,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_groups.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_groups.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md" ], "tags": [ "attack.discovery", 
@@ -9138,8 +9136,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md" ], "tags": [ "attack.discovery", @@ -9267,8 +9265,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py" ], "tags": [ "attack.collection", 
@@ -9291,8 +9289,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md" ], "tags": [ "attack.discovery", @@ -9364,8 +9362,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", - "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml", + "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/" ], "tags": [ "attack.t1566", 
@@ -9398,8 +9396,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md" ], "tags": [ "attack.credential_access", @@ -9422,10 +9420,10 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", - "https://www.manpagez.com/man/8/firmwarepasswd/", "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" + "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml", + "https://www.manpagez.com/man/8/firmwarepasswd/" ], "tags": [ "attack.impact" 
@@ -9519,10 +9517,10 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97" ], "tags": [ "attack.command_and_control" @@ -9568,9 +9566,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08" ], "tags": [ "attack.command_and_control" 
@@ -9898,9 +9896,9 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://zeltser.com/c2-dns-tunneling/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml", "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml" + "https://zeltser.com/c2-dns-tunneling/" ], "tags": [ "attack.command_and_control", @@ -10049,9 +10047,9 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/" ], "tags": [ "attack.command_and_control", @@ -10074,8 +10072,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml", + "https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/" ], "tags": [ "attack.impact", 
@@ -10125,11 +10123,11 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
+ "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://core.telegram.org/bots/faq",
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
- "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -10152,9 +10150,9 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/stvemillertime/status/1024707932447854592",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml",
+ "https://twitter.com/stvemillertime/status/1024707932447854592"
 ],
 "tags": [
 "attack.command_and_control",
@@ -10202,8 +10200,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
- "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml",
+ "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195"
 ],
 "tags": [
 "attack.command_and_control",
@@ -10324,8 +10322,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/37",
+ "https://github.com/OTRF/detection-hackathon-apt29",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml"
 ],
 "tags": [
@@ -10402,11 +10400,11 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
 "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
 "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml",
 "https://threatpost.com/microsoft-petitpotam-poc/168163/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
+ "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp"
 ],
 "tags": [
 "attack.t1557.001",
@@ -10429,13 +10427,13 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
- "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://github.com/corelight/CVE-2021-1675",
 "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml",
 "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
+ "https://github.com/corelight/CVE-2021-1675",
+ "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29"
 ],
 "tags": [
 "attack.execution",
@@ -10460,9 +10458,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
 "https://twitter.com/_dirkjan/status/1309214379003588608",
+ "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -10486,8 +10484,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml",
+ "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468"
 ],
 "tags": [
 "attack.command_and_control",
@@ -10534,10 +10532,10 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://github.com/nknorg/nkn-sdk-go",
- "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml",
 "https://github.com/Maka8ka/NGLite",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
+ "https://github.com/nknorg/nkn-sdk-go",
+ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/"
 ],
 "tags": [
 "attack.command_and_control"
@@ -10560,11 +10558,11 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://twitter.com/neu5ron/status/1346245602502443009",
 "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
- "https://tools.ietf.org/html/rfc2929#section-2.1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml",
 "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
+ "https://twitter.com/neu5ron/status/1346245602502443009",
+ "https://tools.ietf.org/html/rfc2929#section-2.1"
 ],
 "tags": [
 "attack.t1095",
@@ -10611,9 +10609,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml",
 "https://github.com/OTRF/detection-hackathon-apt29",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml"
+ "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html"
 ],
 "tags": [
 "attack.command_and_control",
@@ -10637,9 +10635,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml",
 "https://twitter.com/neu5ron/status/1438987292971053057?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml"
+ "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -10743,8 +10741,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml",
+ "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html"
 ],
 "tags": [
 "attack.credential_access",
@@ -10793,8 +10791,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml",
+ "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -10818,8 +10816,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml",
+ "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml"
 ],
 "tags": [
 "attack.collection"
@@ -10841,8 +10839,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml",
+ "https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml"
 ],
 "tags": [
 "attack.credential_access",
@@ -10867,8 +10865,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://adsecurity.org/?p=3458",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_susp_kerberos_rc4.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_susp_kerberos_rc4.yml",
+ "https://adsecurity.org/?p=3458"
 ],
 "tags": [
 "attack.credential_access",
@@ -10891,9 +10889,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.advanced-ip-scanner.com/",
 "https://www.advanced-port-scanner.com/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml",
+ "https://www.advanced-ip-scanner.com/"
 ],
 "tags": [
 "attack.discovery",
@@ -10916,8 +10914,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "Internal research from Florian Roth",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt40.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt40.yml",
+ "Internal research from Florian Roth"
 ],
 "tags": [
 "attack.command_and_control",
@@ -10942,8 +10940,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt_domestic_kitten.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt_domestic_kitten.yml",
+ "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/"
 ],
 "tags": [
 "attack.command_and_control"
@@ -11014,8 +11012,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
- "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml",
+ "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -11039,8 +11037,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_malformed_uas.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_malformed_uas.yml",
+ "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -11064,8 +11062,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_ocsp.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_ocsp.yml",
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -11089,8 +11087,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_onedrive.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_onedrive.yml",
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -11166,11 +11164,11 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
 "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml",
 "https://www.spamhaus.org/statistics/tlds/",
- "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml"
+ "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
+ "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/"
 ],
 "tags": [
 "attack.initial_access",
@@ -11247,8 +11245,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/Carlos_Perez/status/883455096645931008",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empty_ua.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empty_ua.yml",
+ "https://twitter.com/Carlos_Perez/status/883455096645931008"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -11272,9 +11270,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ios_implant.yml",
 "https://twitter.com/craiu/status/1167358457344925696",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ios_implant.yml"
+ "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"
 ],
 "tags": [
 "attack.execution",
@@ -11352,8 +11350,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://breakdev.org/pwndrop/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_pwndrop.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_pwndrop.yml",
+ "https://breakdev.org/pwndrop/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -11405,8 +11403,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_susp_flash_download_loc.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_susp_flash_download_loc.yml",
+ "https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb"
 ],
 "tags": [
 "attack.initial_access",
@@ -11433,10 +11431,10 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -11487,8 +11485,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_apt.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_apt.yml",
+ "Internal Research"
 ],
 "tags": [
 "attack.command_and_control",
@@ -11565,9 +11563,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_cryptominer.yml",
 "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65",
- "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_cryptominer.yml"
+ "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h"
 ],
 "tags": [
 "attack.command_and_control",
@@ -11641,12 +11639,12 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
- "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
+ "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml",
 "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
 "https://perishablepress.com/blacklist/ua-2013.txt",
- "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml"
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "http://www.botopedia.org/search?searchword=scan&searchphrase=all"
 ],
 "tags": [
 "attack.command_and_control",
@@ -11742,8 +11740,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_c2_url.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_c2_url.yml",
+ "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html"
 ],
 "tags": [
 "attack.initial_access",
@@ -11814,8 +11812,8 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_threading_error.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_threading_error.yml",
+ "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md"
 ],
 "tags": "No established tags"
 },
@@ -11836,8 +11834,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/projectdiscovery/nuclei-templates",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2010_5278_exploitation_attempt.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2010_5278_exploitation_attempt.yml",
+ "https://github.com/projectdiscovery/nuclei-templates"
 ],
 "tags": [
 "attack.initial_access",
@@ -11861,9 +11859,9 @@
 "logsource.product": "No established product",
 "refs": [
 "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/",
- "https://www.exploit-db.com/exploits/39161",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml",
 "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml"
+ "https://www.exploit-db.com/exploits/39161"
 ],
 "tags": [
 "attack.initial_access",
@@ -11912,9 +11910,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/pyn3rd/status/1020620932967223296",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml",
 "https://github.com/LandGrey/CVE-2018-2894",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml"
+ "https://twitter.com/pyn3rd/status/1020620932967223296"
 ],
 "tags": [
 "attack.t1190",
@@ -11940,8 +11938,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.exploit-db.com/exploits/47297",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_11510_pulsesecure_exploit.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_11510_pulsesecure_exploit.yml",
+ "https://www.exploit-db.com/exploits/47297"
 ],
 "tags": [
 "attack.initial_access",
@@ -11964,12 +11962,12 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://support.citrix.com/article/CTX267679",
- "https://support.citrix.com/article/CTX267027",
 "https://isc.sans.edu/diary/25686",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml",
+ "https://support.citrix.com/article/CTX267679",
 "https://twitter.com/mpgn_x64/status/1216787131210829826",
- "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml"
+ "https://support.citrix.com/article/CTX267027",
+ "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md"
 ],
 "tags": [
 "attack.initial_access",
@@ -12016,8 +12014,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/Ridter/cve-2020-0688",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_exchange_exploit.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_exchange_exploit.yml",
+ "https://github.com/Ridter/cve-2020-0688"
 ],
 "tags": [
 "attack.initial_access",
@@ -12064,8 +12062,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://kb.cert.org/vuls/id/843464",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_10148_solarwinds_exploit.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_10148_solarwinds_exploit.yml",
+ "https://kb.cert.org/vuls/id/843464"
 ],
 "tags": [
 "attack.initial_access",
@@ -12088,10 +12086,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://isc.sans.edu/diary/26734",
- "https://twitter.com/jas502n/status/1321416053050667009?s=20",
 "https://twitter.com/sudo_sudoka/status/1323951871078223874",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml",
+ "https://twitter.com/jas502n/status/1321416053050667009?s=20",
+ "https://isc.sans.edu/diary/26734"
 ],
 "tags": [
 "attack.t1190",
@@ -12115,8 +12113,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
 "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
+ "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml"
 ],
 "tags": [
@@ -12169,9 +12167,9 @@
 "refs": [
 "https://support.f5.com/csp/article/K52145254",
 "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
- "https://twitter.com/yorickkoster/status/1279709009151434754",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml",
 "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml"
+ "https://twitter.com/yorickkoster/status/1279709009151434754"
 ],
 "tags": [
 "attack.initial_access",
@@ -12195,9 +12193,9 @@
 "logsource.product": "No established product",
 "refs": [
 "https://support.citrix.com/article/CTX276688",
- "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
 "https://dmaasland.github.io/posts/citrix.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml",
+ "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/"
 ],
 "tags": [
 "attack.initial_access",
@@ -12220,9 +12218,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
 "https://www.tenable.com/security/research/tra-2021-13",
 "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
+ "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
 ],
 "tags": [
@@ -12274,10 +12272,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
- "https://f5.pm/go-59627.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml",
 "https://swarm.ptsecurity.com/unauth-rce-vmware",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml"
+ "https://f5.pm/go-59627.html",
+ "https://www.vmware.com/security/advisories/VMSA-2021-0002.html"
 ],
 "tags": [
 "attack.initial_access",
@@ -12300,9 +12298,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/wugeej/status/1369476795255320580",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml",
 "https://paper.seebug.org/1495/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml"
+ "https://twitter.com/wugeej/status/1369476795255320580"
 ],
 "tags": [
 "attack.initial_access",
@@ -12326,9 +12324,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml",
 "https://kb.vmware.com/s/article/85717",
- "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml"
+ "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server"
 ],
 "tags": [
 "attack.initial_access",
@@ -12351,8 +12349,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22123_fortinet_exploit.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22123_fortinet_exploit.yml",
+ "https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection"
 ],
 "tags": [
 "attack.initial_access",
@@ -12375,9 +12373,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml",
 "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html",
- "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml"
+ "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784"
 ],
 "tags": [
 "attack.initial_access",
@@ -12426,8 +12424,8 @@
 "logsource.category": "webserver",
 "logsource.product": "windows",
 "refs": [
- "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26858_iis_rce.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26858_iis_rce.yml",
+ "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c"
 ],
 "tags": "No established tags"
 },
@@ -12447,8 +12445,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/GossiTheDog/status/1392965209132871683?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_28480_exchange_exploit.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_28480_exchange_exploit.yml",
+ "https://twitter.com/GossiTheDog/status/1392965209132871683?s=20"
 ],
 "tags": [
 "attack.initial_access",
@@ -12516,10 +12514,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
- "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml"
+ "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml",
+ "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/"
 ],
 "tags": [
 "attack.initial_access",
@@ -12544,13 +12542,13 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
- "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
 "https://twitter.com/ptswarm/status/1445376079548624899",
- "https://twitter.com/h4x0r_dz/status/1445401960371429381",
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
 "https://twitter.com/bl4sty/status/1445462677824761878",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml"
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
+ "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml",
+ "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
+ "https://twitter.com/h4x0r_dz/status/1445401960371429381"
 ],
 "tags": [
 "attack.initial_access",
@@ -12573,9 +12571,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://blog.assetnote.io/2021/11/02/sitecore-rce/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml",
 "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml"
+ "https://blog.assetnote.io/2021/11/02/sitecore-rce/"
 ],
 "tags": [
 "attack.initial_access",
@@ -12623,13 +12621,13 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://news.ycombinator.com/item?id=29504755",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
 "https://github.com/YfryTchsGD/Log4jAttackSurface",
 "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml"
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://news.ycombinator.com/item?id=29504755"
 ],
 "tags": [
 "attack.initial_access",
@@ -12652,13 +12650,13 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://news.ycombinator.com/item?id=29504755",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
 "https://github.com/YfryTchsGD/Log4jAttackSurface",
 "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml"
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://news.ycombinator.com/item?id=29504755"
 ],
 "tags": [
 "attack.initial_access",
@@ -12681,10 +12679,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
 "https://www.yang99.top/index.php/archives/82/",
 "https://github.com/vnhacker1337/CVE-2022-27925-PoC",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml",
+ "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/"
 ],
 "tags": [
 "attack.initial_access",
@@ -12757,10 +12755,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml",
 "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
 "https://github.com/apache/spark/pull/36315/files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml"
+ "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html"
 ],
 "tags": [
 "attack.initial_access",
@@ -12786,9 +12784,9 @@
 "refs": [
 "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
 "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
- "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
 "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml",
+ "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html"
 ],
 "tags": [
 "attack.initial_access",
@@ -12812,9 +12810,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
 ],
 "tags": [
 "attack.initial_access",
@@ -12837,10 +12835,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2231",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml",
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://youtu.be/5mqid-7zp8k?t=2231"
 ],
 "tags": [
 "attack.initial_access",
@@ -12863,9 +12861,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2231",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://youtu.be/5mqid-7zp8k?t=2231",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml"
 ],
 "tags": [
@@ -12914,11 +12912,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
- "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml",
 "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml"
+ "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
+ "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md"
 ],
 "tags": [
 "cve.2022.26134",
@@ -12941,9 +12939,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/pimps/JNDI-Exploit-Kit",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_jndi_exploit.yml",
 "https://githubmemory.com/repo/FunctFan/JNDIExploit",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_jndi_exploit.yml"
+ "https://github.com/pimps/JNDI-Exploit-Kit"
 ],
 "tags": "No established tags"
 },
@@ -12987,9 +12985,9 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml",
 "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml"
+ "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps"
 ],
 "tags": [
 "attack.impact",
@@ -13013,8 +13011,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/projectdiscovery/nuclei-templates",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_path_traversal_exploitation_attempt.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_path_traversal_exploitation_attempt.yml",
+ "https://github.com/projectdiscovery/nuclei-templates"
 ],
 "tags": [
 "attack.initial_access",
@@ -13037,9 +13035,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml",
 "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
- "https://www.anquanke.com/post/id/226029",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml"
+ "https://www.anquanke.com/post/id/226029"
 ],
 "tags": [
 "attack.persistence",
@@ -13062,8 +13060,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sonicwall_jarrewrite_exploit.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sonicwall_jarrewrite_exploit.yml",
+ "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/"
 ],
 "tags": [
 "attack.t1190",
@@ -13113,11 +13111,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
- "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
- "https://brightsec.com/blog/sql-injection-payloads/",
 "https://github.com/payloadbox/sql-injection-payload-list",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml",
+ "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
+ "https://brightsec.com/blog/sql-injection-payloads/",
+ "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/"
 ],
 "tags": "No established tags"
 },
@@ -13138,8 +13136,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
 "https://github.com/payloadbox/ssti-payloads",
+ "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_ssti_in_access_logs.yml"
 ],
 "tags": "No established tags"
@@ -13160,10 +13158,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
 "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml",
 "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml"
+ "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb"
 ],
 "tags": [
 "attack.initial_access",
@@ -13186,8 +13184,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_windows_path_uri.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_windows_path_uri.yml",
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/"
 ],
 "tags": [
 "attack.persistence",
@@ -13236,8 +13234,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
- "https://github.com/sensepost/reGeorg",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml",
+ "https://github.com/sensepost/reGeorg"
 ],
 "tags": [
 "attack.persistence",
@@ -13288,8 +13286,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/payloadbox/xss-payload-list",
 "https://portswigger.net/web-security/cross-site-scripting/contexts",
+ "https://github.com/payloadbox/xss-payload-list",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_xss_in_access_logs.yml"
 ],
 "tags": "No established tags"
@@ -13312,8 +13310,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://tools.thehacker.recipes/mimikatz/modules",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml",
+ "https://tools.thehacker.recipes/mimikatz/modules"
 ],
 "tags": [
 "attack.s0002",
@@ -13343,12 +13341,12 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/VM_vivisector/status/1217190929330655232",
 "https://twitter.com/DidierStevens/status/1217533958096924676",
- "https://twitter.com/FlemmingRiis/status/1217147415482060800",
 "https://www.youtube.com/watch?v=ebmW42YYveI",
+ "https://twitter.com/FlemmingRiis/status/1217147415482060800",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml",
 "https://nullsec.us/windows-event-log-audit-cve/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml"
+ "https://twitter.com/VM_vivisector/status/1217190929330655232"
 ],
 "tags": [
 "attack.execution",
@@ -13381,10 +13379,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml",
 "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
 "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml"
+ "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31"
 ],
 "tags": [
 "attack.resource_development",
@@ -13430,9 +13428,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml"
+ "https://twitter.com/mgreen27/status/1558223256704122882"
 ],
 "tags": [
 "attack.execution"
@@ -13454,9 +13452,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml"
+ "https://twitter.com/mgreen27/status/1558223256704122882"
 ],
 "tags": [
 "attack.execution"
@@ -13478,8 +13476,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml",
+ "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html"
 ],
 "tags": [
 "attack.execution"
@@ -13550,8 +13548,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
- "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
 "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml"
 ],
 "tags": [
@@ -13599,8 +13597,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
- "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml",
+ "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16"
 ],
 "tags": [
 "attack.persistence"
@@ -13648,8 +13646,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
 ],
 "tags": [
 "attack.execution"
@@ -13671,8 +13669,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml",
+ "https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent"
 ],
 "tags": [
 "attack.t1219"
@@ -13694,9 +13692,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_backup_delete.yml",
 "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_backup_delete.yml"
+ "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -13719,8 +13717,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
 "https://technet.microsoft.com/en-us/library/security/4022344",
+ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml"
 ],
 "tags": [
@@ -13794,10 +13792,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml",
 "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker"
 ],
 "tags": [
 "attack.execution",
@@ -13826,9 +13824,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
- "https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml"
+ "https://twitter.com/malmoeb/status/1535142803075960832"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -13852,8 +13850,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -13953,8 +13951,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
- "https://twitter.com/malmoeb/status/1535142803075960832",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml",
+ "https://twitter.com/malmoeb/status/1535142803075960832"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -13978,9 +13976,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml",
 "https://twitter.com/SBousseaden/status/1483810148602814466",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log"
 ],
 "tags": [
 "attack.execution"
@@ -14027,8 +14025,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/wdormann/status/1590434950335320065",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -14051,9 +14049,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml",
 "https://twitter.com/nas_bench/status/1539679555908141061",
- "https://twitter.com/j00sean/status/1537750439701225472",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml"
+ "https://twitter.com/j00sean/status/1537750439701225472"
 ],
 "tags": [
 "attack.execution"
@@ -14075,9 +14073,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_apt_gallium.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_apt_gallium.yml",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/"
 ],
 "tags": [
 "attack.credential_access",
@@ -14101,9 +14099,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
 "https://twitter.com/gentilkiwi/status/861641945944391680",
+ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_susp_dns_config.yml"
 ],
 "tags": [
@@ -14127,8 +14125,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
 "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
+ "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
 ],
 "tags": [
@@ -14169,8 +14167,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)"
 ],
 "tags": "No established tags"
 },
@@ -14188,8 +14186,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)"
 ],
 "tags": "No established tags"
 },
@@ -14226,8 +14224,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)"
],
"tags": "No established tags"
},
@@ -14245,8 +14243,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)"
],
"tags": "No established tags"
},
@@ -14264,10 +14262,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml",
"https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1"
],
"tags": [
"attack.discovery",
@@ -14340,8 +14338,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/GossiTheDog/status/1429175908905127938",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml",
+ "https://twitter.com/GossiTheDog/status/1429175908905127938"
],
"tags": [
"attack.persistence",
@@ -14388,8 +14386,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml",
+ "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430"
],
"tags": [
"attack.defense_evasion",
@@ -14412,8 +14410,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/OTR_Community/status/1371053369071132675",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml",
+ "https://twitter.com/OTR_Community/status/1371053369071132675"
],
"tags": [
"attack.persistence",
@@ -14460,8 +14458,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml",
+ "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20"
],
"tags": [
"attack.persistence",
@@ -14485,8 +14483,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/JohnLaTwC/status/1004895028995477505",
- "https://goo.gl/PsqrhT",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml",
+ "https://goo.gl/PsqrhT"
],
"tags": [
"attack.lateral_movement",
@@ -14535,8 +14533,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "n/a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml",
+ "n/a"
],
"tags": [
"attack.command_and_control",
@@ -14559,12 +14557,12 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
- "https://winaero.com/enable-openssh-server-windows-10/",
"https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
- "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
+ "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml",
+ "https://winaero.com/enable-openssh-server-windows-10/",
+ "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx"
],
"tags": [
"attack.lateral_movement",
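Review bot: The new side of the win_susp_ntlm_auth hunk re-emits `+ "https://goo.gl/PsqrhT"` as a reference, and a link shortener is a weak citation for a detection rule: the destination is opaque to the reader, the redirect can be retargeted by whoever controls the short link, and Google has announced the wind-down of goo.gl, so the pointer is likely to stop resolving. Since the commit touches the line anyway, it would be worth replacing it with the resolved long-form URL; if this file is generated from the Sigma rule's references, the fix belongs upstream so the next regeneration carries it. More broadly, the arbitrary reshuffling of `refs` across these hunks suggests the generator does not sort references before serialising; a stable sort would keep future diffs reviewable.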
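Review bot: `+ "n/a"` survives into the new side of the win_susp_ntlm_rdp hunk as an element of `refs`, so any consumer that renders references as links gets a non-URL placeholder next to the real SigmaHQ pointer. The array should carry only genuine references, e.g. `"refs": [ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml" ]`; if the placeholder originates in the generator's handling of rules with no references, dropping it there avoids re-introducing it on every regeneration.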
@@ -14587,10 +14585,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/hhlxf/PrintNightmare",
- "https://github.com/afwu/PrintNightmare",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml",
"https://twitter.com/fuzzyf10w/status/1410202370835898371",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
+ "https://github.com/afwu/PrintNightmare",
+ "https://github.com/hhlxf/PrintNightmare"
],
"tags": [
"attack.execution",
@@ -14614,8 +14612,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/MalwareJake/status/1410421967463731200",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml",
+ "https://twitter.com/MalwareJake/status/1410421967463731200"
],
"tags": [
"attack.execution",
@@ -14639,9 +14637,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/post/hybridhealthagent/",
"https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml",
+ "https://o365blog.com/post/hybridhealthagent/"
],
"tags": [
"attack.discovery",
@@ -14664,9 +14662,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/post/hybridhealthagent/",
"https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml",
+ "https://o365blog.com/post/hybridhealthagent/"
],
"tags": [
"attack.discovery",
@@ -14689,10 +14687,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml",
"https://attack.mitre.org/techniques/T1134/001/",
- "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
"https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml"
+ "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation"
],
"tags": [
"attack.defense_evasion",
@@ -14716,9 +14714,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml",
"https://twitter.com/menasec1/status/1111556090137903104",
- "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"
+ "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf"
],
"tags": [
"attack.persistence",
@@ -14741,8 +14739,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_discovery.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_discovery.yml",
+ "https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html"
],
"tags": [
"attack.discovery",
@@ -14767,8 +14765,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml",
+ "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf"
],
"tags": [
"attack.privilege_escalation",
@@ -14793,8 +14791,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml",
+ "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf"
],
"tags": [
"attack.privilege_escalation",
@@ -14817,10 +14815,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743"
],
"tags": "No established tags"
},
@@ -14840,10 +14838,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672"
],
"tags": "No established tags"
},
@@ -14863,8 +14861,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://car.mitre.org/wiki/CAR-2016-04-005",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_rdp_login.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_rdp_login.yml",
+ "https://car.mitre.org/wiki/CAR-2016-04-005"
],
"tags": [
"attack.lateral_movement",
@@ -14913,8 +14911,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html"
],
"tags": [
"attack.defense_evasion",
@@ -14937,8 +14935,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml",
+ "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html"
],
"tags": [
"attack.credential_access",
@@ -14961,8 +14959,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
"http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
+ "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
"https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
],
@@ -14987,8 +14985,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml",
+ "https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/"
],
"tags": [
"attack.persistence",
@@ -15011,9 +15009,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
"https://adsecurity.org/?p=3466",
"https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/",
+ "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
],
"tags": [
@@ -15037,9 +15035,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2053",
"https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml",
+ "https://adsecurity.org/?p=2053"
],
"tags": [
"attack.defense_evasion",
@@ -15063,11 +15061,11 @@
"logsource.product": "windows",
"refs": [
"https://github.com/sensepost/ruler",
- "https://github.com/sensepost/ruler/issues/47",
- "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
+ "https://github.com/sensepost/ruler/issues/47",
+ "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427"
],
"tags": [
"attack.discovery",
@@ -15094,8 +15092,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml",
+ "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/"
],
"tags": [
"attack.persistence",
@@ -15125,8 +15123,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/apt-slingshot/84312/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_slingshot.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_slingshot.yml",
+ "https://securelist.com/apt-slingshot/84312/"
],
"tags": [
"attack.persistence",
@@ -15181,8 +15179,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_atsvc_task.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_atsvc_task.yml",
+ "https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html"
],
"tags": [
"attack.lateral_movement",
@@ -15208,9 +15206,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml",
"https://twitter.com/duzvik/status/1269671601852813320",
- "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml"
+ "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072"
],
"tags": [
"attack.collection",
@@ -15233,10 +15231,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/webcasts/119395",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
"https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml",
+ "https://www.sans.org/webcasts/119395",
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/"
],
"tags": [
"attack.execution",
@@ -15263,9 +15261,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
"https://twitter.com/_dirkjan/status/1309214379003588608",
+ "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
],
"tags": [
@@ -15315,11 +15313,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
"https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
+ "https://twitter.com/gentilkiwi/status/1003236624925413376"
],
"tags": [
"attack.credential_access",
@@ -15343,8 +15341,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_defender_bypass.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_defender_bypass.yml",
+ "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/"
],
"tags": [
"attack.defense_evasion",
@@ -15367,8 +15365,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml"
],
"tags": "No established tags"
@@ -15389,8 +15387,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml",
+ "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46"
],
"tags": [
"attack.privilege_escalation"
@@ -15412,8 +15410,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bit.ly/WinLogsZero2Hero",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_logging.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_logging.yml",
+ "https://bit.ly/WinLogsZero2Hero"
],
"tags": [
"attack.defense_evasion",
@@ -15460,8 +15458,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml",
+ "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html"
],
"tags": [
"attack.credential_access",
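Review bot: The win_security_disable_event_logging hunk re-emits `+ "https://bit.ly/WinLogsZero2Hero"` as a reference, and a bit.ly alias is a mutable redirect owned by whoever registered it: a reader of this cluster cannot see where it points, and the alias could later be retargeted or expire, which is an awkward property for a reference in a threat-intel dataset. Resolving it once and committing the long-form destination URL would make the reference self-describing; if this file mirrors the Sigma rule's references, the replacement belongs in the upstream rule so regeneration does not reintroduce the shortener.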
@@ -15484,16 +15482,16 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://bunnyinside.com/?term=f71e8cb9c76a",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_etw_modification.yml"
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_etw_modification.yml",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr"
],
"tags": [
"attack.defense_evasion",
@@ -15516,8 +15514,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_event_log_cleared.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_event_log_cleared.yml",
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml"
],
"tags": [
"attack.t1070.001"
@@ -15614,9 +15612,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml",
"https://twitter.com/menasec1/status/1106899890377052160",
- "https://www.secureworks.com/blog/ransomware-as-a-distraction",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
+ "https://www.secureworks.com/blog/ransomware-as-a-distraction"
],
"tags": [
"attack.persistence",
@@ -15712,8 +15710,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_secretdump.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_secretdump.yml",
+ "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html"
],
"tags": [
"attack.credential_access",
@@ -15738,8 +15736,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
],
"tags": [
"attack.defense_evasion",
@@ -15764,8 +15762,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml",
+ "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888"
],
"tags": [
"attack.defense_evasion",
@@ -15788,8 +15786,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
],
"tags": [
"attack.defense_evasion",
@@ -15814,8 +15812,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
],
"tags": [
"attack.defense_evasion",
@@ -15840,8 +15838,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
],
"tags": [
"attack.defense_evasion",
@@ -15866,8 +15864,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
],
"tags": [
"attack.defense_evasion",
@@ -15892,8 +15890,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -15918,8 +15916,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -15944,8 +15942,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -15970,8 +15968,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -15996,8 +15994,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -16022,10 +16020,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
 "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
- "https://twitter.com/MsftSecIntel/status/1257324139515269121",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml",
+ "https://twitter.com/MsftSecIntel/status/1257324139515269121"
 ],
 "tags": [
 "attack.initial_access",
@@ -16073,9 +16071,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml",
 "https://attack.mitre.org/software/S0359/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml"
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm"
 ],
 "tags": [
 "attack.discovery",
@@ -16100,8 +16098,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml",
+ "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html"
 ],
 "tags": [
 "attack.credential_access",
@@ -16155,10 +16153,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml",
 "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
 "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
- "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
+ "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf"
 ],
 "tags": [
 "attack.persistence",
@@ -16185,9 +16183,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml"
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet"
 ],
 "tags": [
 "attack.credential_access",
@@ -16211,8 +16209,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml",
+ "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -16235,8 +16233,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bczyz1.github.io/2021/01/30/psexec.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml",
+ "https://bczyz1.github.io/2021/01/30/psexec.html"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -16288,8 +16286,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml",
+ "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -16409,10 +16407,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
 "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml",
 "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
+ "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -16460,10 +16458,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/topotam/PetitPotam",
- "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
 "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
+ "https://github.com/topotam/PetitPotam",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml",
+ "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/"
 ],
 "tags": [
 "attack.credential_access",
@@ -16487,10 +16485,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml",
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
 "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376"
 ],
 "tags": [
 "attack.credential_access",
@@ -16513,8 +16511,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse"
 ],
 "tags": [
 "attack.execution",
@@ -16537,8 +16535,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml",
+ "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -16639,8 +16637,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1096148422984384514",
 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
+ "https://twitter.com/SBousseaden/status/1096148422984384514",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml"
 ],
 "tags": [
@@ -16669,8 +16667,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -16761,8 +16759,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml",
+ "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html"
 ],
 "tags": [
 "attack.discovery",
@@ -16788,8 +16786,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/matthewdunwoody/status/1352356685982146562",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699"
 ],
 "tags": [
 "attack.execution",
@@ -16862,8 +16860,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scrcons_remote_wmi_scripteventconsumer.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scrcons_remote_wmi_scripteventconsumer.yml",
+ "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -16888,8 +16886,8 @@
 "logsource.category": "security",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
 "https://twitter.com/SBousseaden/status/1490608838701166596",
+ "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
 ],
 "tags": [
@@ -16914,8 +16912,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
- "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml",
+ "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -16961,8 +16959,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=1772",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml",
+ "https://adsecurity.org/?p=1772"
 ],
 "tags": [
 "attack.persistence",
@@ -17009,10 +17007,10 @@
 "logsource.category": "security",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1511760068743766026",
 "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
- "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
+ "https://twitter.com/malmoeb/status/1511760068743766026",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml",
+ "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py"
 ],
 "tags": [
 "cve.2021.42278",
@@ -17038,8 +17036,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=1714",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml",
+ "https://adsecurity.org/?p=1714"
 ],
 "tags": [
 "attack.persistence",
@@ -17063,9 +17061,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml"
+ "https://twitter.com/deviouspolack/status/832535435960209408"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -17120,9 +17118,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
 "https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml",
+ "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying"
 ],
 "tags": [
 "attack.t1110.003",
@@ -17290,8 +17288,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm.yml",
+ "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying"
 ],
 "tags": [
 "attack.t1110.003",
@@ -17318,8 +17316,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm2.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm2.yml",
+ "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying"
 ],
 "tags": [
 "attack.t1110.003",
@@ -17343,8 +17341,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
 "https://twitter.com/SBousseaden/status/1101431884540710913",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml"
 ],
 "tags": [
@@ -17401,8 +17399,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_remote_logons_single_source.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_remote_logons_single_source.yml",
+ "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying"
 ],
 "tags": [
 "attack.t1110.003",
@@ -17449,9 +17447,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml",
 "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml"
+ "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -17474,10 +17472,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
- "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
 "https://github.com/fox-it/LDAPFragger",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml",
+ "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/"
 ],
 "tags": [
 "attack.t1001.003",
@@ -17570,8 +17568,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/jackcr/status/807385668833968128",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump.yml",
+ "https://twitter.com/jackcr/status/807385668833968128"
 ],
 "tags": [
 "attack.credential_access",
@@ -17594,8 +17592,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
 ],
 "tags": [
@@ -17621,8 +17619,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_multiple_files_renamed_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_multiple_files_renamed_or_deleted.yml",
+ "https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html"
 ],
 "tags": [
 "attack.impact",
@@ -17645,8 +17643,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml",
+ "https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html"
 ],
 "tags": [
 "attack.discovery",
@@ -17734,8 +17732,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/Rubeus",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml",
+ "https://github.com/GhostPack/Rubeus"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -17758,10 +17756,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
- "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
 "https://twitter.com/SBousseaden/status/1581300963650187264?",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml",
+ "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
+ "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html"
 ],
 "tags": [
 "attack.credential_access",
@@ -17833,9 +17831,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=3458",
 "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml",
+ "https://adsecurity.org/?p=3458"
 ],
 "tags": [
 "attack.credential_access",
@@ -17904,10 +17902,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
- "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
+ "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete"
 ],
 "tags": [
 "attack.impact",
@@ -17935,10 +17933,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
 "Live environment caused by malware",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml",
+ "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -17985,8 +17983,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_svcctl_remote_service.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_svcctl_remote_service.yml",
+ "https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -18010,8 +18008,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml",
+ "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html"
 ],
 "tags": [
 "attack.discovery",
@@ -18034,11 +18032,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Flangvik/status/1283054508084473861",
- "https://twitter.com/SecurityJosh/status/1283027365770276866",
- "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
 "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml",
+ "https://twitter.com/SecurityJosh/status/1283027365770276866",
+ "https://twitter.com/Flangvik/status/1283054508084473861",
+ "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18084,9 +18082,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/"
 ],
 "tags": [
 "attack.credential_access",
@@ -18160,8 +18158,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -18308,8 +18306,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
 "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
 ],
 "tags": [
@@ -18334,8 +18332,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml",
+ "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18358,8 +18356,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml",
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18406,8 +18404,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml",
+ "https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3"
 ],
 "tags": [
 "attack.execution"
@@ -18429,10 +18427,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/KevTheHermit/status/1410203844064301056",
- "https://github.com/hhlxf/PrintNightmare",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml",
 "https://github.com/afwu/PrintNightmare",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml"
+ "https://github.com/hhlxf/PrintNightmare",
+ "https://twitter.com/KevTheHermit/status/1410203844064301056"
 ],
 "tags": [
 "attack.credential_access",
@@ -18457,8 +18455,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/moti_b/status/1032645458634653697",
- "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5"
 ],
 "tags": [
 "attack.t1021.002",
@@ -18481,8 +18479,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_anydesk_service_installation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_anydesk_service_installation.yml",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/"
 ],
 "tags": [
 "attack.persistence"
@@ -18552,8 +18550,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml",
+ "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/"
 ],
 "tags": [
 "attack.persistence",
@@ -18583,8 +18581,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_stonedrill.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_stonedrill.yml",
+ "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/"
 ],
 "tags": [
 "attack.persistence",
@@ -18633,10 +18631,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/webcasts/119395",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml"
+ "https://www.sans.org/webcasts/119395",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml",
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/"
 ],
 "tags": [
 "attack.execution",
@@ -18664,9 +18662,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18690,9 +18688,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml"
+ "https://twitter.com/deviouspolack/status/832535435960209408"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18742,8 +18740,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_clip_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_clip_services.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18768,8 +18766,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_obfuscated_iex_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_obfuscated_iex_services.yml",
+ "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18792,8 +18790,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18818,8 +18816,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18844,8 +18842,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18870,8 +18868,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18896,8 +18894,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18922,8 +18920,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18948,8 +18946,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -18974,8 +18972,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -19000,8 +18998,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -19049,8 +19047,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Dec0ne/KrbRelayUp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_krbrelayup_service_installation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_krbrelayup_service_installation.yml",
+ "https://github.com/Dec0ne/KrbRelayUp"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -19204,10 +19202,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/jonasLyk/status/1347900440000811010",
 "https://twitter.com/wdormann/status/1347958161609809921",
- "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml",
+ "https://twitter.com/jonasLyk/status/1347900440000811010",
+ "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/"
 ],
 "tags": [
 "attack.impact",
@@ -19351,9 +19349,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/zerosum0x0/CVE-2019-0708",
 "https://github.com/Ekultek/BlueKeep",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml",
+ "https://github.com/zerosum0x0/CVE-2019-0708"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -19377,8 +19375,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_hacktools.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_hacktools.yml",
+ "Internal Research"
 ],
 "tags": [
 "attack.execution",
@@ -19425,8 +19423,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.poweradmin.com/paexec/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_paexec.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_paexec.yml",
+ "https://www.poweradmin.com/paexec/"
 ],
 "tags": [
 "attack.execution",
@@ -19523,8 +19521,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.remoteutilities.com/support/kb/host-service-won-t-start/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_remote_utilities.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_remote_utilities.yml",
+ "https://www.remoteutilities.com/support/kb/host-service-won-t-start/"
 ],
 "tags": [
 "attack.persistence"
@@ -19546,9 +19544,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_sliver.yml",
 "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
- "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_sliver.yml"
+ "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/"
 ],
 "tags": [
 "attack.execution",
@@ -19573,8 +19571,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml",
+ "Internal Research"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -19597,10 +19595,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml"
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -19623,10 +19621,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml",
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -19650,9 +19648,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml"
+ "https://twitter.com/deviouspolack/status/832535435960209408"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -19676,8 +19674,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/1kwpeter/status/1397816101455765504",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_proceshacker.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_proceshacker.yml",
+ "https://twitter.com/1kwpeter/status/1397816101455765504"
 ],
 "tags": [
 "attack.execution",
@@ -19702,8 +19700,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml",
+ "https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp"
 ],
 "tags": [
 "attack.persistence"
@@ -20064,8 +20062,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter"
 ],
 "tags": [
 "attack.credential_access",
@@ -20137,8 +20135,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_nullbind/status/1204923340810543109",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exclusions.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exclusions.yml",
+ "https://twitter.com/_nullbind/status/1204923340810543109"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -20161,8 +20159,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml",
+ "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088"
 ],
 "tags": [
 "attack.execution",
@@ -20185,8 +20183,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -20236,8 +20234,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml",
+ "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -20284,8 +20282,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
 "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
 ],
 "tags": [
@@ -20337,8 +20335,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/SBousseaden/status/1090588499517079552",
- "https://github.com/mdsecactivebreach/CACTUSTORCH",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml",
+ "https://github.com/mdsecactivebreach/CACTUSTORCH"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -20365,9 +20363,9 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
 "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml",
+ "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -20390,8 +20388,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -20414,10 +20412,10 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
- "https://github.com/denandz/KeeFarce",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml",
 "https://github.com/GhostPack/KeeThief",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
+ "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
+ "https://github.com/denandz/KeeFarce"
 ],
 "tags": [
 "attack.credential_access",
@@ -20440,8 +20438,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm"
 ],
 "tags": [
 "attack.credential_access",
@@ -20515,9 +20513,9 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml",
 "Personal research, statistical analysis",
- "https://lolbas-project.github.io",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml"
+ "https://lolbas-project.github.io"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -20541,8 +20539,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml",
+ "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/"
 ],
 "tags": "No established tags"
 },
@@ -20637,8 +20635,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml",
+ "https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -20760,8 +20758,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml",
+ "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -20784,10 +20782,10 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
 "https://redcanary.com/blog/misbehaving-rats/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_remote_access_software_domains.yml"
 ],
 "tags": [
@@ -20811,8 +20809,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte"
 ],
 "tags": [
 "attack.exfiltration",
@@ -20860,8 +20858,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/notwhickey/status/1333900137232523264",
- "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -20884,9 +20882,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml",
 "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
- "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml"
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -20955,9 +20953,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml",
 "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml"
+ "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/"
 ],
 "tags": [
 "attack.execution",
@@ -20982,9 +20980,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml",
 "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
- "https://twitter.com/neonprimetime/status/1436376497980428318",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml"
+ "https://twitter.com/neonprimetime/status/1436376497980428318"
 ],
 "tags": [
 "attack.reconnaissance",
@@ -21032,8 +21030,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.teamviewer.com/en-us/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml",
+ "https://www.teamviewer.com/en-us/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -21056,8 +21054,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion.yml",
+ "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -21161,8 +21159,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse"
 ],
 "tags": [
 "attack.execution",
@@ -21209,8 +21207,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -21233,8 +21231,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_dell_driver.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_dell_driver.yml",
+ "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -21258,23 +21256,23 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
+ "https://github.com/jbaines-r7/dellicious",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
+ "https://github.com/CaledoniaProject/drivers-binaries",
+ "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
+ "https://github.com/tandasat/ExploitCapcom",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://github.com/namazso/physmem_drivers",
 "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/jbaines-r7/dellicious",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
- "https://github.com/namazso/physmem_drivers",
- "https://github.com/stong/CVE-2020-15368",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
- "https://github.com/tandasat/ExploitCapcom",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
- "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
- "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers.yml",
 "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers.yml"
+ "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -21298,19 +21296,19 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
 "https://github.com/jbaines-r7/dellicious",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
- "https://github.com/namazso/physmem_drivers",
- "https://github.com/stong/CVE-2020-15368",
 "https://github.com/CaledoniaProject/drivers-binaries",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
- "https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml"
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://github.com/namazso/physmem_drivers",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -21333,12 +21331,12 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
- "https://twitter.com/malmoeb/status/1551449425842786306",
- "https://github.com/fengjixuchui/gdrv-loader",
 "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml",
+ "https://github.com/fengjixuchui/gdrv-loader",
 "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml"
+ "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
+ "https://twitter.com/malmoeb/status/1551449425842786306"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -21386,8 +21384,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/",
- "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_hw_driver.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_hw_driver.yml",
+ "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -21410,9 +21408,9 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
 "https://github.com/alfarom256/CVE-2022-3699/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml",
+ "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -21461,8 +21459,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://reqrypt.org/windivert-doc.html",
 "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
+ "https://reqrypt.org/windivert-doc.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_windivert.yml"
 ],
 "tags": [
@@ -21491,9 +21489,9 @@
 "logsource.category": "file_access",
 "logsource.product": "windows",
 "refs": [
- "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
 "https://github.com/lclevy/firepwd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml",
+ "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users"
 ],
 "tags": [
 "attack.t1003",
@@ -21517,8 +21515,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz",
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
 ],
 "tags": [
 "attack.t1003",
@@ -21541,9 +21539,9 @@
 "logsource.category": "file_access",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
 "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml",
+ "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/"
 ],
 "tags": [
 "attack.credential_access",
@@ -21566,9 +21564,9 @@
 "logsource.category": "file_access",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml",
 "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist",
- "https://www.passcape.com/windows_password_recovery_dpapi_credhist",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml"
+ "https://www.passcape.com/windows_password_recovery_dpapi_credhist"
 ],
 "tags": [
 "attack.credential_access",
@@ -21615,8 +21613,8 @@
 "logsource.category": "file_change",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml",
+ "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html"
 ],
 "tags": [
 "attack.initial_access",
@@ -21639,8 +21637,8 @@
 "logsource.category": "file_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/cube0x0/CVE-2021-1675",
+ "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml"
 ],
 "tags": [
@@ -21667,8 +21665,8 @@
 "logsource.category": "file_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -21691,8 +21689,8 @@
 "logsource.category": "file_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files"
 ],
 "tags": [
 "attack.impact",
@@ -21762,9 +21760,9 @@
 "logsource.category": "file_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml",
 "https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml"
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/9"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -21787,8 +21785,8 @@
 "logsource.category": "file_delete",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml",
+ "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html"
 ],
 "tags": [
 "attack.initial_access",
@@ -21812,8 +21810,8 @@
 "logsource.category": "file_delete",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml",
+ "https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -21836,9 +21834,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/"
 ],
 "tags": [
 "attack.credential_access",
@@ -21886,11 +21884,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer"
 ],
 "tags": [
 "attack.discovery",
@@ -21983,8 +21981,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml",
+ "https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection"
 ],
 "tags": [
 "attack.discovery",
@@ -22013,8 +22011,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml",
+ "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass"
 ],
 "tags": [
 "attack.credential_access",
@@ -22109,8 +22107,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md"
 ],
 "tags": [
 "attack.persistence",
@@ -22182,8 +22180,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -22206,10 +22204,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
- "https://github.com/afwu/PrintNightmare",
 "https://github.com/cube0x0/CVE-2021-1675",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml",
+ "https://github.com/afwu/PrintNightmare",
+ "https://github.com/hhlxf/PrintNightmare"
 ],
 "tags": [
 "attack.execution",
@@ -22290,8 +22288,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/klinix5/InstallerFileTakeOver",
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml",
+ "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -22339,8 +22337,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml",
+ "https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -22364,8 +22362,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_detect_powerup_dllhijacking.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_detect_powerup_dllhijacking.yml",
+ "https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/"
 ],
 "tags": [
 "attack.persistence",
@@ -22390,9 +22388,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml",
 "https://twitter.com/cyb3rops/status/1552932770464292864",
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml"
+ "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows"
 ],
 "tags": [
 "attack.persistence",
@@ -22417,9 +22415,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml",
 "https://github.com/last-byte/PersistenceSniper",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml"
+ "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/"
 ],
 "tags": [
 "attack.persistence"
@@ -22443,8 +22441,8 @@
 "refs": [
 "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
 "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html"
 ],
 "tags": [
 "attack.persistence",
@@ -22468,9 +22466,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml",
 "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html"
 ],
 "tags": [
 "attack.persistence",
@@ -22495,9 +22493,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/SafetyKatz",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml",
 "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml"
+ "https://github.com/GhostPack/SafetyKatz"
 ],
 "tags": [
 "attack.credential_access",
@@ -22544,8 +22542,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/outflanknl/Dumpert",
 "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hack_dumpert.yml"
 ],
 "tags": [
@@ -22570,10 +22568,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/GossiTheDog/HiveNightmare",
- "https://github.com/FireFart/hivenightmare/",
- "https://github.com/WiredPulse/Invoke-HiveNightmare",
 "https://twitter.com/cube0x0/status/1418920190759378944",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml"
+ "https://github.com/WiredPulse/Invoke-HiveNightmare",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml",
+ "https://github.com/FireFart/hivenightmare/"
 ],
 "tags": [
 "attack.credential_access",
@@ -22597,9 +22595,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml",
 "https://twitter.com/0gtweet/status/1465282548494487554",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy"
 ],
 "tags": [
 "attack.credential_access"
@@ -22622,8 +22620,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
- "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml",
+ "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0"
 ],
 "tags": [
 "attack.t1566",
@@ -22674,10 +22672,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml",
 "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
 "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml"
+ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs"
 ],
 "tags": [
 "attack.command_and_control",
@@ -22700,8 +22698,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/"
 ],
 "tags": [
 "attack.persistence",
@@ -22752,10 +22750,10 @@ "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore" ], "tags": "No established tags" }, @@ -22799,8 +22797,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml", + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326" ], "tags": [ "attack.defense_evasion", 
@@ -22847,12 +22845,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.google.com/search?q=procdump+lsass", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", "https://github.com/helpsystems/nanodump", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" + "https://www.google.com/search?q=procdump+lsass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml" ], "tags": [ "attack.credential_access", @@ -22900,8 +22898,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/helpsystems/nanodump", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml", + "https://github.com/helpsystems/nanodump" ], "tags": [ "attack.credential_access", 
@@ -22924,9 +22922,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", - "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml" + "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference" ], "tags": [ "attack.initial_access", @@ -22947,9 +22945,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf" ], "tags": [ "attack.execution", @@ -22973,8 +22971,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml", + "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain" ], "tags": [ "attack.t1195", 
@@ -22997,8 +22995,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", + "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml" ], @@ -23023,8 +23021,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://cobalt.io/blog/kerberoast-attack-techniques", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml", + "https://cobalt.io/blog/kerberoast-attack-techniques" ], "tags": [ "attack.credential_access", @@ -23047,8 +23045,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml", + "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/" ], "tags": [ "attack.credential_access", 
@@ -23096,9 +23094,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml", "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", - "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml" + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/" ], "tags": [ "attack.persistence", @@ -23122,8 +23120,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml", + "Internal Research" ], "tags": [ "attack.defense_evasion", @@ -23146,8 +23144,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Desk/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_src_file.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_src_file.yml", + "https://lolbas-project.github.io/lolbas/Libraries/Desk/" ], "tags": [ "attack.t1218.011", 
@@ -23194,11 +23192,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml", + "https://pentestlab.blog/tag/ntds-dit/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration" ], "tags": [ "attack.credential_access", @@ -23221,10 +23219,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb" ], "tags": [ "attack.credential_access", 
@@ -23247,8 +23245,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_persistence.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_persistence.yml", + "Internal Research" ], "tags": [ "attack.persistence", @@ -23298,8 +23296,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_newform.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_newform.yml", + "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20" ], "tags": [ "attack.persistence", @@ -23322,9 +23320,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml", "https://twitter.com/tifkin_/status/1321916444557365248", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" + "https://twitter.com/rbmaslen/status/1321859647091970051" ], "tags": [ "attack.execution", 
@@ -23347,9 +23345,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel" ], "tags": [ "attack.persistence", 
@@ -23372,19 +23370,19 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/nettitude/Invoke-PowerThIEf", "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/PowerShellMafia/PowerSploit", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/nettitude/Invoke-PowerThIEf", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" + "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml", + "https://github.com/AlsidOfficial/WSUSpendu/" ], "tags": [ "attack.execution", 
@@ -23408,9 +23406,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml", "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder" ], "tags": [ "attack.persistence", @@ -23457,8 +23455,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rclone_exec_file.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rclone_exec_file.yml", + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/" ], "tags": [ "attack.exfiltration", @@ -23503,8 +23501,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml", + "https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19" ], "tags": [ "attack.t1547", 
@@ -23527,11 +23525,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/search?q=CVE-2021-36934", + "https://github.com/FireFart/hivenightmare", "https://github.com/cube0x0/CVE-2021-36934", "https://www.google.com/search?q=%22reg.exe+save%22+sam", + "https://github.com/search?q=CVE-2021-36934", "https://github.com/HuskyHacks/ShadowSteal", - "https://github.com/FireFart/hivenightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ @@ -23604,8 +23602,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml", + "Internal Research" ], "tags": "No established tags" }, @@ -23625,8 +23623,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml", + "Internal Research" ], "tags": "No established tags" }, 
@@ -23671,10 +23669,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/fox-it/LDAPFragger", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml", + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/" ], "tags": [ "attack.t1001.003", @@ -23697,9 +23695,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", "https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml" ], "tags": [ 
@@ -23749,8 +23747,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-november-2021/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml", + "https://redcanary.com/blog/intelligence-insights-november-2021/" ], "tags": [ "attack.t1055", @@ -23775,8 +23773,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-november-2021/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml", + "https://redcanary.com/blog/intelligence-insights-november-2021/" ], "tags": [ "attack.t1036.005", @@ -23800,8 +23798,8 @@ "logsource.product": "windows", "refs": [ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", - "https://twitter.com/SBousseaden/status/1278977301745741825", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml", + "https://twitter.com/SBousseaden/status/1278977301745741825" ], "tags": [ "attack.defense_evasion", 
@@ -23849,8 +23847,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note" ], "tags": [ "attack.impact", @@ -23873,8 +23871,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://threadreaderapp.com/thread/1533879688141086720.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_diagcab.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_diagcab.yml", + "https://threadreaderapp.com/thread/1533879688141086720.html" ], "tags": [ "attack.resource_development" @@ -23896,11 +23894,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://twitter.com/luc4m/status/1073181154126254080", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ 
@@ -23949,8 +23947,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml", + "https://redcanary.com/blog/blackbyte-ransomware/" ], "tags": [ "attack.initial_access", @@ -24027,11 +24025,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ 
@@ -24055,9 +24053,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml", "https://adsecurity.org/?p=2398", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml" + "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/" ], "tags": [ "attack.credential_access", @@ -24156,8 +24154,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml", + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/" ], "tags": [ "attack.defense_evasion" @@ -24179,8 +24177,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/last-byte/PersistenceSniper", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml", + "https://github.com/last-byte/PersistenceSniper" ], "tags": [ "attack.persistence", 
@@ -24204,8 +24202,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml", + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm" ], "tags": "No established tags" }, @@ -24225,8 +24223,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_task_write.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_task_write.yml", + "Internal Research" ], "tags": [ "attack.persistence", @@ -24372,8 +24370,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml", + "https://github.com/hfiref0x/UACME" ], "tags": [ "attack.defense_evasion", @@ -24397,8 +24395,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml", + "https://github.com/hfiref0x/UACME" ], "tags": [ "attack.defense_evasion", 
@@ -24422,8 +24420,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", + "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], "tags": [ @@ -24447,8 +24445,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Wh04m1001/IDiagnosticProfileUAC", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml", + "https://github.com/Wh04m1001/IDiagnosticProfileUAC" ], "tags": [ "attack.execution", @@ -24473,8 +24471,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml", + "https://github.com/hfiref0x/UACME" ], "tags": [ "attack.defense_evasion", @@ -24523,8 +24521,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml", + "https://github.com/hfiref0x/UACME" ], "tags": [ "attack.defense_evasion", 
@@ -24548,8 +24546,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml", + "https://github.com/hfiref0x/UACME" ], "tags": [ "attack.defense_evasion", @@ -24573,8 +24571,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml", + "https://github.com/hfiref0x/UACME" ], "tags": [ "attack.defense_evasion", @@ -24598,8 +24596,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "PT ESC rule and personal experience", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml", + "PT ESC rule and personal experience" ], "tags": [ "attack.persistence", @@ -24672,8 +24670,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", - "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml", + "https://twitter.com/vanitasnk/status/1437329511142420483?s=21" ], "tags": [ "attack.resource_development", 
@@ -24771,8 +24769,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_word_template_creation.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_word_template_creation.yml", + "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies" ], "tags": [ "attack.persistence", @@ -24845,9 +24843,9 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://twitter.com/ffforward/status/1481672378639912960", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml", + "https://twitter.com/ffforward/status/1481672378639912960" ], "tags": "No established tags" }, @@ -24867,8 +24865,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", + "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ 
@@ -24892,8 +24890,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml",
+ "https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25067,9 +25065,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/rbmaslen/status/1321859647091970051",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml",
 "https://twitter.com/tifkin_/status/1321916444557365248",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml"
+ "https://twitter.com/rbmaslen/status/1321859647091970051"
 ],
 "tags": [
 "attack.execution",
@@ -25092,9 +25090,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
 "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel"
 ],
 "tags": [
 "attack.persistence",
@@ -25143,10 +25141,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/HunterPlaybook/status/1301207718355759107",
 "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
- "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml",
+ "https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -25200,8 +25198,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://hijacklibs.net/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml",
+ "https://hijacklibs.net/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25227,8 +25225,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://hijacklibs.net/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml",
+ "https://hijacklibs.net/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25254,11 +25252,11 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://hijacklibs.net/",
- "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml",
 "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
+ "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
+ "https://hijacklibs.net/",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25284,8 +25282,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://hijacklibs.net/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_office_dlls.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_office_dlls.yml",
+ "https://hijacklibs.net/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25311,8 +25309,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://hijacklibs.net/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml",
+ "https://hijacklibs.net/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25338,8 +25336,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://hijacklibs.net/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_web_browsers.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_web_browsers.yml",
+ "https://hijacklibs.net/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25365,8 +25363,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/byt3bl33d3r/SILENTTRINITY",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_silenttrinity_stage_use.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_silenttrinity_stage_use.yml",
+ "https://github.com/byt3bl33d3r/SILENTTRINITY"
 ],
 "tags": [
 "attack.command_and_control",
@@ -25389,9 +25387,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/ly4k/SpoolFool",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml",
+ "https://github.com/hhlxf/PrintNightmare"
 ],
 "tags": [
 "attack.persistence",
@@ -25418,8 +25416,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hlldz/Phant0m",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_advapi32_dll.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_advapi32_dll.yml",
+ "https://github.com/hlldz/Phant0m"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25664,8 +25662,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.py2exe.org/",
- "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml",
+ "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25689,8 +25687,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/tyranid/DotNetToJScript",
- "https://thewover.github.io/Introducing-Donut/",
 "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+ "https://thewover.github.io/Introducing-Donut/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
 ],
 "tags": [
@@ -25740,8 +25738,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_uncommon_image_load.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_uncommon_image_load.yml",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25789,8 +25787,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
 "https://twitter.com/am0nsec/status/1412232114980982787",
+ "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml"
 ],
 "tags": [
@@ -25839,8 +25837,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992"
 ],
 "tags": [
 "attack.persistence",
@@ -25865,8 +25863,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/bats3c/EvtMute",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml",
+ "https://github.com/bats3c/EvtMute"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25889,10 +25887,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml",
 "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
 "https://twitter.com/mattifestation/status/1196390321783025666",
- "https://twitter.com/oulusoyum/status/1191329746069655553",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml"
+ "https://twitter.com/oulusoyum/status/1191329746069655553"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25917,9 +25915,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
 "https://twitter.com/wdormann/status/1547583317410607110",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml",
+ "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -25943,8 +25941,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://steemit.com/utopian-io/@ah101/uac-bypassing-utility",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_via_dism.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_via_dism.yml",
+ "https://steemit.com/utopian-io/@ah101/uac-bypassing-utility"
 ],
 "tags": [
 "attack.persistence",
@@ -25971,8 +25969,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
 "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml"
 ],
 "tags": [
@@ -26046,8 +26044,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml",
+ "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -26072,9 +26070,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
- "https://twitter.com/dez_/status/986614411711442944",
 "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
+ "https://twitter.com/dez_/status/986614411711442944",
+ "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
 ],
 "tags": [
@@ -26124,8 +26122,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_module_load.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_module_load.yml",
+ "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html"
 ],
 "tags": [
 "attack.execution",
@@ -26172,11 +26170,11 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/chadtilbury/status/1275851297770610688",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml",
 "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
 "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
 "https://github.com/bohops/WSMan-WinRM",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
+ "https://twitter.com/chadtilbury/status/1275851297770610688"
 ],
 "tags": [
 "attack.execution",
@@ -26204,8 +26202,8 @@
 "refs": [
 "https://twitter.com/M_haggis/status/900741347035889665",
 "https://twitter.com/M_haggis/status/1032799638213066752",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -26256,8 +26254,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_certutil.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_certutil.yml",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil"
 ],
 "tags": [
 "attack.command_and_control",
@@ -26280,8 +26278,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.poolwatch.io/coin/monero",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_crypto_mining.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_crypto_mining.yml",
+ "https://www.poolwatch.io/coin/monero"
 ],
 "tags": [
 "attack.impact",
@@ -26331,9 +26329,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/child-processes/",
 "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml",
+ "https://redcanary.com/blog/child-processes/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -26385,8 +26383,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://corelight.com/blog/detecting-cve-2021-42292",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml",
+ "https://corelight.com/blog/detecting-cve-2021-42292"
 ],
 "tags": [
 "attack.execution",
@@ -26409,9 +26407,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml",
 "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -26434,8 +26432,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
 "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml"
 ],
 "tags": [
@@ -26459,8 +26457,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml",
+ "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo"
 ],
 "tags": [
 "attack.command_and_control",
@@ -26483,9 +26481,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://megatools.megous.com/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml",
 "https://www.mandiant.com/resources/russian-targeting-gov-business",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml"
+ "https://megatools.megous.com/"
 ],
 "tags": [
 "attack.exfiltration",
@@ -26508,8 +26506,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml"
 ],
 "tags": [
@@ -26534,8 +26532,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://ngrok.com/",
- "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml",
+ "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/"
 ],
 "tags": [
 "attack.exfiltration",
@@ -26558,9 +26556,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
 "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml",
+ "https://twitter.com/hakluke/status/1587733971814977537/photo/1"
 ],
 "tags": [
 "attack.exfiltration",
@@ -26590,8 +26588,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf",
- "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml",
+ "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -26616,8 +26614,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=DLtJTxMWZ2o",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml",
+ "https://www.youtube.com/watch?v=DLtJTxMWZ2o"
 ],
 "tags": [
 "attack.execution",
@@ -26641,8 +26639,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
- "https://pypi.org/project/scapy/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml",
+ "https://pypi.org/project/scapy/"
 ],
 "tags": [
 "attack.discovery",
@@ -26665,8 +26663,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1096148422984384514",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml",
+ "https://twitter.com/SBousseaden/status/1096148422984384514"
 ],
 "tags": [
 "attack.command_and_control",
@@ -26693,8 +26691,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
- "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml",
+ "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling"
 ],
 "tags": [
 "attack.command_and_control",
@@ -26720,9 +26718,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml",
 "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml"
+ "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/"
 ],
 "tags": [
 "attack.execution",
@@ -26871,8 +26869,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/raspberry-robin/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml",
+ "https://redcanary.com/blog/raspberry-robin/"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -26918,9 +26916,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml",
 "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
- "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml"
+ "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east"
 ],
 "tags": "No established tags"
 },
@@ -26963,8 +26961,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/Rubeus",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml",
+ "https://github.com/GhostPack/Rubeus"
 ],
 "tags": [
 "attack.credential_access",
@@ -27015,8 +27013,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
 "https://www.ietf.org/rfc/rfc2821.txt",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml"
 ],
 "tags": [
@@ -27040,8 +27038,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml",
+ "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo"
 ],
 "tags": [
 "attack.command_and_control",
@@ -27138,9 +27136,9 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://attack.mitre.org/groups/G0010/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml",
+ "Internal Research"
 ],
 "tags": [
 "attack.g0010",
@@ -27191,8 +27189,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml",
+ "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22"
 ],
 "tags": [
 "attack.privilege_escalation"
@@ -27214,9 +27212,9 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml",
 "https://github.com/zcgonvh/EfsPotato",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml"
+ "https://twitter.com/SBousseaden/status/1429530155291193354?s=20"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -27266,11 +27264,11 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/d4rksystem/status/1357010969264873472",
- "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
 "https://github.com/Neo23x0/sigma/issues/253",
- "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
 "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
+ "https://twitter.com/d4rksystem/status/1357010969264873472",
+ "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -27321,18 +27319,18 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
 "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
 ],
 "tags": [
@@ -27484,8 +27482,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
- "https://o365blog.com/post/adfs/",
 "https://github.com/Azure/SimuLand",
+ "https://o365blog.com/post/adfs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
 ],
 "tags": [
@@ -27585,9 +27583,9 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
 "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md"
 ],
 "tags": [
 "attack.impact",
@@ -27660,8 +27658,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://nmap.org/ncat/",
 "https://github.com/besimorhino/powercat",
+ "https://nmap.org/ncat/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
 ],
@@ -27712,8 +27710,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse"
 ],
 "tags": [
 "attack.execution",
@@ -27736,8 +27734,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml"
 ],
 "tags": [
@@ -27761,8 +27759,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html"
 ],
 "tags": [
 "attack.execution",
@@ -27785,8 +27783,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell"
 ],
 "tags": [
 "attack.discovery",
@@ -27809,8 +27807,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md"
 ],
 "tags": [
 "attack.collection",
@@ -27833,8 +27831,8 @@
 "logsource.category": "ps_classic_provider_start",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -27857,10 +27855,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/chadtilbury/status/1275851297770610688",
 "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml",
 "https://github.com/bohops/WSMan-WinRM",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
+ "https://twitter.com/chadtilbury/status/1275851297770610688"
 ],
 "tags": [
 "attack.execution",
@@ -27885,8 +27883,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46"
 ],
 "tags": [
 "attack.execution",
@@ -27935,10 +27933,10 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
- "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml",
 "https://www.mdeditor.tw/pl/pgRt",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
+ "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
+ "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/"
 ],
 "tags": [
 "attack.execution",
@@ -27961,8 +27959,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml",
+ "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -27985,9 +27983,9 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
- "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml"
+ "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28060,8 +28058,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28086,8 +28084,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml",
+ "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28112,8 +28110,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28138,8 +28136,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28164,8 +28162,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28190,8 +28188,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28216,8 +28214,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28242,8 +28240,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28268,8 +28266,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28294,8 +28292,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28320,8 +28318,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28346,8 +28344,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://nmap.org/ncat/",
 "https://github.com/besimorhino/powercat",
+ "https://nmap.org/ncat/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml"
 ],
@@ -28422,8 +28420,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml"
 ],
 "tags": [
@@ -28470,8 +28468,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell"
 ],
 "tags": [
 "attack.discovery",
@@ -28564,9 +28562,9 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml",
 "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml"
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1"
 ],
 "tags": [
 "attack.initial_access",
@@ -28613,8 +28611,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md"
 ],
 "tags": [
 "attack.collection",
@@ -28637,8 +28635,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28661,8 +28659,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse"
 ],
 "tags": [
 "attack.execution",
@@ -28686,8 +28684,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md"
 ],
 "tags": [
 "attack.credential_access",
@@ -28710,9 +28708,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/NathanMcNulty/status/1569497348841287681",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml",
 "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml"
+ "https://twitter.com/NathanMcNulty/status/1569497348841287681"
 ],
 "tags": [
 "attack.impact",
@@ -28735,8 +28733,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
 "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
+ "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml"
 ],
 "tags": [
@@ -28761,9 +28759,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
 "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml",
+ "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28787,8 +28785,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml",
+ "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf"
 ],
 "tags": [
 "attack.execution",
@@ -28898,8 +28896,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen"
 ],
 "tags": [
 "attack.collection",
@@ -28924,8 +28922,8 @@
 "refs": [
 "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
 "https://www.shellhacks.com/clear-history-powershell/",
- "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml",
+ "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28949,8 +28947,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml",
+ "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -28998,9 +28996,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml",
 "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
- "https://twitter.com/bohops/status/948061991012327424",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml"
+ "https://twitter.com/bohops/status/948061991012327424"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29023,9 +29021,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml",
 "https://twitter.com/pabraeken/status/995111125447577600",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml"
+ "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29048,9 +29046,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml",
 "https://twitter.com/pabraeken/status/995111125447577600",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml"
+ "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29073,9 +29071,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task"
 ],
 "tags": [
 "attack.persistence",
@@ -29098,8 +29096,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll"
 ],
 "tags": [
 "attack.credential_access",
@@ -29122,8 +29120,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler"
 ],
 "tags": [
 "attack.persistence",
@@ -29172,9 +29170,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml",
 "https://attack.mitre.org/datasources/DS0005/",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml"
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7"
 ],
 "tags": [
 "attack.credential_access",
@@ -29221,9 +29219,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
- "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"
+ "https://techgenix.com/malicious-powershell-scripts-evade-detection/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29270,8 +29268,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
 "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
 ],
 "tags": [
@@ -29320,8 +29318,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
- "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml",
+ "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29369,8 +29367,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md"
 ],
 "tags": [
 "attack.credential_access",
@@ -29538,9 +29536,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2"
 ],
 "tags": [
 "attack.persistence",
@@ -29563,9 +29561,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.powershellgallery.com/packages/DSInternals",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml",
+ "https://www.powershellgallery.com/packages/DSInternals"
 ],
 "tags": [
 "attack.credential_access",
@@ -29612,8 +29610,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml",
+ "https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1"
 ],
 "tags": [
 "attack.discovery"
@@ -29635,8 +29633,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp"
 ],
 "tags": [
 "attack.exfiltration",
@@ -29683,9 +29681,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -29708,9 +29706,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml",
 "https://github.com/Arno0x/DNSExfiltrator",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh"
 ],
 "tags": [
 "attack.exfiltration",
@@ -29733,8 +29731,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml",
+ "https://github.com/calebstewart/CVE-2021-1675"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -29757,8 +29755,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29783,8 +29781,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml",
+ "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29809,8 +29807,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29835,8 +29833,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29861,8 +29859,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29887,8 +29885,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29913,8 +29911,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29939,8 +29937,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29965,8 +29963,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -29991,8 +29989,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -30017,8 +30015,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -30043,9 +30041,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1"
 ],
 "tags": [
 "attack.collection",
@@ -30093,11 +30091,11 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml",
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/"
 ],
 "tags": [
 "attack.exfiltration"
@@ -30119,13 +30117,13 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=2921",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
 "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1"
 ],
 "tags": [
 "attack.execution",
@@ -30221,9 +30219,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml",
 "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
- "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
+ "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html"
 ],
 "tags": [
 "attack.execution",
@@ -30270,9 +30268,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "http://www.powertheshell.com/ntfsstreams/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml"
+ "http://www.powertheshell.com/ntfsstreams/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -30297,8 +30295,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md"
 ],
 "tags": [
 "attack.persistence",
@@ -30321,8 +30319,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml",
+ "https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script"
 ],
 "tags": [
 "attack.credential_access",
@@ -30346,10 +30344,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://powersploit.readthedocs.io/en/stable/Recon/README",
- "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
- "https://thedfirreport.com/2020/10/08/ryuks-return",
 "https://adsecurity.org/?p=2277",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
+ "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml",
+ "https://thedfirreport.com/2020/10/08/ryuks-return"
 ],
 "tags": [
 "attack.execution",
@@ -30372,8 +30370,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/850381440629981184",
 "https://t.co/ezOTGy1a1G",
+ "https://twitter.com/JohnLaTwC/status/850381440629981184",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml"
 ],
 "tags": [
@@ -30446,9 +30444,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle"
 ],
 "tags": [
 "attack.execution",
@@ -30471,9 +30469,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml"
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -30496,8 +30494,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell"
 ],
 "tags": [
 "attack.credential_access",
@@ -30544,8 +30542,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
 "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml"
 ],
 "tags": [
@@ -30569,8 +30567,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md"
 ],
 "tags": [
 "attack.discovery",
@@ -30593,10 +30591,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
 "https://www.ietf.org/rfc/rfc2821.txt",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2"
 ],
 "tags": [
 "attack.exfiltration",
@@ -30619,8 +30617,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1570814999370801158",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml",
+ "https://twitter.com/malmoeb/status/1570814999370801158"
 ],
 "tags": [
 "attack.discovery",
@@ -30643,9 +30641,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
 "https://adsecurity.org/?p=2604",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
 ],
 "tags": [
@@ -30696,8 +30694,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Shellntel/scripts/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml",
+ "https://github.com/Shellntel/scripts/"
 ],
 "tags": [
 "attack.execution",
@@ -30720,9 +30718,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
- "https://github.com/harleyQu1nn/AggressorScripts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml"
+ "https://github.com/harleyQu1nn/AggressorScripts"
 ],
 "tags": [
 "attack.discovery",
@@ -30794,8 +30792,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/oroneequalsone/status/1568432028361830402",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
 ],
 "tags": [
@@ -30820,8 +30818,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
- "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml",
+ "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents"
 ],
 "tags": [
 "attack.discovery",
@@ -30891,9 +30889,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
 "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a"
 ],
 "tags": [
 "attack.credential_access",
@@ -30916,8 +30914,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md"
 ],
 "tags": [
 "attack.credential_access",
@@ -30940,9 +30938,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1537919885031772161",
 "https://lolbas-project.github.io/lolbas/Binaries/Msdt/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml",
+ "https://twitter.com/nas_bench/status/1537919885031772161"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -30965,8 +30963,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/PythonResponder/status/1385064506049630211",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml",
+ "https://twitter.com/PythonResponder/status/1385064506049630211"
 ],
 "tags": [
 "attack.credential_access",
@@ -30989,8 +30987,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -31014,8 +31012,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md"
 ],
 "tags": [
 "attack.discovery",
@@ -31038,8 +31036,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy",
 "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml"
 ],
 "tags": [
@@ -31087,9 +31085,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script"
 ],
 "tags": [
 "attack.discovery",
@@ -31112,8 +31110,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml"
 ],
 "tags": [
@@ -31137,9 +31135,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process"
 ],
 "tags": [
 "attack.discovery",
@@ -31162,9 +31160,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml",
 "https://attack.mitre.org/datasources/DS0005/",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml"
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7"
 ],
 "tags": [
 "attack.persistence",
@@ -31187,9 +31185,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml",
 "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -31258,8 +31256,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols" ], "tags": [ "attack.command_and_control", @@ -31307,8 +31305,8 @@ "logsource.product": "windows", "refs": [ "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], 
@@ -31357,8 +31355,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md" ], "tags": [ "attack.collection", @@ -31381,8 +31379,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md" ], "tags": [ "attack.defense_evasion", 
@@ -31430,8 +31428,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos" ], "tags": [ "attack.credential_access", @@ -31454,9 +31452,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell" ], "tags": [ "attack.lateral_movement", 
@@ -31479,8 +31477,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml", + "https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1" ], "tags": [ "attack.command_and_control", @@ -31527,8 +31525,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group" ], "tags": [ "attack.impact", @@ -31552,8 +31550,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" ], "tags": [ 
@@ -31603,9 +31601,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", - "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" + "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926" ], "tags": [ "attack.command_and_control", @@ -31628,8 +31626,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" ], "tags": [ 
@@ -31653,9 +31651,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream" ], "tags": [ "attack.defense_evasion", @@ -31678,8 +31676,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md" ], "tags": [ "attack.impact", 
@@ -31702,8 +31700,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md" ], "tags": [ "attack.discovery", @@ -31726,8 +31724,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell" ], "tags": [ "attack.impact", 
@@ -31750,9 +31748,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml", "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell" ], "tags": [ "attack.impact", @@ -31775,8 +31773,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md" ], "tags": [ "attack.defense_evasion", 
@@ -31799,8 +31797,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml", + "https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/" ], "tags": [ "attack.defense_evasion" @@ -31822,8 +31820,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md" ], "tags": [ "attack.collection", @@ -31846,8 +31844,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/" ], "tags": [ "attack.defense_evasion", 
@@ -31870,9 +31868,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml" ], "tags": [ @@ -31896,8 +31894,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml", + "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088" ], "tags": [ "attack.defense_evasion", 
@@ -31920,9 +31918,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", - "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" + "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps" ], "tags": [ "attack.command_and_control", @@ -31946,8 +31944,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", - "https://www.offensive-security.com/metasploit-unleashed/timestomp/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml", + "https://www.offensive-security.com/metasploit-unleashed/timestomp/" ], "tags": [ "attack.defense_evasion", 
@@ -31994,10 +31992,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", - "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml" + "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md" ], "tags": [ "attack.exfiltration", @@ -32021,8 +32019,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ @@ -32048,9 +32046,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request.yml", + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/" ], "tags": [ "attack.execution", 
@@ -32097,12 +32095,12 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", - "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps" ], "tags": [ "attack.defense_evasion", @@ -32125,8 +32123,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md" ], "tags": [ "attack.persistence", 
@@ -32149,8 +32147,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml", + "https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html" ], "tags": [ "attack.defense_evasion", @@ -32175,8 +32173,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/FortyNorthSecurity/WMImplant", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml", + "https://github.com/FortyNorthSecurity/WMImplant" ], "tags": [ "attack.execution", @@ -32200,9 +32198,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md" ], "tags": [ "attack.privilege_escalation", 
@@ -32225,10 +32223,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/" ], "tags": [ "attack.execution", @@ -32251,8 +32249,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests" ], "tags": [ "attack.execution", 
@@ -32299,10 +32297,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1541920424635912196", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/process_access_win_susp_seclogon.yml", "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/process_access_win_susp_seclogon.yml" + "https://twitter.com/SBousseaden/status/1541920424635912196" ], "tags": [ "attack.credential_access", @@ -32355,8 +32353,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/boku7/injectAmsiBypass", - "https://github.com/boku7/spawn", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml", + "https://github.com/boku7/spawn" ], "tags": [ "attack.execution", 
@@ -32381,11 +32379,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html" ], "tags": [ "attack.credential_access", @@ -32410,8 +32408,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml", + "https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6" ], "tags": [ "attack.execution", 
@@ -32434,8 +32432,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", "https://github.com/codewhitesec/SysmonEnte/", + "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml" ], @@ -32486,9 +32484,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/hlldz/Invoke-Phant0m", "https://twitter.com/timbmsft/status/900724491076214784", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml", + "https://github.com/hlldz/Invoke-Phant0m" ], "tags": [ "attack.defense_evasion", @@ -32511,8 +32509,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml", + "https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/" ], "tags": [ "attack.privilege_escalation", 
@@ -32537,8 +32535,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/bh4b3sh/status/1303674603819081728", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml", + "https://twitter.com/bh4b3sh/status/1303674603819081728" ], "tags": [ "attack.credential_access", @@ -32587,8 +32585,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", + "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml" ], "tags": [ @@ -32614,8 +32612,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/shantanukhande/status/1229348874298388484", - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/" ], "tags": [ "attack.credential_access", 
@@ -32638,10 +32636,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ @@ -32666,10 +32664,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", - "https://twitter.com/mrd0x/status/1460597833917251595", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" + "https://twitter.com/_xpn_/status/1491557187168178176", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml", + "https://twitter.com/mrd0x/status/1460597833917251595" ], "tags": [ "attack.credential_access", 
@@ -32693,8 +32691,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml" ], "tags": [ @@ -32720,8 +32718,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml", + "https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507" ], "tags": [ "attack.credential_access", @@ -32745,8 +32743,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/837743453039534080", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml", + "https://twitter.com/JohnLaTwC/status/837743453039534080" ], "tags": [ "attack.defense_evasion", 
@@ -32799,8 +32797,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/skelsec/pypykatz",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml",
+ "https://github.com/skelsec/pypykatz"
 ],
 "tags": [
 "attack.credential_access",
@@ -32823,12 +32821,12 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights"
 ],
 "tags": [
 "attack.credential_access",
@@ -32852,10 +32850,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
 ],
@@ -32881,12 +32879,12 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml"
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights"
 ],
 "tags": [
 "attack.credential_access",
@@ -32981,8 +32979,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml",
+ "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -33031,11 +33029,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
- "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml"
+ "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat"
 ],
 "tags": [
 "attack.discovery",
@@ -33058,13 +33056,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml"
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer"
 ],
 "tags": [
 "attack.discovery",
@@ -33138,8 +33136,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml",
+ "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -33237,8 +33235,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
- "https://support.anydesk.com/Automatic_Deployment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml",
+ "https://support.anydesk.com/Automatic_Deployment"
 ],
 "tags": [
 "attack.command_and_control",
@@ -33310,9 +33308,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
 "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml",
+ "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/"
 ],
 "tags": [
 "attack.execution",
@@ -33336,8 +33334,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml",
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
 ],
 "tags": [
 "attack.execution",
@@ -33365,8 +33363,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml",
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
 ],
 "tags": [
 "attack.credential_access",
@@ -33414,8 +33412,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml",
+ "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/"
 ],
 "tags": [
 "attack.persistence",
@@ -33470,9 +33468,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml",
 "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
- "https://attack.mitre.org/software/S0488/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml"
+ "https://attack.mitre.org/software/S0488/"
 ],
 "tags": [
 "attack.g0035",
@@ -33498,8 +33496,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_elise.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_elise.yml",
+ "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting"
 ],
 "tags": [
 "attack.g0030",
@@ -33526,8 +33524,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965",
- "https://twitter.com/cyb3rops/status/1168863899531132929",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml",
+ "https://twitter.com/cyb3rops/status/1168863899531132929"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -33550,8 +33548,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml",
+ "https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -33574,9 +33572,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=",
- "https://securelist.com/apt-slingshot/84312/",
 "https://twitter.com/cyb3rops/status/972186477512839170",
+ "https://securelist.com/apt-slingshot/84312/",
+ "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml"
 ],
 "tags": [
@@ -33601,9 +33599,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml",
 "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml"
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -33626,9 +33624,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/"
 ],
 "tags": [
 "attack.credential_access",
@@ -33653,9 +33651,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/"
 ],
 "tags": [
 "attack.credential_access",
@@ -33680,8 +33678,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
 "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml"
 ],
 "tags": [
@@ -33737,8 +33735,8 @@
 "refs": [
 "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
 "https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
+ "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
 "https://twitter.com/BleepinComputer/status/1372218235949617161",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml"
 ],
@@ -33789,8 +33787,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml",
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -33818,8 +33816,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
- "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml",
+ "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/"
 ],
 "tags": [
 "attack.g0004",
@@ -33843,8 +33841,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml",
+ "https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/"
 ],
 "tags": [
 "attack.g0032",
@@ -33868,9 +33866,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml",
 "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
- "https://www.hvs-consulting.de/lazarus-report/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml"
+ "https://www.hvs-consulting.de/lazarus-report/"
 ],
 "tags": [
 "attack.g0032",
@@ -33894,9 +33892,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hvs-consulting.de/lazarus-report/",
 "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml",
+ "https://www.hvs-consulting.de/lazarus-report/"
 ],
 "tags": [
 "attack.g0032",
@@ -33920,8 +33918,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -33944,8 +33942,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mercury.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mercury.yml",
+ "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/"
 ],
 "tags": [
 "attack.execution",
@@ -33969,9 +33967,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml",
 "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml"
+ "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -33994,10 +33992,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
- "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml",
 "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
+ "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
+ "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/"
 ],
 "tags": [
 "attack.t1587.001",
@@ -34021,10 +34019,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
- "https://www.joesandbox.com/analysis/443736/0/html",
 "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
 "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
 "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
+ "https://www.joesandbox.com/analysis/443736/0/html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml"
 ],
 "tags": [
@@ -34078,8 +34076,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/apt-slingshot/84312/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml",
+ "https://securelist.com/apt-slingshot/84312/"
 ],
 "tags": [
 "attack.persistence",
@@ -34103,10 +34101,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml",
 "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100",
 "https://twitter.com/ClearskySec/status/960924755355369472",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml"
+ "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/"
 ],
 "tags": [
 "attack.g0007",
@@ -34133,9 +34131,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
- "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml",
 "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
+ "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml",
+ "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml"
 ],
 "tags": [
@@ -34234,8 +34232,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_tropictrooper.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_tropictrooper.yml",
+ "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/"
 ],
 "tags": [
 "attack.execution",
@@ -34258,8 +34256,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/the-epic-turla-operation/65545/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml",
+ "https://securelist.com/the-epic-turla-operation/65545/"
 ],
 "tags": [
 "attack.g0010",
@@ -34288,8 +34286,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/the-epic-turla-operation/65545/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml",
+ "https://securelist.com/the-epic-turla-operation/65545/"
 ],
 "tags": [
 "attack.g0010",
@@ -34345,8 +34343,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"
 ],
 "tags": [
 "attack.execution",
@@ -34369,9 +34367,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
 "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml"
 ],
 "tags": [
@@ -34469,8 +34467,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
- "https://twitter.com/SBousseaden/status/1207671369963646976",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml",
+ "https://twitter.com/SBousseaden/status/1207671369963646976"
 ],
 "tags": [
 "attack.discovery",
@@ -34527,8 +34525,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml",
+ "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"
 ],
 "tags": [
 "attack.t1204",
@@ -34602,9 +34600,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
- "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
 "https://github.com/h3v0x/CVE-2021-26084_Confluence",
+ "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml"
 ],
 "tags": [
@@ -34655,8 +34653,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -34680,8 +34678,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
- "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml",
+ "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -34704,9 +34702,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_automated_collection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_automated_collection.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md"
 ],
 "tags": [
 "attack.collection",
@@ -34731,14 +34729,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", - "https://www.cobaltstrike.com/help-opsec", - "https://twitter.com/CyberRaiju/status/1251492025678983169", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml" + "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://www.cobaltstrike.com/help-opsec", + "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/" ], "tags": [ "attack.defense_evasion", @@ -34787,8 +34785,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar" ], "tags": [ "attack.execution", 
@@ -34813,8 +34811,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml" ], "tags": [ @@ -34840,8 +34838,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], @@ -34869,11 +34867,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker" ], "tags": [ "attack.defense_evasion", 
@@ -34899,8 +34897,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml" ], @@ -34928,8 +34926,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml" ], @@ -34957,8 +34955,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], @@ -34986,8 +34984,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], 
@@ -35015,9 +35013,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md" ], "tags": [ "attack.impact", @@ -35065,9 +35063,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml", "https://twitter.com/mattifestation/status/986280382042595328", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml" + "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html" ], "tags": [ "attack.defense_evasion", 
@@ -35094,9 +35092,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml", "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml" + "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36" ], "tags": [ "attack.execution", @@ -35119,8 +35117,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c3_load_by_rundll32.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c3_load_by_rundll32.yml", + "https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12" ], "tags": [ "attack.defense_evasion", 
@@ -35143,10 +35141,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml", + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2" ], "tags": [ "attack.defense_evasion", @@ -35169,8 +35167,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/issues/243", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml", + "https://github.com/LOLBAS-Project/LOLBAS/issues/243" ], "tags": [ "attack.defense_evasion", 
@@ -35193,8 +35191,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_association.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_association.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md" ], "tags": [ "attack.persistence", @@ -35241,9 +35239,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/jpillora/chisel/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml", "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml" + "https://github.com/jpillora/chisel/" ], "tags": [ "attack.command_and_control", @@ -35315,9 +35313,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip.yml", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md" ], "tags": [ "attack.collection", 
@@ -35341,8 +35339,8 @@ "logsource.product": "windows", "refs": [ "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", - "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml", + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx" ], "tags": [ "attack.credential_access", @@ -35365,8 +35363,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_delete.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_delete.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md" ], "tags": [ "attack.defense_evasion", @@ -35413,8 +35411,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md" ], "tags": [ "attack.execution", 
@@ -35437,8 +35435,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/syntax-redirection.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml", + "https://ss64.com/nt/syntax-redirection.html" ], "tags": [ "attack.discovery", @@ -35461,8 +35459,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/" ], "tags": [ "attack.execution", @@ -35488,8 +35486,8 @@ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://twitter.com/hFireF0X/status/897640081053364225", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml", + "https://github.com/hfiref0x/UACME" ], "tags": [ "attack.execution", 
@@ -35545,9 +35543,9 @@ "logsource.product": "windows", "refs": [ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/" ], "tags": [ "attack.execution", @@ -35571,8 +35569,8 @@ "logsource.product": "windows", "refs": [ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml" ], "tags": [ @@ -35596,10 +35594,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cobaltstrike.com/help-windows-executable", "https://redcanary.com/threat-detection-report/", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml", + "https://www.cobaltstrike.com/help-windows-executable", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" ], "tags": [ "attack.defense_evasion", 
@@ -35647,9 +35645,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml", "https://twitter.com/Oddvarmoe/status/1270633613449723905", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml" + "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/" ], "tags": [ "attack.execution", @@ -35674,8 +35672,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/hexacorn/status/1448037865435320323", - "https://twitter.com/Gal_B1t/status/1062971006078345217", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml", + "https://twitter.com/Gal_B1t/status/1062971006078345217" ], "tags": [ "attack.defense_evasion", @@ -35698,8 +35696,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml" ], "tags": [ 
@@ -35748,8 +35746,8 @@ "logsource.product": "windows", "refs": [ "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", - "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml", + "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19" ], "tags": [ "attack.impact", @@ -35773,9 +35771,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml" ], "tags": [ 
@@ -35903,13 +35901,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://twitter.com/Hexacorn/status/776122138063409152", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml", + "https://twitter.com/gN3mes1s/status/941315826107510784" ], "tags": [ "attack.defense_evasion", @@ -35960,8 +35958,8 @@ "logsource.product": "windows", "refs": [ "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", - "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml", + "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter" ], "tags": [ "attack.credential_access", 
@@ -35982,8 +35980,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml", + "https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html" ], "tags": [ "attack.credential_access", @@ -36007,8 +36005,8 @@ "logsource.product": "windows", "refs": [ "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", - "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_fireball.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_fireball.yml", + "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100" ], "tags": [ "attack.execution", 
@@ -36032,10 +36030,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml", "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/", "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml" + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html" ], "tags": [ "attack.execution", @@ -36086,8 +36084,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.poolwatch.io/coin/monero", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml", + "https://www.poolwatch.io/coin/monero" ], "tags": [ "attack.impact", @@ -36111,8 +36109,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download.yml", + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464" ], "tags": [ "attack.command_and_control", 
@@ -36160,9 +36158,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml", "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md" ], "tags": [ "attack.collection", @@ -36257,8 +36255,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/snovvcrash/DInjector", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dinjector.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dinjector.yml", + "https://github.com/snovvcrash/DInjector" ], "tags": [ "attack.defense_evasion", @@ -36281,8 +36279,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md" ], "tags": [ "attack.discovery", 
@@ -36330,8 +36328,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md" ], "tags": [ "attack.credential_access", @@ -36354,8 +36352,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml", + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool" ], "tags": [ "attack.defense_evasion", @@ -36378,8 +36376,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml", + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/" ], "tags": [ "attack.defense_evasion", 
@@ -36403,9 +36401,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/lukebaggett/dnscat2-powershell", - "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml", + "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html" ], "tags": [ "attack.command_and_control", @@ -36509,9 +36507,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", "https://twitter.com/_felamos/status/1204705548668555264", "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml" ], "tags": [ @@ -36535,8 +36533,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/dsacls.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" ], "tags": [ 
@@ -36560,9 +36558,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", - "https://ss64.com/nt/dsacls.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ @@ -36634,8 +36632,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml" ], "tags": [ @@ -36658,8 +36656,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.x86matthew.com/view_post?id=embed_exe_lnk", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml", + "https://www.x86matthew.com/view_post?id=embed_exe_lnk" ], "tags": [ "attack.execution", 
@@ -36730,11 +36728,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
 "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
- "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
 "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml"
+ "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml",
+ "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password"
 ],
 "tags": [
 "attack.credential_access",
@@ -36781,10 +36779,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
- "https://redcanary.com/threat-detection-report/threats/qbot/",
 "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml",
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
+ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/"
 ],
 "tags": [
 "attack.collection",
@@ -36807,16 +36805,16 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml",
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml"
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -36839,10 +36837,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml",
 "https://abuse.io/lockergoga.txt",
- "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml"
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -36867,8 +36865,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm",
 "https://github.com/Hackplayers/evil-winrm",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_evil_winrm.yml"
 ],
 "tags": [
@@ -36966,8 +36964,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
 "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
+ "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml"
 ],
 "tags": [
@@ -37043,9 +37041,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml",
 "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100",
- "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml"
+ "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw"
 ],
 "tags": [
 "attack.execution",
@@ -37072,8 +37070,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
- "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml",
+ "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100"
 ],
 "tags": [
 "attack.execution",
@@ -37099,8 +37097,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml",
+ "https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -37127,9 +37125,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388",
 "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml",
+ "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -37153,8 +37151,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
- "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml",
+ "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224"
 ],
 "tags": [
 "attack.initial_access",
@@ -37182,8 +37180,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://windows-internals.com/printdemon-cve-2020-1048/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml",
+ "https://windows-internals.com/printdemon-cve-2020-1048/"
 ],
 "tags": [
 "attack.persistence",
@@ -37208,8 +37206,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
- "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml",
+ "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html"
 ],
 "tags": [
 "attack.initial_access",
@@ -37235,8 +37233,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/klinix5/InstallerFileTakeOver",
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml",
+ "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -37259,8 +37257,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GossiTheDog/SystemNightmare",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml",
+ "https://github.com/GossiTheDog/SystemNightmare"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -37283,8 +37281,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite"
 ],
 "tags": [
 "attack.execution",
@@ -37311,8 +37309,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -37359,8 +37357,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml",
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1"
 ],
 "tags": [
 "attack.credential_access",
@@ -37431,9 +37429,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://asec.ahnlab.com/en/38156/",
 "https://github.com/fatedier/frp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml",
+ "https://asec.ahnlab.com/en/38156/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -37456,9 +37454,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Turla has used fsutil fsinfo drives to list connected drives. https://attack.mitre.org/techniques/T1120/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml",
 "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
+ "Turla has used fsutil fsinfo drives to list connected drives. https://attack.mitre.org/techniques/T1120/"
 ],
 "tags": [
 "attack.discovery",
@@ -37481,9 +37479,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml",
 "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
- "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
+ "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior"
 ],
 "tags": [
 "attack.execution",
@@ -37578,10 +37576,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml"
+ "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation"
 ],
 "tags": [
 "attack.credential_access",
@@ -37607,8 +37605,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml",
+ "Internal Research"
 ],
 "tags": "No established tags"
 },
@@ -37628,8 +37626,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/bats3c/ADCSPwn",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml",
+ "https://github.com/bats3c/ADCSPwn"
 ],
 "tags": [
 "attack.credential_access",
@@ -37652,8 +37650,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/BloodHoundAD/BloodHound",
 "https://github.com/BloodHoundAD/SharpHound",
+ "https://github.com/BloodHoundAD/BloodHound",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml"
 ],
 "tags": [
@@ -37683,9 +37681,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cube0x0",
 "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml",
+ "https://github.com/cube0x0"
 ],
 "tags": "No established tags"
 },
@@ -37705,8 +37703,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/outflanknl/Dumpert",
 "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml"
 ],
 "tags": [
@@ -37756,9 +37754,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml",
 "https://github.com/Kevin-Robertson/Inveigh",
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml"
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"
 ],
 "tags": [
 "attack.credential_access",
@@ -37781,10 +37779,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml",
 "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
 "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml"
+ "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/"
 ],
 "tags": [
 "attack.execution",
@@ -37809,8 +37807,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cube0x0/KrbRelay",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml",
+ "https://github.com/cube0x0/KrbRelay"
 ],
 "tags": [
 "attack.credential_access",
@@ -37833,8 +37831,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Dec0ne/KrbRelayUp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml",
+ "https://github.com/Dec0ne/KrbRelayUp"
 ],
 "tags": [
 "attack.credential_access",
@@ -37859,10 +37857,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
- "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml",
 "https://github.com/GhostPack/Rubeus",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml"
+ "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
+ "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html"
 ],
 "tags": [
 "attack.credential_access",
@@ -37888,8 +37886,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/SafetyKatz",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml",
+ "https://github.com/GhostPack/SafetyKatz"
 ],
 "tags": [
 "attack.credential_access",
@@ -37912,8 +37910,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securityxploded.com/",
 "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
+ "https://securityxploded.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml"
 ],
 "tags": [
@@ -37937,9 +37935,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml",
 "https://github.com/mandiant/SharPersist",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml"
+ "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit"
 ],
 "tags": [
 "attack.persistence",
@@ -38061,8 +38059,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml",
+ "https://twitter.com/mrd0x/status/1478234484881436672?s=12"
 ],
 "tags": [
 "attack.command_and_control",
@@ -38085,9 +38083,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml",
 "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38110,9 +38108,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml",
 "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38135,8 +38133,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml",
+ "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"
 ],
 "tags": [
 "attack.t1211",
@@ -38161,8 +38159,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
 "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml"
 ],
 "tags": [
@@ -38187,8 +38185,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml",
+ "https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass"
 ],
 "tags": [
 "attack.credential_access",
@@ -38211,8 +38209,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml",
+ "https://github.com/hfiref0x/UACME"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38237,8 +38235,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml"
 ],
 "tags": [
@@ -38274,12 +38272,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
- "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
- "https://twitter.com/cyberwar_15/status/1187287262054076416",
- "https://blog.alyac.co.kr/1901",
 "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
+ "https://twitter.com/cyberwar_15/status/1187287262054076416",
+ "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
+ "https://blog.alyac.co.kr/1901",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml",
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1"
 ],
 "tags": [
 "attack.initial_access",
@@ -38306,8 +38304,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_icacls_deny.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_icacls_deny.yml",
+ "https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38330,8 +38328,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml",
+ "https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html"
 ],
 "tags": [
 "attack.credential_access",
@@ -38354,8 +38352,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38426,8 +38424,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml",
+ "https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries"
 ],
 "tags": [
 "attack.execution",
@@ -38450,11 +38448,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml"
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py"
 ],
 "tags": [
 "attack.execution",
@@ -38479,9 +38477,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
 "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38505,9 +38503,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_cmd.yml",
 "https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_cmd.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38530,9 +38528,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a",
- "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml"
+ "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38555,9 +38553,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml",
 "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38603,8 +38601,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/m417z/status/1566674631788007425",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml",
+ "https://twitter.com/m417z/status/1566674631788007425"
 ],
 "tags": [
 "attack.execution",
@@ -38627,9 +38625,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
 "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml",
+ "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/"
 ],
 "tags": [
 "attack.persistence",
@@ -38654,8 +38652,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml",
+ "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -38678,8 +38676,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_clip.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_clip.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38704,8 +38702,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml",
+ "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38730,8 +38728,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_stdin.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_stdin.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38756,8 +38754,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_var.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_var.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38782,8 +38780,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38808,8 +38806,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38834,8 +38832,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38860,8 +38858,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_clip.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_clip.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38886,8 +38884,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38912,8 +38910,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -38938,8 +38936,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_var.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_var.yml",
+ "https://github.com/Neo23x0/sigma/issues/1009"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39014,9 +39012,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/0gtweet/status/1564968845726580736",
- "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
+ "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html"
 ],
 "tags": [
 "attack.command_and_control",
@@ -39041,8 +39039,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://codewhitesec.blogspot.com/2018/07/lethalhta.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lethalhta.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lethalhta.yml",
+ "https://codewhitesec.blogspot.com/2018/07/lethalhta.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39065,8 +39063,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md"
 ],
 "tags": [
 "attack.discovery",
@@ -39090,8 +39088,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logmein.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logmein.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows"
 ],
 "tags": [
 "attack.command_and_control",
@@ -39138,13 +39136,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
- "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml",
 "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml"
+ "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml"
 ],
 "tags": [
 "attack.t1204.002",
@@ -39170,9 +39168,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml"
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml"
 ],
 "tags": [
 "attack.t1204.002",
@@ -39198,9 +39196,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
 "https://twitter.com/nas_bench/status/1534916659676422152",
 "https://twitter.com/nas_bench/status/1534915321856917506",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml"
 ],
 "tags": [
@@ -39225,8 +39223,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39249,8 +39247,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bash/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bash/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39321,9 +39319,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml",
 "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
- "https://twitter.com/bohops/status/948061991012327424",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml"
+ "https://twitter.com/bohops/status/948061991012327424"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39346,9 +39344,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml",
 "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml"
+ "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39371,8 +39369,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml",
+ "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39396,8 +39394,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
- "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml",
+ "https://twitter.com/SwiftOnSecurity/status/1455897435063074824"
 ],
 "tags": [
 "attack.execution",
@@ -39498,12 +39496,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
 "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
 "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
+ "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services"
 ],
 "tags": [
 "attack.exfiltration",
@@ -39526,8 +39524,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/pull/147",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/147"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39696,8 +39694,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -39720,8 +39718,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39744,10 +39742,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39773,8 +39771,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
 "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml"
 ],
 "tags": [
@@ -39799,10 +39797,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
- "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
+ "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/"
 ],
 "tags": [
 "attack.execution",
@@ -39825,8 +39823,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Ftp/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Ftp/"
 ],
 "tags": [
 "attack.execution",
@@ -39852,8 +39850,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
- "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39876,9 +39874,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml",
 "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
- "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml"
+ "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39923,8 +39921,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/",
- "https://www.echotrail.io/insights/search/ilasm.exe",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml",
+ "https://www.echotrail.io/insights/search/ilasm.exe"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39947,8 +39945,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/pull/239",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/239"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39971,8 +39969,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Jsc/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Jsc/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -39995,8 +39993,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml",
+ "https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40019,8 +40017,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1535981653239255040",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml",
+ "https://twitter.com/nas_bench/status/1535981653239255040"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40043,8 +40041,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40067,8 +40065,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Msdt/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msdt/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40092,8 +40090,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40117,8 +40115,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40166,8 +40164,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1537563834478645252",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml",
+ "https://twitter.com/nas_bench/status/1537563834478645252"
 ],
 "tags": [
 "attack.execution",
@@ -40291,8 +40289,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40316,8 +40314,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/pull/239/files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/239/files"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40367,8 +40365,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Pubprn/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml",
+ "https://lolbas-project.github.io/lolbas/Scripts/Pubprn/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40391,9 +40389,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
- "https://github.com/fireeye/DueDLLigence",
 "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
+ "https://github.com/fireeye/DueDLLigence",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
 ],
 "tags": [
@@ -40417,10 +40415,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortiguard.com/threat-signal-report/4718?s=09",
- "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml",
 "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml"
+ "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
+ "https://www.fortiguard.com/threat-signal-report/4718?s=09"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40443,8 +40441,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml",
+ "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40467,9 +40465,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml",
+ "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40492,9 +40490,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
+ "https://lolbas-project.github.io/lolbas/Binaries/Replace/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -40517,8 +40515,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Desk/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml",
+ "https://lolbas-project.github.io/lolbas/Libraries/Desk/"
 ],
 "tags": [
 "attack.t1218.011",
@@ -40566,8 +40564,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/pull/264",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/264"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40615,9 +40613,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml",
 "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
- "https://twitter.com/0gtweet/status/1457676633809330184",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml"
+ "https://twitter.com/0gtweet/status/1457676633809330184"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40664,10 +40662,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
- "https://twitter.com/bohops/status/1477717351017680899?s=12",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
+ "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml",
+ "https://twitter.com/bohops/status/1477717351017680899?s=12"
 ],
 "tags": [
 "attack.execution"
@@ -40689,9 +40687,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40741,8 +40739,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
- "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml",
+ "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html"
 ],
 "tags": [
 "attack.persistence",
@@ -40765,9 +40763,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
 "https://twitter.com/harr0ey/status/992008180904419328",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40790,8 +40788,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1526833181831200770",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml",
+ "https://twitter.com/0gtweet/status/1526833181831200770"
 ],
 "tags": [
 "attack.persistence",
@@ -40841,10 +40839,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/countuponsec/status/910977826853068800",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml",
 "https://twitter.com/countuponsec/status/910969424215232518",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
+ "https://twitter.com/countuponsec/status/910977826853068800"
 ],
 "tags": [
 "attack.credential_access",
@@ -40896,8 +40894,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40921,8 +40919,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
- "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -40970,10 +40968,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml",
 "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
 "https://twitter.com/mattifestation/status/1196390321783025666",
- "https://twitter.com/oulusoyum/status/1191329746069655553",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
+ "https://twitter.com/oulusoyum/status/1191329746069655553"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -41024,9 +41022,9 @@
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
- "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
+ "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -41097,8 +41095,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml"
 ],
 "tags": [
@@ -41122,9 +41120,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
- "https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml"
+ "https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -41170,8 +41168,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_long_powershell_commandline.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_long_powershell_commandline.yml",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse"
 ],
 "tags": [
 "attack.execution",
@@ -41194,9 +41192,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml"
 ],
 "tags": [
@@ -41220,11 +41218,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml",
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/"
 ],
 "tags": [
 "attack.exfiltration"
@@ -41271,9 +41269,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml",
 "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml"
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection"
 ],
 "tags": [
 "attack.collection",
@@ -41296,10 +41294,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml",
 "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection"
 ],
 "tags": [
 "attack.impact",
@@ -41350,10 +41348,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/my-name-is-dtrack/93338/",
- "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
 "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml",
+ "https://securelist.com/my-name-is-dtrack/93338/",
+ "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/"
 ],
 "tags": [
 "attack.impact",
@@ -41376,11 +41374,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/",
 "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/",
 "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml",
 "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml"
+ "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/"
 ],
 "tags": [
 "attack.execution",
@@ -41405,11 +41403,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer",
- "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
 "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
- "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml",
+ "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
+ "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer",
+ "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/"
 ],
 "tags": [
 "attack.resource_development",
@@ -41432,9 +41430,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/schroedingers-petya/78870/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml",
 "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml"
+ "https://securelist.com/schroedingers-petya/78870/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -41462,8 +41460,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/killamjr/status/1179034907932315648",
- "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml",
+ "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/"
 ],
 "tags": [
 "attack.execution",
@@ -41486,8 +41484,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml",
+ "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/"
 ],
 "tags": [
 "attack.persistence",
@@ -41536,8 +41534,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/"
 ],
 "tags": [
 "attack.discovery",
@@ -41561,8 +41559,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/"
 ],
 "tags": [
 "attack.execution",
@@ -41666,10 +41664,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml",
 "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/",
- "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml"
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2"
 ],
 "tags": [
 "attack.execution",
@@ -41692,8 +41690,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia"
 ],
 "tags": [
 "attack.execution",
@@ -41718,9 +41716,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
- "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
 "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml",
+ "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/"
 ],
 "tags": [
 "attack.impact",
@@ -41743,8 +41741,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml",
+ "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/"
 ],
 "tags": [
 "attack.execution",
@@ -41767,12 +41765,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
- "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
 "https://twitter.com/bohops/status/980659399495741441",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml",
+ "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
 "https://twitter.com/JohnLaTwC/status/1223292479270600706",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml"
+ "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -41851,9 +41849,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml",
 "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml"
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing"
 ],
 "tags": [
 "attack.execution",
@@ -41874,8 +41872,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml",
+ "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -41948,10 +41946,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
 "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml"
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml",
+ "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -41975,8 +41973,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
- "https://sourceforge.net/projects/mouselock/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml",
+ "https://sourceforge.net/projects/mouselock/"
 ],
 "tags": [
 "attack.credential_access",
@@ -42000,10 +41998,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
- "https://twitter.com/pabraeken/status/995837734379032576",
 "https://twitter.com/pabraeken/status/999090532839313408",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml"
+ "https://twitter.com/pabraeken/status/995837734379032576",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/"
 ],
 "tags": [
 "attack.execution",
@@ -42026,10 +42024,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
- "https://twitter.com/_JohnHammond/status/1531672601067675648",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
+ "https://twitter.com/_JohnHammond/status/1531672601067675648"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42052,10 +42050,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
 "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
+ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42078,8 +42076,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1537896324837781506",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml",
+ "https://twitter.com/nas_bench/status/1537896324837781506"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42102,9 +42100,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml",
+ "https://twitter.com/nao_sec/status/1530196847679401984"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42128,8 +42126,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml",
+ "https://twitter.com/mrd0x/status/1478234484881436672?s=12"
 ],
 "tags": [
 "attack.command_and_control",
@@ -42232,8 +42230,8 @@
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
- "https://twitter.com/_st0pp3r_/status/1583914515996897281",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml",
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42256,8 +42254,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md"
 ],
 "tags": [
 "attack.t1218.007",
@@ -42280,10 +42278,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
- "https://twitter.com/_st0pp3r_/status/1583914515996897281",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42306,10 +42304,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
- "https://twitter.com/_st0pp3r_/status/1583914244344799235",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://twitter.com/_st0pp3r_/status/1583914244344799235"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42332,8 +42330,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42356,8 +42354,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
 "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
+ "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml"
 ],
 "tags": [
@@ -42382,8 +42380,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml"
 ],
 "tags": [
@@ -42457,8 +42455,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml",
+ "https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42481,9 +42479,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml",
 "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
- "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml"
+ "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42507,8 +42505,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
- "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml",
+ "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42555,9 +42553,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
- "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml"
+ "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -42606,9 +42604,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
- "https://adepts.of0x.cc/netsh-portproxy-code/",
 "https://www.dfirnotes.net/portproxy_detection/",
+ "https://adepts.of0x.cc/netsh-portproxy-code/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml"
 ],
 "tags": [
@@ -42660,8 +42658,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml",
+ "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/"
 ],
 "tags": [
 "attack.discovery",
@@ -42709,10 +42707,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
- "https://ss64.com/nt/for.html",
 "https://ss64.com/ps/foreach-object.htmll",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://ss64.com/nt/for.html"
 ],
 "tags": [
 "attack.execution",
@@ -42737,8 +42735,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_sniffing.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_sniffing.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md"
 ],
 "tags": [
 "attack.credential_access",
@@ -42762,8 +42760,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
 "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
+ "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
 "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
 ],
@@ -42789,8 +42787,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md"
 ],
 "tags": [
 "attack.discovery",
@@ -42814,10 +42812,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml",
 "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml"
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/"
 ],
 "tags": [
 "attack.discovery",
@@ -42842,8 +42840,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"
 ],
 "tags": [
@@ -42867,8 +42865,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
 ],
 "tags": [
 "attack.persistence",
@@ -42915,9 +42913,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml",
 "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml"
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy"
 ],
 "tags": [
 "attack.credential_access",
@@ -42965,8 +42963,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nimgrab.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nimgrab.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md"
 ],
 "tags": [
 "attack.command_and_control",
@@ -42989,13 +42987,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
- "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
- "https://attack.mitre.org/techniques/T1482/",
 "https://attack.mitre.org/techniques/T1016/",
 "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://attack.mitre.org/techniques/T1482/",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml",
+ "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/"
 ],
 "tags": [
 "attack.discovery",
@@ -43019,11 +43017,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
- "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
 "https://nodejs.org/api/cli.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml",
+ "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -43070,8 +43068,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml",
+ "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -43094,8 +43092,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/ehang-io/nps",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nps.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nps.yml",
+ "https://github.com/ehang-io/nps"
 ],
 "tags": [
 "attack.command_and_control",
@@ -43118,8 +43116,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Alh4zr3d/status/1566489367232651264",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml",
+ "https://twitter.com/Alh4zr3d/status/1566489367232651264"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -43139,8 +43137,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/alh4zr3d/status/1566489367232651264",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml",
+ "https://twitter.com/alh4zr3d/status/1566489367232651264"
 ],
 "tags": [
 "attack.command_and_control",
@@ -43188,10 +43186,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://twitter.com/frack113/status/1555830623633375232",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://twitter.com/frack113/status/1555830623633375232"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -43214,8 +43212,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://twitter.com/frack113/status/1555830623633375232",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml"
 ],
@@ -43240,8 +43238,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml"
 ],
@@ -43266,10 +43264,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://twitter.com/jonasLyk/status/1555914501802921984",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://twitter.com/jonasLyk/status/1555914501802921984"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -43448,9 +43446,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml",
 "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml"
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100"
 ],
 "tags": [
 "attack.execution",
@@ -43501,9 +43499,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml",
 "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml"
+ "sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c"
 ],
 "tags": [
 "attack.execution",
@@ -43528,8 +43526,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
 "https://github.com/med0x2e/vba2clr",
+ "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml"
 ],
 "tags": [
@@ -43553,8 +43551,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
 "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml"
 ],
 "tags": [
@@ -43578,8 +43576,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1550483085472432128",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml",
+ "https://twitter.com/malmoeb/status/1550483085472432128"
 ],
 "tags": [
 "attack.execution"
@@ -43601,9 +43599,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml",
 "https://www.pdq.com/pdq-deploy/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md"
 ],
 "tags": [
 "attack.execution",
@@ -43627,9 +43625,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/dez_/status/1560101453150257154",
 "https://forensafe.com/blogs/typedpaths.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml",
+ "https://twitter.com/dez_/status/1560101453150257154"
 ],
 "tags": [
 "attack.persistence"
@@ -43651,9 +43649,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
 "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel"
 ],
 "tags": [
 "attack.persistence",
@@ -43676,8 +43674,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/",
 "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/",
+ "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml"
 ],
 "tags": [
@@ -43703,8 +43701,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml",
+ "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -43727,8 +43725,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/735261176745988096",
 "https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120",
+ "https://twitter.com/mattifestation/status/735261176745988096",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml"
 ],
 "tags": [
@@ -43752,9 +43750,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md"
 ],
 "tags": [
 "attack.collection",
@@ -43777,8 +43775,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1063072865992523776",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_b64_shellcode.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_b64_shellcode.yml",
+ "https://twitter.com/cyb3rops/status/1063072865992523776"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -43801,8 +43799,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_bitsjob.yml"
 ],
 "tags": [
@@ -43827,8 +43825,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -43853,9 +43851,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml",
 "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml"
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -43882,8 +43880,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -43908,8 +43906,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -43934,8 +43932,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -43961,10 +43959,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml",
+ "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -43988,8 +43986,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
 "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
+ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
 "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
 ],
@@ -44015,10 +44013,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml",
+ "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -44041,8 +44039,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
 "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_windef_av.yml"
 ],
@@ -44067,8 +44065,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml",
+ "https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -44139,9 +44137,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml",
 "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html"
 ],
 "tags": [
 "attack.execution",
@@ -44164,8 +44162,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml",
+ "https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639"
 ],
 "tags": [
 "attack.t1027",
@@ -44236,9 +44234,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
 ],
 "tags": [
 "attack.execution",
@@ -44261,9 +44259,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
 ],
 "tags": [
 "attack.execution",
@@ -44288,8 +44286,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml",
+ "http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier"
 ],
 "tags": [
 "attack.execution",
@@ -44338,8 +44336,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py"
 ],
 "tags": [
 "attack.execution",
@@ -44369,8 +44367,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml",
+ "https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -44393,8 +44391,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump.yml",
+ "Internal Research"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -44418,8 +44416,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1480785527901204481",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml",
+ "https://twitter.com/mrd0x/status/1480785527901204481"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -44467,13 +44465,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml",
 "https://twitter.com/shantanukhande/status/1229348874298388484",
- "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
+ "https://twitter.com/Wietze/status/1542107456507203586",
+ "https://twitter.com/SBousseaden/status/1167417096374050817",
 "https://twitter.com/Hexacorn/status/1224848930795552769",
 "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
- "https://twitter.com/SBousseaden/status/1167417096374050817",
- "https://twitter.com/Wietze/status/1542107456507203586",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml"
+ "https://twitter.com/pythonresponder/status/1385064506049630211?s=21"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -44525,8 +44523,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg",
 "https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml"
 ],
 "tags": [
@@ -44551,8 +44549,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -44576,9 +44574,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586",
 "https://twitter.com/mrd0x/status/1511489821247684615",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml",
+ "https://twitter.com/mrd0x/status/1511415432888131586"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -44602,11 +44600,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
- "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
- "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
 "https://attack.mitre.org/techniques/T1036/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml"
+ "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml",
+ "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
+ "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -44704,8 +44702,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psh_amsi_bypass_pattern_nov22.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psh_amsi_bypass_pattern_nov22.yml",
+ "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -44729,8 +44727,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/matterpreter/DefenderCheck",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml",
+ "https://github.com/matterpreter/DefenderCheck"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -44753,8 +44751,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/Seatbelt",
 "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
+ "https://github.com/GhostPack/Seatbelt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml"
 ],
 "tags": [
@@ -44780,8 +44778,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/blackbyte-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml",
+ "https://redcanary.com/blog/blackbyte-ransomware/"
 ],
 "tags": "No established tags"
 },
@@ -44825,9 +44823,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/skelsec/pypykatz",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml",
+ "https://github.com/skelsec/pypykatz"
 ],
 "tags": [
 "attack.credential_access",
@@ -44850,8 +44848,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml",
+ "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"
 ],
 "tags": [
 "attack.execution",
@@ -44945,8 +44943,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/blackbyte-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml",
+ "https://redcanary.com/blog/blackbyte-ransomware/"
 ],
 "tags": "No established tags"
 },
@@ -44966,8 +44964,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
 ],
 "tags": [
 "attack.execution"
@@ -44989,9 +44987,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml",
 "https://twitter.com/kmkz_security/status/1220694202301976576",
- "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml"
+ "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -45015,8 +45013,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html"
 ],
 "tags": "No established tags"
 },
@@ -45188,10 +45186,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml"
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini"
 ],
 "tags": [
 "attack.t1112",
@@ -45214,10 +45212,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini"
 ],
 "tags": [
 "attack.t1112",
@@ -45242,9 +45240,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml",
 "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
- "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"
+ "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys"
 ],
 "tags": [
 "attack.persistence",
@@ -45291,9 +45289,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml",
 "https://redcanary.com/threat-detection-report/threats/qbot/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml"
+ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -45364,8 +45362,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml",
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -45388,8 +45386,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets"
 ],
 "tags": [
 "attack.credential_access",
@@ -45438,8 +45436,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import"
 ],
 "tags": [
 "attack.t1112",
@@ -45583,8 +45581,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"
 ],
 "tags": [
@@ -45608,9 +45606,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml",
 "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -45635,9 +45633,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://attack.mitre.org/techniques/T1036/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml",
 "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -45660,10 +45658,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml",
 "https://attack.mitre.org/techniques/T1036/",
 "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -45686,8 +45684,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mariuszbit/status/1531631015139102720",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml",
+ "https://twitter.com/mariuszbit/status/1531631015139102720"
 ],
 "tags": [
 "attack.t1528",
@@ -45736,8 +45734,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf"
 ],
 "tags": [
 "attack.execution",
@@ -45834,8 +45832,8 @@
 "logsource.product": "windows",
 "refs": [
 "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -45913,8 +45911,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -46035,9 +46033,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
 ],
 "tags": [
 "attack.impact",
@@ -46085,8 +46083,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/"
 ],
 "tags": [
 "attack.discovery",
@@ -46136,9 +46134,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
- "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml",
 "https://twitter.com/cyb3rops/status/1514217991034097664",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml"
+ "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html"
 ],
 "tags": [
 "attack.initial_access",
@@ -46210,9 +46208,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml",
 "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -46236,8 +46234,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml",
+ "https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -46262,8 +46260,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bczyz1.github.io/2021/01/30/psexec.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml",
+ "https://bczyz1.github.io/2021/01/30/psexec.html"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -46310,8 +46308,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_from_zip.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_from_zip.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file"
 ],
 "tags": [
 "attack.impact",
@@ -46358,9 +46356,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml",
 "https://twitter.com/Moriarty_Meng/status/984380793383370752",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml"
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -46384,10 +46382,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/techniques/T1564/006/",
- "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
 "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml"
+ "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml",
+ "https://attack.mitre.org/techniques/T1564/006/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -46411,8 +46409,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/"
 ],
 "tags": [
 "attack.execution",
@@ -46437,8 +46435,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte"
 ],
 "tags": "No established tags"
 },
@@ -46484,8 +46482,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/"
 ],
 "tags": [
 "attack.execution",
@@ -46510,9 +46508,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml",
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern"
 ],
 "tags": [
 "attack.execution",
@@ -46560,9 +46558,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage"
 ],
 "tags": [
 "attack.command_and_control",
@@ -46585,9 +46583,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/child-processes/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml",
 "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml"
+ "https://redcanary.com/blog/child-processes/"
 ],
 "tags": [
 "attack.execution",
@@ -46635,8 +46633,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery"
 ],
 "tags": [
 "attack.discovery",
@@ -46659,8 +46657,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html"
 ],
 "tags": [
 "attack.persistence",
@@ -46684,8 +46682,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
 "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml"
 ],
 "tags": [
@@ -46733,10 +46731,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
 ],
 "tags": [
@@ -46761,11 +46759,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml",
 "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
- "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
 "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
- "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml"
+ "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
+ "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -46835,11 +46833,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
 "https://adsecurity.org/?p=2604",
- "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml"
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/"
 ],
 "tags": [
 "attack.execution",
@@ -46862,9 +46860,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml",
 "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell"
 ],
 "tags": [
 "attack.impact",
@@ -46913,8 +46911,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/"
 ],
 "tags": [
 "attack.credential_access",
@@ -46940,15 +46938,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
 "https://blog.talosintelligence.com/2017/05/wannacry.html",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
 "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
- "https://github.com/Neo23x0/Raccine#the-process",
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml"
 ],
 "tags": [
@@ -46974,8 +46972,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/SharpUp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharpup.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharpup.yml",
+ "https://github.com/GhostPack/SharpUp"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -47000,9 +46998,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml",
 "https://github.com/shantanu561993/SharpChisel",
- "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml"
+ "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -47078,8 +47076,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/byt3bl33d3r/SILENTTRINITY",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml",
+ "https://github.com/byt3bl33d3r/SILENTTRINITY"
 ],
 "tags": [
 "attack.command_and_control",
@@ -47102,9 +47100,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_software_discovery.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
- "https://github.com/harleyQu1nn/AggressorScripts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_software_discovery.yml"
+ "https://github.com/harleyQu1nn/AggressorScripts"
 ],
 "tags": [
 "attack.discovery",
@@ -47127,9 +47125,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml",
 "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md"
 ],
 "tags": [
 "attack.collection",
@@ -47152,8 +47150,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spn_enum.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spn_enum.yml",
+ "https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation"
 ],
 "tags": [
 "attack.credential_access",
@@ -47177,8 +47175,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
- "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml",
+ "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html"
 ],
 "tags": [
 "attack.collection",
@@ -47225,8 +47223,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml",
+ "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -47253,8 +47251,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
- "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml",
+ "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf"
 ],
 "tags": [
 "attack.t1546.008",
@@ -47277,8 +47275,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
 "https://twitter.com/eral4m/status/1451112385041911809",
+ "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_execution.yml"
 ],
 "tags": [
@@ -47302,11 +47300,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml",
 "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
- "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
 "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
+ "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
+ "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -47328,8 +47326,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/3proxy/3proxy",
 "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/3proxy/3proxy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml"
 ],
 "tags": [
@@ -47425,8 +47423,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml",
+ "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/"
 ],
 "tags": [
 "attack.persistence",
@@ -47452,10 +47450,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml"
+ "https://www.joeware.net/freetools/tools/adfind/"
 ],
 "tags": [
 "attack.discovery",
@@ -47478,13 +47476,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
 "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml"
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.joeware.net/freetools/tools/adfind/"
 ],
 "tags": [
 "attack.discovery",
@@ -47510,8 +47508,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump"
 ],
 "tags": [
 "attack.discovery",
@@ -47535,9 +47533,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml"
 ],
 "tags": "No established tags"
@@ -47559,9 +47557,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml"
 ],
 "tags": "No established tags"
@@ -47582,8 +47580,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml"
 ],
 "tags": [
@@ -47633,8 +47631,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
 "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml"
 ],
 "tags": [
@@ -47658,9 +47656,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
- "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml"
+ "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -47685,9 +47683,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml",
 "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml"
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/"
 ],
 "tags": [
 "attack.execution",
@@ -47713,8 +47711,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml",
+ "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps"
 ],
 "tags": [
 "attack.exfiltration",
@@ -47790,10 +47788,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
 "http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cdb.yml",
 "https://twitter.com/nas_bench/status/1534957360032120833",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cdb.yml"
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"
 ],
 "tags": [
 "attack.execution",
@@ -47819,11 +47817,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/835149808817991680",
- "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
- "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
- "https://twitter.com/egre55/status/1087685529016193025",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://twitter.com/JohnLaTwC/status/835149808817991680",
+ "https://twitter.com/egre55/status/1087685529016193025",
+ "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
+ "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml"
 ],
 "tags": [
@@ -47856,9 +47854,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml"
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -47881,9 +47879,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml"
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -47906,11 +47904,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://github.com/antonioCoco/RogueWinRM",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml",
+ "https://github.com/antonioCoco/RogueWinRM"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -47958,11 +47956,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/vysecurity/status/885545634958385153",
- "https://twitter.com/Hexacorn/status/885553465417756673",
- "https://twitter.com/Hexacorn/status/885570278637678592",
 "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
 "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml"
+ "https://twitter.com/Hexacorn/status/885553465417756673",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml",
+ "https://twitter.com/Hexacorn/status/885570278637678592"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -47985,8 +47983,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Kostastsale/status/1565257924204986369",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml",
+ "https://twitter.com/Kostastsale/status/1565257924204986369"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -48061,10 +48059,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml",
 "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml"
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection"
 ],
 "tags": [
 "attack.impact",
@@ -48087,9 +48085,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml",
 "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml"
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp"
 ],
 "tags": [
 "attack.discovery",
@@ -48112,9 +48110,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml",
 "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
- "https://twitter.com/cglyer/status/1183756892952248325",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml"
+ "https://twitter.com/cglyer/status/1183756892952248325"
 ],
 "tags": [
 "attack.t1036",
@@ -48137,8 +48135,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation"
 ],
 "tags": "No established tags"
 },
@@ -48158,8 +48156,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1184067445612535811",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml",
+ "https://twitter.com/SBousseaden/status/1184067445612535811"
 ],
 "tags": [
 "attack.collection",
@@ -48231,10 +48229,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
- "https://twitter.com/neonprimetime/status/1435584010202255375",
 "https://www.joesandbox.com/analysis/476188/1/iochtml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml"
+ "https://twitter.com/neonprimetime/status/1435584010202255375"
 ],
 "tags": [
 "attack.execution",
@@ -48257,8 +48255,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/rikvduijn/status/853251879320662017",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml",
+ "https://twitter.com/rikvduijn/status/853251879320662017"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -48281,11 +48279,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1211636381086339073",
 "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
+ "https://twitter.com/SBousseaden/status/1211636381086339073",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml",
+ "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -48314,9 +48312,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml",
 "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml"
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -48363,8 +48361,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/byt3bl33d3r/CrackMapExec",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml",
+ "https://github.com/byt3bl33d3r/CrackMapExec"
 ],
 "tags": [
 "attack.execution",
@@ -48392,10 +48390,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml"
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage"
 ],
 "tags": "No established tags"
 },
@@ -48415,9 +48413,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/byt3bl33d3r/CrackMapExec",
 "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml",
+ "https://github.com/byt3bl33d3r/CrackMapExec"
 ],
 "tags": [
 "attack.execution",
@@ -48442,8 +48440,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1094924091256176641",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc.yml",
+ "https://twitter.com/SBousseaden/status/1094924091256176641"
 ],
 "tags": [
 "attack.execution",
@@ -48470,8 +48468,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md"
 ],
 "tags": [
 "attack.execution",
@@ -48495,11 +48493,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
 "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
- "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
+ "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml",
 "https://twitter.com/gN3mes1s/status/1206874118282448897",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml"
+ "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -48522,9 +48520,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csexec.yml",
 "https://github.com/malcomvetter/CSExec",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csexec.yml"
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
 ],
 "tags": [
 "attack.resource_development",
@@ -48550,10 +48548,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
 "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/"
 ],
 "tags": [
 "attack.execution",
@@ -48578,11 +48576,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/max_mal_/status/1542461200797163522",
- "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
- "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml",
 "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml"
+ "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
+ "https://twitter.com/max_mal_/status/1542461200797163522",
+ "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464"
 ],
 "tags": [
 "attack.command_and_control",
@@ -48605,11 +48603,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
 "https://curl.se/docs/manpage.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
+ "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76"
 ],
 "tags": [
 "attack.exfiltration",
@@ -48633,8 +48631,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml",
+ "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983"
 ],
 "tags": [
 "attack.execution",
@@ -48660,8 +48658,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://curl.se/docs/manpage.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
+ "https://curl.se/docs/manpage.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml"
 ],
 "tags": [
@@ -48711,8 +48709,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_del.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_del.yml",
+ "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -48735,9 +48733,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml",
 "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
- "https://twitter.com/SBousseaden/status/1278977301745741825",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml"
+ "https://twitter.com/SBousseaden/status/1278977301745741825"
 ],
 "tags": [
 "attack.command_and_control",
@@ -48785,9 +48783,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml",
 "https://twitter.com/_felamos/status/1179811992841797632",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml"
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -48861,9 +48859,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1359039665232306183?s=21",
 "https://ss64.com/nt/logman.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml",
+ "https://twitter.com/0gtweet/status/1359039665232306183?s=21"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -48936,8 +48934,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration"
 ],
 "tags": [
 "attack.execution",
@@ -48985,9 +48983,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/child-processes/",
 "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml",
+ "https://redcanary.com/blog/child-processes/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -49011,8 +49009,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
- "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml",
+ "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -49036,8 +49034,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
 "https://twitter.com/blackorbird/status/1140519090961825792",
+ "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml"
 ],
 "tags": [
@@ -49062,8 +49060,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
- "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml",
+ "https://twitter.com/mrd0x/status/1475085452784844803?s=12"
 ],
 "tags": "No established tags"
 },
@@ -49083,8 +49081,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
+ "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml"
 ],
 "tags": "No established tags"
@@ -49105,9 +49103,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://taggart-tech.com/quasar-electron/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml",
 "https://github.com/mttaggart/quasar",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml"
+ "https://taggart-tech.com/quasar-electron/"
 ],
 "tags": [
 "attack.execution"
@@ -49154,9 +49152,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816",
- "https://attack.mitre.org/software/S0404/",
 "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://attack.mitre.org/software/S0404/",
+ "https://twitter.com/vxunderground/status/1423336151860002816",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml"
 ],
 "tags": [
@@ -49182,8 +49180,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
 ],
 "tags": [
@@ -49209,9 +49207,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
 "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
 "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
 ],
 "tags": [
@@ -49283,9 +49281,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/nas_bench/status/1535322450858233858",
 "https://twitter.com/CyberRaiju/status/1273597319322058752",
 "https://twitter.com/bohops/status/1276357235954909188?s=12",
- "https://twitter.com/nas_bench/status/1535322450858233858",
 "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml"
 ],
@@ -49335,8 +49333,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/muddywater/88059/",
 "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection",
+ "https://securelist.com/muddywater/88059/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml"
 ],
 "tags": [
@@ -49435,8 +49433,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
- "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
 "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
+ "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml"
 ],
 "tags": [
@@ -49485,10 +49483,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml",
 "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml"
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -49512,10 +49510,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
- "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml"
+ "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult"
 ],
 "tags": [
 "attack.discovery",
@@ -49587,8 +49585,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1535322182863179776",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml",
+ "https://twitter.com/nas_bench/status/1535322182863179776"
 ],
 "tags": [
 "attack.command_and_control",
@@ -49611,8 +49609,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1535322445439180803",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml",
+ "https://twitter.com/nas_bench/status/1535322445439180803"
 ],
 "tags": [
 "attack.execution"
@@ -49634,9 +49632,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows"
 ],
 "tags": [
 "attack.discovery",
@@ -49703,8 +49701,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
 "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
+ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml"
 ],
 "tags": [
@@ -49751,9 +49749,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
 "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
 ],
 "tags": [
 "attack.persistence",
@@ -49776,8 +49774,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml"
 ],
 "tags": [
@@ -49801,9 +49799,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt",
 "https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml",
+ "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt"
 ],
 "tags": [
 "attack.execution",
@@ -49827,8 +49825,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
- "https://twitter.com/Hexacorn/status/1420053502554951689",
 "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
+ "https://twitter.com/Hexacorn/status/1420053502554951689",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
 ],
 "tags": [
@@ -49877,8 +49875,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18"
 ],
 "tags": [
 "attack.t1566",
@@ -49902,9 +49900,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1562072617552678912",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml",
 "https://ss64.com/nt/cmd.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml"
+ "https://twitter.com/cyb3rops/status/1562072617552678912"
 ],
 "tags": [
 "attack.execution",
@@ -49927,9 +49925,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
- "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
 "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
+ "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml"
 ],
 "tags": [
@@ -49977,9 +49975,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml",
 "https://twitter.com/mrd0x/status/1465058133303246867",
- "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml"
+ "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps"
 ],
 "tags": [
 "attack.execution",
@@ -50003,12 +50001,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://blog.sevagas.com/?Hacking-around-HTA-files",
- "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
- "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
 "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
 "https://twitter.com/mattifestation/status/1326228491302563846",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml"
+ "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml",
+ "http://blog.sevagas.com/?Hacking-around-HTA-files",
+ "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -50035,10 +50033,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://en.wikipedia.org/wiki/HTML_Application",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml",
 "https://www.echotrail.io/insights/search/mshta.exe",
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml"
+ "https://en.wikipedia.org/wiki/HTML_Application",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/"
 ],
 "tags": [
 "attack.execution",
@@ -50061,8 +50059,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/n1nj4sec/status/1421190238081277959",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml",
+ "https://twitter.com/n1nj4sec/status/1421190238081277959"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -50084,8 +50082,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/200_okay_/status/1194765831911215104",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml",
+ "https://twitter.com/200_okay_/status/1194765831911215104"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -50108,8 +50106,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -50134,10 +50132,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
- "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml",
 "Reegun J (OCBC Bank)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml"
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
+ "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191"
 ],
 "tags": [
 "attack.command_and_control",
@@ -50160,8 +50158,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_discovery_command.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_discovery_command.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules"
 ],
 "tags": [
 "attack.discovery",
@@ -50184,9 +50182,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
 "https://attack.mitre.org/software/S0108/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -50210,10 +50208,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
 "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml",
+ "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -50237,8 +50235,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml",
+ "https://redcanary.com/blog/misbehaving-rats/"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -50260,8 +50258,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows"
 ],
 "tags": [
 "attack.discovery",
@@ -50284,8 +50282,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery"
 ],
 "tags": [
 "attack.discovery",
@@ -50308,12 +50306,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
 "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
- "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
- "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
+ "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml"
+ "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html"
 ],
 "tags": [
 "attack.discovery",
@@ -50348,8 +50346,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/ShadowChasing1/status/1552595370961944576",
- "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml",
+ "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior"
 ],
 "tags": [
 "attack.execution",
@@ -50372,8 +50370,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml",
+ "Internal Research"
 ],
 "tags": "No established tags"
 },
@@ -50393,8 +50391,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/"
 ],
 "tags": [
 "attack.persistence",
@@ -50418,9 +50416,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml"
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html"
 ],
 "tags": [
 "attack.persistence",
@@ -50445,12 +50443,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ngrok.com/docs",
 "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
 "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
- "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
 "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/.",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml",
+ "https://ngrok.com/docs",
+ "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection"
 ],
 "tags": [
 "attack.command_and_control",
@@ -50473,9 +50471,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nmap.org/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nmap.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nmap.yml"
+ "https://nmap.org/"
 ],
 "tags": [
 "attack.discovery",
@@ -50498,8 +50496,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlaboratories.com/2021/12/08/process-ghosting/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml",
+ "https://pentestlaboratories.com/2021/12/08/process-ghosting/"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -50544,14 +50542,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
 "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://github.com/zcgonvh/NTDSDumpEx",
 "https://pentestlab.blog/tag/ntds-dit/",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
- "https://github.com/zcgonvh/NTDSDumpEx",
 "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
 "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration"
 ],
 "tags": [
 "attack.credential_access",
@@ -50575,9 +50573,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)"
 ],
 "tags": [
 "attack.credential_access",
@@ -50600,9 +50598,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/med0x2e/status/1520402518685200384",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml",
 "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml"
+ "https://twitter.com/med0x2e/status/1520402518685200384"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -50626,8 +50624,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml",
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -50650,11 +50648,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
- "https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://redcanary.com/blog/raspberry-robin/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml",
+ "https://twitter.com/Hexacorn/status/1187143326673330176"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -50701,9 +50699,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
- "https://twitter.com/harr0ey/status/991670870384021504",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml"
+ "https://twitter.com/harr0ey/status/991670870384021504"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -50726,9 +50724,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml",
 "https://github.com/sensepost/ruler",
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml"
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html"
 ],
 "tags": [
 "attack.execution",
@@ -50776,8 +50774,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
- "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml",
+ "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b"
 ],
 "tags": "No established tags"
 },
@@ -50797,8 +50795,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml",
+ "https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html"
 ],
 "tags": [
 "attack.execution",
@@ -50823,8 +50821,8 @@
 "refs": [
 "http://www.xuetr.com/",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml",
+ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/"
 ],
 "tags": "No established tags"
 },
@@ -50844,9 +50842,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
 "https://twitter.com/harr0ey/status/989617817849876488",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml",
+ "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -50895,8 +50893,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Oddvarmoe/status/993383596244258816",
 "https://twitter.com/_st0pp3r_/status/1560072680887525378",
+ "https://twitter.com/Oddvarmoe/status/993383596244258816",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml"
 ],
 "tags": [
@@ -50922,11 +50920,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml",
 "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml"
+ "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -50950,8 +50948,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
- "https://twitter.com/vysecurity/status/977198418354491392",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml",
+ "https://twitter.com/vysecurity/status/977198418354491392"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -50975,9 +50973,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/",
 "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml",
+ "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -51002,8 +51000,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml",
+ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -51050,8 +51048,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml",
+ "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd"
 ],
 "tags": "No established tags"
 },
@@ -51071,8 +51069,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml",
+ "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd"
 ],
 "tags": [
 "attack.execution",
@@ -51095,11 +51093,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
+ "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64"
 ],
 "tags": [
 "attack.execution",
@@ -51122,8 +51120,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml"
 ],
 "tags": [
@@ -51149,10 +51147,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
 "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml",
 "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets"
 ],
 "tags": [
 "attack.execution",
@@ -51223,8 +51221,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/PythonResponder/status/1385064506049630211",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml",
+ "https://twitter.com/PythonResponder/status/1385064506049630211"
 ],
 "tags": [
 "attack.credential_access",
@@ -51247,8 +51245,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml",
+ "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/"
 ],
 "tags": [
 "attack.execution",
@@ -51271,8 +51269,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2"
 ],
 "tags": "No established tags"
 },
@@ -51366,8 +51364,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/ankit_anubhav/status/1518835408502620162",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml",
+ "https://twitter.com/ankit_anubhav/status/1518835408502620162"
 ],
 "tags": "No established tags"
 },
@@ -51437,9 +51435,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Print/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml",
 "https://twitter.com/Oddvarmoe/status/985518877076541440",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml"
+ "https://lolbas-project.github.io/lolbas/Binaries/Print/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -51463,8 +51461,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml",
+ "Internal Research"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -51512,8 +51510,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md"
 ],
 "tags": "No established tags"
 },
@@ -51533,8 +51531,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexec_eula.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexec_eula.yml",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
 ],
 "tags": [
 "attack.execution",
@@ -51558,9 +51556,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml",
 "https://www.youtube.com/watch?v=ro2QuZTIMBM",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml"
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec"
 ],
 "tags": [
 "attack.execution"
@@ -51582,8 +51580,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec"
 ],
 "tags": [
 "attack.execution"
@@ -51605,9 +51603,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml",
 "https://www.youtube.com/watch?v=ro2QuZTIMBM",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml"
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec"
 ],
 "tags": [
 "attack.execution"
@@ -51629,10 +51627,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml",
 "https://www.poweradmin.com/paexec/",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml"
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec"
 ],
 "tags": [
 "attack.resource_development",
@@ -51656,10 +51654,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml",
 "https://www.poweradmin.com/paexec/",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml"
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec"
 ],
 "tags": [
 "attack.resource_development",
@@ -51683,10 +51681,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
- "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
 "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml",
+ "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos"
 ],
 "tags": [
 "attack.discovery",
@@ -51711,8 +51709,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
 "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf",
+ "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml"
 ],
@@ -51738,8 +51736,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/JohnLaTwC/status/1082851155481288706",
- "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml",
+ "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03"
 ],
 "tags": [
 "attack.execution",
@@ -51789,8 +51787,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml",
+ "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -51839,8 +51837,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
 "https://ss64.com/bash/rar.html",
+ "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml"
 ],
@@ -51915,12 +51913,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml",
 "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
- "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
 "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml"
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
+ "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone"
 ],
 "tags": [
 "attack.exfiltration",
@@ -51943,8 +51941,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md"
 ],
 "tags": [
 "attack.collection",
@@ -51967,8 +51965,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml",
+ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/"
 ],
 "tags": [
 "attack.discovery",
@@ -51993,8 +51991,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/1kwpeter/status/1397816101455765504",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml",
+ "https://twitter.com/1kwpeter/status/1397816101455765504"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -52017,9 +52015,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/PhilipTsukerman/status/992021361106268161",
 "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml",
+ "https://twitter.com/PhilipTsukerman/status/992021361106268161"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52042,8 +52040,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
 "https://ss64.com/vb/cscript.html",
+ "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml"
 ],
 "tags": [
@@ -52067,9 +52065,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml",
 "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html",
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml"
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52118,9 +52116,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1461041276514623491c19-ps",
 "https://twitter.com/tccontre18/status/1480950986650832903",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml",
+ "https://twitter.com/mrd0x/status/1461041276514623491c19-ps"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52143,10 +52141,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml"
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52169,8 +52167,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52218,9 +52216,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/intelligence-insights-april-2022/",
 "https://www.echotrail.io/insights/search/regsvr32.exe",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml",
+ "https://redcanary.com/blog/intelligence-insights-april-2022/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52243,9 +52241,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
 "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml"
 ],
 "tags": [
@@ -52270,8 +52268,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml",
+ "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/"
 ],
 "tags": [
 "attack.impact",
@@ -52295,10 +52293,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/1415295021041979392",
 "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
 "https://vms.drweb.fr/virus/?i=24144899",
 "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+ "https://twitter.com/JohnLaTwC/status/1415295021041979392",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml"
 ],
 "tags": [
@@ -52346,13 +52344,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
 "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml"
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml",
+ "https://www.joeware.net/freetools/tools/adfind/"
 ],
 "tags": [
 "attack.discovery",
@@ -52378,9 +52376,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml",
 "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
- "https://twitter.com/bopin2020/status/1366400799199272960",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml"
+ "https://twitter.com/bopin2020/status/1366400799199272960"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52459,8 +52457,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.poweradmin.com/paexec/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml",
+ "https://www.poweradmin.com/paexec/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52484,10 +52482,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
- "https://twitter.com/vysecurity/status/974806438316072960",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml",
 "https://twitter.com/vysecurity/status/873181705024266241",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml"
+ "https://twitter.com/vysecurity/status/974806438316072960"
 ],
 "tags": [
 "attack.credential_access",
@@ -52510,12 +52508,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
- "https://twitter.com/Hexacorn/status/885258886428725250",
+ "https://twitter.com/eral4m/status/1479080793003671557",
 "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
 "https://twitter.com/nas_bench/status/1433344116071583746",
+ "https://twitter.com/Hexacorn/status/885258886428725250",
 "https://twitter.com/eral4m/status/1479106975967240209",
- "https://twitter.com/eral4m/status/1479080793003671557",
+ "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml"
 ],
 "tags": [
@@ -52540,10 +52538,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
- "https://github.com/Neo23x0/DLLRunner",
 "https://twitter.com/cyb3rops/status/1186631731543236608",
 "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
+ "https://github.com/Neo23x0/DLLRunner",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml"
 ],
 "tags": [
@@ -52567,8 +52565,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml",
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52687,11 +52685,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
- "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
- "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
 "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml"
+ "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
+ "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml",
+ "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52738,8 +52736,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml",
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52785,9 +52783,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/990717080805789697",
 "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml",
+ "https://twitter.com/pabraeken/status/990717080805789697"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -52861,8 +52859,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml",
+ "https://redcanary.com/blog/misbehaving-rats/"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -52884,9 +52882,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml"
+ "Internal Research"
 ],
 "tags": [
 "attack.execution",
@@ -52909,8 +52907,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml",
+ "Internal Research"
 ],
 "tags": [
 "attack.impact",
@@ -52933,8 +52931,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete"
 ],
 "tags": [
 "attack.impact",
@@ -52957,10 +52955,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"
 ],
 "tags": [
 "attack.impact",
@@ -52984,9 +52982,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml",
 "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml"
+ "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/"
 ],
 "tags": [
 "attack.execution",
@@ -53009,8 +53007,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical"
 ],
 "tags": [
 "attack.execution",
@@ -53082,9 +53080,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create"
 ],
 "tags": [
 "attack.execution",
@@ -53107,9 +53105,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml"
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create"
 ],
 "tags": [
 "attack.execution",
@@ -53210,8 +53208,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml",
+ "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies"
 ],
 "tags": [
 "attack.initial_access",
@@ -53234,8 +53232,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml"
 ],
 "tags": [
@@ -53283,8 +53281,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml",
+ "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f"
 ],
 "tags": [
 "attack.execution",
@@ -53332,8 +53330,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
- "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml",
+ "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings"
 ],
 "tags": [
 "attack.persistence",
@@ -53357,8 +53355,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
- "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml",
+ "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings"
 ],
 "tags": [
 "attack.persistence",
@@ -53381,8 +53379,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml",
+ "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -53405,9 +53403,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml"
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -53430,9 +53428,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml"
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html"
 ],
 "tags": [
 "attack.persistence",
@@ -53456,9 +53454,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
 "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -53481,8 +53479,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml",
+ "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/"
 ],
 "tags": [
 "attack.persistence",
@@ -53531,10 +53529,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/tevora-threat/SharpView/",
- "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
+ "https://github.com/tevora-threat/SharpView/"
 ],
 "tags": [
 "attack.discovery",
@@ -53562,8 +53560,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://redcanary.com/blog/raspberry-robin/",
- "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -53611,8 +53609,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://redcanary.com/blog/intelligence-insights-december-2021",
- "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml",
+ "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html"
 ],
 "tags": [
 "attack.initial_access",
@@ -53709,8 +53707,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml"
 ],
 "tags": [
@@ -53734,8 +53732,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sbousseaden/status/1429401053229891590?s=12",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml",
+ "https://twitter.com/sbousseaden/status/1429401053229891590?s=12"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -53939,8 +53937,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
 "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
+ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml"
 ],
 "tags": [
@@ -53964,9 +53962,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery"
 ],
 "tags": [
 "attack.discovery",
@@ -53991,9 +53989,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://tools.thehacker.recipes/mimikatz/modules",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml",
+ "Internal Research"
 ],
 "tags": "No established tags"
 },
@@ -54013,9 +54011,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=2288",
 "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml",
+ "https://adsecurity.org/?p=2288"
 ],
 "tags": [
 "attack.credential_access",
@@ -54039,9 +54037,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_takeown.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_takeown.yml"
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -54064,8 +54062,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.group-ib.com/resources/threat-research/red-curl-2.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml",
+ "https://www.group-ib.com/resources/threat-research/red-curl-2.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -54089,8 +54087,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process"
 ],
 "tags": [
 "attack.impact",
@@ -54113,8 +54111,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist"
 ],
 "tags": [
 "attack.discovery",
@@ -54183,8 +54181,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -54234,10 +54232,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml",
 "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml"
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
+ "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html"
 ],
 "tags": [
 "attack.command_and_control",
@@ -54260,9 +54258,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml",
 "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml"
+ "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -54287,10 +54285,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml",
 "https://github.com/netero1010/TrustedPath-UACBypass-BOF",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml"
+ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
+ "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -54313,8 +54311,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1139811587760562176",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml",
+ "https://twitter.com/SBousseaden/status/1139811587760562176"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -54361,9 +54359,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
 "https://twitter.com/bryon_/status/975835709587075072",
+ "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml"
 ],
 "tags": [
@@ -54389,9 +54387,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml",
 "https://twitter.com/pabraeken/status/993298228840992768",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml"
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml"
 ],
 "tags": [
 "attack.execution",
@@ -54417,9 +54415,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
- "https://twitter.com/pabraeken/status/993298228840992768",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml",
+ "https://twitter.com/pabraeken/status/993298228840992768"
 ],
 "tags": [
 "attack.t1218"
@@ -54442,8 +54440,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/pabraeken/status/990758590020452353",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
 "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
 ],
 "tags": [
@@ -54491,9 +54489,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
 "https://twitter.com/pabraeken/status/993497996179492864",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -54540,8 +54538,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1354766164166115331",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml",
+ "https://twitter.com/0gtweet/status/1354766164166115331"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -54564,8 +54562,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/bohops/status/1583916360404729857",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml",
+ "https://twitter.com/bohops/status/1583916360404729857"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -54589,8 +54587,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
- "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml",
+ "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html"
 ],
 "tags": [
 "attack.exfiltration",
@@ -54613,9 +54611,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
 "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml",
+ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/"
 ],
 "tags": [
 "attack.execution",
@@ -54638,8 +54636,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml",
+ "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/"
 ],
 "tags": "No established tags"
 },
@@ -54660,8 +54658,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
- "https://www.echotrail.io/insights/search/wermgr.exe",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml",
+ "https://www.echotrail.io/insights/search/wermgr.exe"
 ],
 "tags": "No established tags"
 },
@@ -54707,9 +54705,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami.yml",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami.yml"
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/"
 ],
 "tags": [
 "attack.discovery",
@@ -54735,9 +54733,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
- "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml"
 ],
 "tags": [
@@ -54787,8 +54785,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/"
 ],
 "tags": [
 "attack.collection",
@@ -54811,8 +54809,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1460978167628406785",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml",
+ "https://twitter.com/cyb3rops/status/1460978167628406785"
 ],
 "tags": [
 "attack.collection",
@@ -54859,8 +54857,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/bohops/status/994405551751815170",
 "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
+ "https://twitter.com/bohops/status/994405551751815170",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml"
 ],
 "tags": [
@@ -54908,9 +54906,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/johnlatwc/status/1408062131321270282?s=12",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml"
+ "https://twitter.com/johnlatwc/status/1408062131321270282?s=12"
 ],
 "tags": [
 "attack.persistence",
@@ -54935,8 +54933,8 @@
 "refs": [
 "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/",
 "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
- "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml",
+ "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/"
 ],
 "tags": [
 "attack.execution",
@@ -54960,8 +54958,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/10/08/ryuks-return/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml"
 ],
 "tags": [
@@ -54985,11 +54983,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cglyer/status/1355171195654709249",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml"
+ "https://twitter.com/cglyer/status/1355171195654709249"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -55012,8 +55010,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/elliotkillick/status/1449812843772227588",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml",
+ "https://twitter.com/elliotkillick/status/1449812843772227588"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -55062,8 +55060,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/blackbyte-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml",
+ "https://redcanary.com/blog/blackbyte-ransomware/"
 ],
 "tags": "No established tags"
 },
@@ -55083,8 +55081,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1451237393017839616",
 "https://github.com/Tylous/ZipExec",
+ "https://twitter.com/SBousseaden/status/1451237393017839616",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml"
 ],
 "tags": [
@@ -55110,8 +55108,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md"
 ],
 "tags": [
 "attack.collection",
@@ -55134,8 +55132,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -55259,9 +55257,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
- "https://twitter.com/filip_dragovic/status/1590052248260055041",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml",
 "https://twitter.com/filip_dragovic/status/1590104354727436290",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml"
+ "https://twitter.com/filip_dragovic/status/1590052248260055041"
 ],
 "tags": "No established tags"
 },
@@ -55281,9 +55279,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml",
 "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
- "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml"
+ "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -55331,8 +55329,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/GelosSnake/status/934900723426439170",
 "https://asec.ahnlab.com/en/39828/",
+ "https://twitter.com/GelosSnake/status/934900723426439170",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml"
 ],
 "tags": [
@@ -55403,10 +55401,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml",
 "https://www.exploit-db.com/exploits/37525",
- "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
+ "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -55456,9 +55454,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/"
 ],
 "tags": [
 "attack.credential_access",
@@ -55508,13 +55506,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/techniques/T1557/001/",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://pentestlab.blog/2017/04/13/hot-potato/",
- "https://github.com/ohpe/juicy-potato",
 "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml",
+ "https://attack.mitre.org/techniques/T1557/001/",
 "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml"
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://github.com/ohpe/juicy-potato",
+ "https://pentestlab.blog/2017/04/13/hot-potato/"
 ],
 "tags": [
 "attack.execution",
@@ -55537,8 +55535,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml",
+ "https://github.com/hfiref0x/UACME"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -55562,9 +55560,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.nirsoft.net/utils/nircmd.html",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://www.nirsoft.net/utils/nircmd2.html#using",
+ "https://www.nirsoft.net/utils/nircmd.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml"
 ],
 "tags": [
@@ -55589,9 +55587,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.nirsoft.net/utils/nircmd.html",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://www.nirsoft.net/utils/nircmd2.html#using",
+ "https://www.nirsoft.net/utils/nircmd.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml"
 ],
 "tags": [
@@ -55616,9 +55614,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nsudo.m2team.org/en-us/",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml",
+ "https://nsudo.m2team.org/en-us/"
 ],
 "tags": [
 "attack.execution",
@@ -55668,8 +55666,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.d7xtech.com/free-software/runx/",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.d7xtech.com/free-software/runx/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml"
 ],
 "tags": [
@@ -55694,8 +55692,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tor_browser.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tor_browser.yml",
+ "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -55718,9 +55716,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trufflesnout.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md",
- "https://github.com/dsnezhkov/TruffleSnout",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trufflesnout.yml"
+ "https://github.com/dsnezhkov/TruffleSnout"
 ],
 "tags": [
 "attack.discovery",
@@ -55743,12 +55741,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml",
 "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/"
 ],
 "tags": [
 "attack.discovery",
@@ -55771,10 +55769,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
- "https://github.com/hfiref0x/UACME",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml",
 "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
+ "https://github.com/hfiref0x/UACME",
+ "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -55823,10 +55821,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
- "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"
+ "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -55851,8 +55849,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml",
+ "https://github.com/hfiref0x/UACME"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -55876,8 +55874,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml",
+ "https://github.com/hfiref0x/UACME"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -55901,8 +55899,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml"
 ],
 "tags": [
@@ -55950,8 +55948,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml",
+ "https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -55975,8 +55973,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Wh04m1001/IDiagnosticProfileUAC",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml",
+ "https://github.com/Wh04m1001/IDiagnosticProfileUAC"
 ],
 "tags": [
 "attack.execution",
@@ -56001,8 +55999,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml",
+ "https://github.com/hfiref0x/UACME"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -56051,8 +56049,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml",
+ "https://github.com/hfiref0x/UACME"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -56126,8 +56124,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml",
+ "https://github.com/hfiref0x/UACME"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -56151,11 +56149,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
- "https://www.activecyber.us/activelabs/windows-uac-bypass",
 "https://twitter.com/ReaQta/status/1222548288731217921",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
+ "https://www.activecyber.us/activelabs/windows-uac-bypass"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -56179,10 +56177,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
- "https://github.com/hfiref0x/UACME",
 "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
+ "https://github.com/hfiref0x/UACME"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -56230,8 +56228,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md"
 ],
 "tags": [
 "attack.command_and_control",
@@ -56350,8 +56348,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml"
 ],
 "tags": [
@@ -56376,8 +56374,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml",
+ "https://pentestlab.blog/2017/03/30/weak-service-permissions/"
 ],
 "tags": [
 "attack.persistence",
@@ -56403,9 +56401,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml",
 "https://twitter.com/Alh4zr3d/status/1580925761996828672",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml"
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/"
 ],
 "tags": [
 "attack.persistence",
@@ -56455,8 +56453,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml"
 ],
 "tags": [
@@ -56482,10 +56480,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
- "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
 "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
+ "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml",
+ "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -56533,8 +56531,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://dzone.com/articles/remote-debugging-java-applications-with-jdwp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml",
+ "https://dzone.com/articles/remote-debugging-java-applications-with-jdwp"
 ],
 "tags": [
 "attack.t1203",
@@ -56557,9 +56555,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml",
 "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md"
 ],
 "tags": [
 "attack.discovery",
@@ -56582,10 +56580,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -56608,10 +56606,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -56635,9 +56633,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml"
 ],
 "tags": [
@@ -56712,9 +56710,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml",
 "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml"
+ "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html"
 ],
 "tags": [
 "attack.persistence",
@@ -56740,8 +56738,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://youtu.be/7aemGhaE9ds?t=641",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml",
+ "https://youtu.be/7aemGhaE9ds?t=641"
 ],
 "tags": [
 "attack.persistence",
@@ -56791,8 +56789,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml",
+ "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF"
 ],
 "tags": [
 "attack.persistence",
@@ -56816,8 +56814,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html"
 ],
 "tags": [
 "attack.discovery"
@@ -56840,8 +56838,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://nsudo.m2team.org/en-us/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml",
+ "https://nsudo.m2team.org/en-us/"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -56940,8 +56938,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/windowsterminalprofile.html",
 "https://twitter.com/nas_bench/status/1550836225652686848",
+ "https://persistence-info.github.io/Data/windowsterminalprofile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"
 ],
 "tags": [
@@ -57016,8 +57014,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"
 ],
 "tags": [
 "attack.discovery",
@@ -57065,9 +57063,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat"
 ],
 "tags": [
 "attack.execution",
@@ -57091,8 +57089,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic"
 ],
 "tags": [
 "attack.execution",
@@ -57115,9 +57113,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml",
 "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml"
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic"
 ],
 "tags": [
 "attack.execution",
@@ -57141,8 +57139,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic"
 ],
 "tags": [
 "attack.execution",
@@ -57213,8 +57211,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
 "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
 "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml"
 ],
@@ -57263,9 +57261,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cglyer/status/1182389676876980224",
 "https://twitter.com/cglyer/status/1182391019633029120",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml",
+ "https://twitter.com/cglyer/status/1182389676876980224"
 ],
 "tags": [
 "attack.persistence",
@@ -57340,8 +57338,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml"
 ],
 "tags": [
@@ -57440,8 +57438,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html"
 ],
 "tags": [
 "attack.execution"
@@ -57463,9 +57461,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml",
 "https://www.echotrail.io/insights/search/wusa.exe/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml"
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html"
 ],
 "tags": [
 "attack.execution"
@@ -57487,8 +57485,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/audibleblink/xordump",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xordump.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xordump.yml",
+ "https://github.com/audibleblink/xordump"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -57514,8 +57512,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -57563,8 +57561,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://persistence-info.github.io/Data/amsi.html",
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml",
+ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c"
 ],
 "tags": [
 "attack.persistence"
@@ -57587,8 +57585,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://attack.mitre.org/techniques/T1037/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md"
 ],
 "tags": [
 "attack.t1037.001",
@@ -57612,12 +57610,12 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
- "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
 "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml",
+ "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
+ "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -57640,9 +57638,9 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml", "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml" + "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/" ], "tags": [ "attack.execution", @@ -57665,8 +57663,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" ], "tags": [ "attack.persistence", @@ -57689,8 +57687,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml", + "Internal Research" ], "tags": [ "attack.resource_development", 
@@ -57738,8 +57736,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://twitter.com/Moti_B/status/1008587936735035392", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml", + "https://twitter.com/Moti_B/status/1008587936735035392" ], "tags": [ "attack.resource_development", @@ -57762,9 +57760,9 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml", "https://github.com/OTRF/detection-hackathon-apt29/issues/9", - "https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml" + "https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html" ], "tags": [ "attack.defense_evasion", @@ -57787,9 +57785,9 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml", "https://persistence-info.github.io/Data/diskcleanuphandler.html", - "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml" + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/" ], "tags": [ "attack.persistence" 
@@ -57811,8 +57809,8 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml", + "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/" ], "tags": [ "attack.defense_evasion", @@ -57861,8 +57859,8 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://seclists.org/fulldisclosure/2020/Mar/45", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" ], "tags": [ 
@@ -57886,12 +57884,12 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", "https://github.com/OTRF/detection-hackathon-apt29/issues/7", "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", - "https://docs.microsoft.com/en-us/windows/win32/shell/launch", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml", "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", - "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" + "https://docs.microsoft.com/en-us/windows/win32/shell/launch" ], "tags": [ "attack.defense_evasion", @@ -57962,8 +57960,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1387530414185664538", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml", + "https://twitter.com/SBousseaden/status/1387530414185664538" ], "tags": [ "attack.persistence", 
@@ -57986,8 +57984,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml", + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/" ], "tags": [ "attack.persistence", @@ -58039,9 +58037,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml", "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", - "https://github.com/eset/malware-ioc/tree/master/oceanlotus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" + "https://github.com/eset/malware-ioc/tree/master/oceanlotus" ], "tags": [ "attack.defense_evasion", @@ -58090,8 +58088,8 @@ "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset" ], "tags": [ "attack.defense_evasion", 
@@ -58142,8 +58140,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1182516740955226112", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml", + "https://twitter.com/0gtweet/status/1182516740955226112" ], "tags": [ "attack.defense_evasion", @@ -58240,8 +58238,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml", + "https://twitter.com/Cyb3rWard0g/status/1381642789369286662" ], "tags": [ "attack.resource_development", @@ -58264,8 +58262,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_azorult.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_azorult.yml", + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a" ], "tags": [ "attack.execution", 
@@ -58312,10 +58310,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", - "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" + "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml", + "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf" ], "tags": [ "attack.execution", @@ -58340,9 +58338,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md" ], "tags": [ "attack.persistence", 
@@ -58390,8 +58388,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml", + "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks" ], "tags": [ "attack.defense_evasion", @@ -58415,8 +58413,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", + "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" ], "tags": [ @@ -58440,8 +58438,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml", + "https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html" ], "tags": [ "attack.persistence", 
@@ -58464,8 +58462,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/techniques/T1137/002/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml", + "https://attack.mitre.org/techniques/T1137/002/" ], "tags": [ "attack.persistence", @@ -58513,9 +58511,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", - "https://adepts.of0x.cc/netsh-portproxy-code/", "https://www.dfirnotes.net/portproxy_detection/", + "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ @@ -58565,8 +58563,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" ], "tags": [ "attack.persistence", 
@@ -58589,9 +58587,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml", + "https://twitter.com/pabraeken/status/990717080805789697" ], "tags": [ "attack.defense_evasion", @@ -58614,10 +58612,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", + "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", - "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ @@ -58644,8 +58642,8 @@ "logsource.product": "windows", "refs": [ "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", - "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml", + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" ], "tags": [ "attack.credential_access", 
@@ -58692,9 +58690,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml", + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/" ], "tags": [ "attack.privilege_escalation", @@ -58720,9 +58718,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml", "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/" ], "tags": [ "attack.defense_evasion", @@ -58771,9 +58769,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://twitter.com/SBousseaden/status/1183745981189427200", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml", + "https://blog.xpnsec.com/exploring-mimikatz-part-1/" ], "tags": [ "attack.execution", 
@@ -58797,8 +58795,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml", + "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072" ], "tags": [ "attack.collection", @@ -58822,9 +58820,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml", "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", - "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml" + "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html" ], "tags": [ "attack.initial_access", @@ -58873,8 +58871,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md" ], "tags": [ "attack.defense_evasion", 
@@ -58897,9 +58895,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network" ], "tags": [ "attack.defense_evasion", @@ -58970,8 +58968,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md" ], "tags": [ "attack.defense_evasion", 
@@ -58995,10 +58993,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" ], "tags": [ "attack.persistence", @@ -59022,11 +59020,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://persistence-info.github.io/Data/userinitmprlogonscript.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" ], "tags": [ "attack.persistence", 
@@ -59050,10 +59048,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" ], "tags": [ "attack.persistence", @@ -59077,11 +59075,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" ], "tags": [ "attack.persistence", 
@@ -59105,10 +59103,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" ], "tags": [ "attack.persistence", @@ -59132,9 +59130,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ 
@@ -59159,10 +59157,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" ], "tags": [ "attack.persistence", @@ -59186,10 +59184,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml", "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" ], "tags": [ "attack.persistence", 
@@ -59214,9 +59212,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -59241,9 +59239,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ 
@@ -59268,10 +59266,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], "tags": [ @@ -59296,9 +59294,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ 
@@ -59323,9 +59321,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
 ],
 "tags": [
@@ -59349,9 +59347,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml",
 "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -59374,10 +59372,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml",
 "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
- "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
+ "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -59401,9 +59399,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"
 ],
 "tags": [
 "attack.persistence",
@@ -59452,8 +59450,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller"
 ],
 "tags": [
 "attack.persistence",
@@ -59476,9 +59474,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone"
 ],
 "tags": [
 "attack.persistence",
@@ -59526,10 +59524,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
- "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml",
+ "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
+ "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -59552,9 +59550,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chm_persistence.yml",
 "https://persistence-info.github.io/Data/htmlhelpauthor.html",
- "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chm_persistence.yml"
+ "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/"
 ],
 "tags": [
 "attack.persistence"
@@ -59600,8 +59598,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml",
+ "https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395"
 ],
 "tags": [
 "attack.execution",
@@ -59629,8 +59627,8 @@
 "logsource.product": "windows",
 "refs": [
 "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
- "https://www.exploit-db.com/exploits/47696",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml",
+ "https://www.exploit-db.com/exploits/47696"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -59678,8 +59676,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -59702,8 +59700,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -59750,8 +59748,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://windows-internals.com/printdemon-cve-2020-1048/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml",
+ "https://windows-internals.com/printdemon-cve-2020-1048/"
 ],
 "tags": [
 "attack.persistence",
@@ -59804,9 +59802,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
- "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml"
+ "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -59829,9 +59827,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml",
 "https://github.com/last-byte/PersistenceSniper",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
+ "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/"
 ],
 "tags": [
 "attack.persistence",
@@ -59854,8 +59852,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_nullbind/status/1204923340810543109",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml",
+ "https://twitter.com/_nullbind/status/1204923340810543109"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -59878,10 +59876,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -59953,8 +59951,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml",
+ "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60001,8 +59999,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60026,8 +60024,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -60049,8 +60047,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60074,8 +60072,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60098,10 +60096,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml",
 "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
- "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
+ "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
+ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -60123,10 +60121,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60149,8 +60147,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60173,8 +60171,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60271,8 +60269,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60295,9 +60293,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml",
 "https://twitter.com/WhichbufferArda/status/1543900539280293889",
- "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
+ "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60320,8 +60318,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60344,9 +60342,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml",
 "https://persistence-info.github.io/Data/diskcleanuphandler.html",
- "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
+ "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/"
 ],
 "tags": [
 "attack.persistence"
@@ -60368,11 +60366,11 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
- "https://github.com/elastic/detection-rules/issues/1371",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml",
 "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
+ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
 "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
+ "https://github.com/elastic/detection-rules/issues/1371"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60419,10 +60417,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/jamieantisocial/status/1304520651248668673",
- "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml",
 "https://www.sans.org/cyber-security-summit/archives",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
+ "https://twitter.com/jamieantisocial/status/1304520651248668673",
+ "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors"
 ],
 "tags": [
 "attack.persistence",
@@ -60471,16 +60469,16 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_etw_disabled.yml"
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_etw_disabled.yml",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60503,8 +60501,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml",
+ "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60527,9 +60525,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml",
 "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml"
+ "https://twitter.com/dottor_morte/status/1544652325570191361"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60552,9 +60550,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
 "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml",
+ "https://twitter.com/dottor_morte/status/1544652325570191361"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60627,9 +60625,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml",
 "https://persistence-info.github.io/Data/wer_debugger.html",
- "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
+ "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/"
 ],
 "tags": [
 "attack.persistence"
@@ -60651,9 +60649,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml",
 "https://persistence-info.github.io/Data/hhctrl.html",
- "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
+ "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/"
 ],
 "tags": [
 "attack.persistence"
@@ -60676,8 +60674,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
- "https://unit42.paloaltonetworks.com/ransomware-families/",
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
+ "https://unit42.paloaltonetworks.com/ransomware-families/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
 ],
 "tags": [
@@ -60749,8 +60747,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -60798,10 +60796,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://persistence-info.github.io/Data/ifilters.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml",
 "https://twitter.com/0gtweet/status/1468548924600459267",
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
 "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml"
+ "https://github.com/gtworek/PSBits/tree/master/IFilter"
 ],
 "tags": [
 "attack.persistence"
@@ -60823,9 +60821,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
 "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store"
 ],
 "tags": [
 "attack.impact",
@@ -60848,8 +60846,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml",
+ "https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/"
 ],
 "tags": [
 "attack.command_and_control",
@@ -60873,8 +60871,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://persistence-info.github.io/Data/lsaaextension.html",
- "https://twitter.com/0gtweet/status/1476286368385019906",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml",
+ "https://twitter.com/0gtweet/status/1476286368385019906"
 ],
 "tags": [
 "attack.persistence"
@@ -60945,9 +60943,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/mpnotify.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml",
 "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml"
+ "https://persistence-info.github.io/Data/mpnotify.html"
 ],
 "tags": [
 "attack.persistence"
@@ -60971,9 +60969,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/1",
- "https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml"
+ "https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html"
 ],
 "tags": [
 "attack.execution",
@@ -60996,9 +60994,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml",
 "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml"
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy"
 ],
 "tags": [
 "attack.credential_access",
@@ -61021,8 +61019,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/ADV170021",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml",
+ "https://msrc.microsoft.com/update-guide/vulnerability/ADV170021"
 ],
 "tags": [
 "attack.execution",
@@ -61045,10 +61043,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
+ "https://twitter.com/inversecos/status/1494174785621819397",
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -61072,8 +61070,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/_vivami/status/1347925307643355138",
- "https://vanmieghem.io/stealth-outlook-persistence/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml",
+ "https://vanmieghem.io/stealth-outlook-persistence/"
 ],
 "tags": [
 "attack.t1137.006",
@@ -61147,8 +61145,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml"
 ],
 "tags": [
@@ -61173,8 +61171,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
- "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml",
+ "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings"
 ],
 "tags": [
 "attack.persistence",
@@ -61197,9 +61195,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml",
 "https://github.com/rootm0s/WinPwnage",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml"
+ "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/"
 ],
 "tags": [
 "attack.persistence",
@@ -61222,9 +61220,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml",
 "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
- "https://persistence-info.github.io/Data/autodialdll.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml"
+ "https://persistence-info.github.io/Data/autodialdll.html"
 ],
 "tags": [
 "attack.persistence"
@@ -61246,8 +61244,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml",
+ "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)"
 ],
 "tags": [
 "attack.persistence",
@@ -61270,8 +61268,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml",
+ "https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/"
 ],
 "tags": [
 "attack.persistence"
@@ -61293,9 +61291,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml",
 "https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/",
- "https://attack.mitre.org/techniques/T1546/015/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml"
+ "https://attack.mitre.org/techniques/T1546/015/"
 ],
 "tags": [
 "attack.persistence",
@@ -61318,9 +61316,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/dez_/status/1560101453150257154",
 "https://forensafe.com/blogs/typedpaths.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml",
+ "https://twitter.com/dez_/status/1560101453150257154"
 ],
 "tags": [
 "attack.persistence"
@@ -61343,8 +61341,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml",
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -61367,8 +61365,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml",
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -61390,8 +61388,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse"
 ],
 "tags": [
 "attack.execution",
@@ -61414,9 +61412,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml",
 "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml"
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html"
 ],
 "tags": [
 "attack.persistence",
@@ -61439,8 +61437,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -61463,8 +61461,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml",
+ "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -61487,8 +61485,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml",
+ "Internal Research"
 ],
 "tags": [
 "attack.resource_development",
@@ -61535,10 +61533,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/VakninHai/status/1517027824984547329",
 "https://twitter.com/pabraeken/status/998627081360695297",
 "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml",
+ "https://twitter.com/VakninHai/status/1517027824984547329"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -61612,9 +61610,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml"
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html"
 ],
 "tags": [
 "attack.persistence",
@@ -61638,8 +61636,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
- "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml",
+ "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/"
 ],
 "tags": [
 "attack.persistence",
@@ -61662,10 +61660,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/codesigning.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml",
 "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
+ "https://persistence-info.github.io/Data/codesigning.html"
 ],
 "tags": [
 "attack.persistence",
@@ -61737,8 +61735,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -61786,8 +61784,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
 "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
+ "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml"
 ],
 "tags": [
@@ -61811,8 +61809,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1410545674773467140",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml",
+ "https://twitter.com/SBousseaden/status/1410545674773467140"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -61836,8 +61834,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml",
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/"
 ],
 "tags": [
 "attack.persistence",
@@ -61860,8 +61858,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml",
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 ],
 "tags": [
 "attack.persistence",
@@ -61934,8 +61932,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://labs.f-secure.com/blog/scheduled-task-tampering/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml",
+ "https://labs.f-secure.com/blog/scheduled-task-tampering/"
 ],
 "tags": [
 "attack.persistence",
@@ -61983,14 +61981,14 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml",
 "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -62014,14 +62012,14 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -62070,9 +62068,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml",
 "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md"
 ],
 "tags": [
 "attack.persistence",
@@ -62095,9 +62093,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml",
 "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
- "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml"
+ "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -62122,9 +62120,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml",
 "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
+ "https://github.com/hfiref0x/UACME"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -62174,8 +62172,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml",
+ "https://github.com/hfiref0x/UACME"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -62199,8 +62197,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml",
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
 ],
 "tags": [
 "attack.persistence",
@@ -62223,10 +62221,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
- "https://twitter.com/Hexacorn/status/991447379864932352",
 "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
+ "https://twitter.com/Hexacorn/status/991447379864932352"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -62274,11 +62272,11 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -62349,8 +62347,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://persistence-info.github.io/Data/naturallanguage6.html",
- "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml",
+ "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/"
 ],
 "tags": [
 "attack.persistence"
@@ -62444,9 +62442,9 @@
 "logsource.category": "sysmon_status",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -62494,8 +62492,8 @@
 "logsource.category": "file_block",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_exe.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_exe.yml",
+ "https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e"
 ],
 "tags": [
 "attack.defense_evasion"
@@ -62517,9 +62515,9 @@
 "logsource.category": "process_tampering",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml",
 "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml"
+ "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -62592,10 +62590,10 @@
 "logsource.category": "wmi_event",
 "logsource.product": "windows",
 "refs": [
- "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
- "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
 "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml",
+ "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
+ "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19"
 ],
 "tags": [
 "attack.execution",