diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index 7e1bdb11..ed7c7959 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -76,8 +76,8 @@
 "logsource.category": "firewall",
 "logsource.product": "No established product",
 "refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
 ],
@@ -99,8 +99,8 @@
 "logsource.category": "firewall",
 "logsource.product": "No established product",
 "refs": [
- "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
 "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195",
+ "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml"
 ],
 "tags": [
@@ -134,10 +134,10 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
- "https://core.telegram.org/bots/faq",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://core.telegram.org/bots/faq",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
 ],
 "tags": [
@@ -212,8 +212,8 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -246,8 +246,8 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/stvemillertime/status/1024707932447854592",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
+ "https://twitter.com/stvemillertime/status/1024707932447854592",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
 ],
 "tags": [
@@ -1209,9 +1209,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
 "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
 "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
+ "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
 "https://threatpost.com/microsoft-petitpotam-poc/168163/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
 ],
@@ -1649,9 +1649,9 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://twitter.com/_dirkjan/status/1309214379003588608",
- "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
 "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
+ "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -1726,12 +1726,12 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
- "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
+ "https://github.com/corelight/CVE-2021-1675",
 "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
+ "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
- "https://github.com/corelight/CVE-2021-1675",
+ "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
 ],
 "tags": [
@@ -1863,10 +1863,10 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://twitter.com/neu5ron/status/1346245602502443009",
- "https://tools.ietf.org/html/rfc2929#section-2.1",
- "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
 "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
+ "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
+ "https://tools.ietf.org/html/rfc2929#section-2.1",
+ "https://twitter.com/neu5ron/status/1346245602502443009",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
 ],
 "tags": [
@@ -2007,8 +2007,8 @@
 "logsource.category": "application",
 "logsource.product": "spring",
 "refs": [
- "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection",
 "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml"
 ],
 "tags": [
@@ -2277,10 +2277,10 @@
 "logsource.category": "application",
 "logsource.product": "ruby_on_rails",
 "refs": [
- "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
- "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
 "http://edgeguides.rubyonrails.org/security.html",
 "http://guides.rubyonrails.org/action_controller_overview.html",
+ "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
+ "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
 ],
 "tags": [
@@ -2314,9 +2314,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://github.com/zeronetworks/rpcfirewall",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
 ],
 "tags": [
@@ -2350,9 +2350,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
 ],
 "tags": [
@@ -2375,10 +2375,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
 ],
 "tags": [
@@ -2401,10 +2401,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
 ],
 "tags": [
@@ -2437,10 +2437,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
 ],
 "tags": [
@@ -2481,8 +2481,8 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
@@ -2541,10 +2541,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
 ],
 "tags": [
@@ -2585,8 +2585,8 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
 ],
@@ -2628,10 +2628,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
 ],
 "tags": [
@@ -2673,10 +2673,10 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
 ],
@@ -2700,10 +2700,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
 ],
 "tags": [
@@ -2736,9 +2736,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
 ],
 "tags": [
@@ -2761,10 +2761,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
 ],
 "tags": [
@@ -2788,9 +2788,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
 ],
 "tags": [
@@ -2823,10 +2823,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/zeronetworks/rpcfirewall",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://github.com/zeronetworks/rpcfirewall",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
 ],
 "tags": [
@@ -2849,10 +2849,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
 ],
 "tags": [
@@ -2876,8 +2876,8 @@
 "logsource.category": "application",
 "logsource.product": "velocity",
 "refs": [
- "https://antgarsil.github.io/posts/velocity/",
 "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://antgarsil.github.io/posts/velocity/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml"
 ],
 "tags": [
@@ -2943,10 +2943,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml"
 ],
@@ -2981,8 +2981,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/shantanukhande/status/1229348874298388484",
 "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/shantanukhande/status/1229348874298388484",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml"
 ],
 "tags": [
@@ -3418,10 +3418,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
+ "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
+ "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
 "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
 ],
 "tags": [
@@ -3455,10 +3455,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml"
 ],
 "tags": [
@@ -3493,10 +3493,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
 ],
@@ -3531,10 +3531,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
 ],
@@ -3561,9 +3561,7 @@
 "meta": {
 "author": "Christian Burkard (Nextron Systems), Tim Shelton",
 "creation_date": "2021/07/28",
- "falsepositive": [
- "Unknown"
- ],
+ "falsepositive": "No established falsepositives",
 "filename": "proc_access_win_direct_syscall_ntopenprocess.yml",
 "level": "high",
 "logsource.category": "process_access",
@@ -3787,9 +3785,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
 "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
 "https://github.com/codewhitesec/SysmonEnte/",
- "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml"
 ],
 "tags": [
@@ -3822,8 +3820,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/boku7/injectAmsiBypass",
 "https://github.com/boku7/spawn",
+ "https://github.com/boku7/injectAmsiBypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml"
 ],
 "tags": [
@@ -3865,9 +3863,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
- "https://twitter.com/SBousseaden/status/1541920424635912196",
 "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
+ "https://twitter.com/SBousseaden/status/1541920424635912196",
+ "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
 ],
 "tags": [
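Review bot: In the hunk at @@ -3561 the `falsepositive` key changes type, from an array (`["Unknown"]`) to a bare string (`"No established falsepositives"`), for the proc_access_win_direct_syscall_ntopenprocess.yml entry, while every other entry in this diff — including the CoercedPotato entry added at @@ -4649 — keeps it as an array, so a consumer that iterates the field will get characters instead of items for this one entry. In the lines in view the "No established …" sentinel is only used on scalar keys such as `logsource.category` and `logsource.product`, so for this list key it should be wrapped, `"falsepositive": ["No established falsepositives"],`, or the previous `["Unknown"]` kept. If the string form is produced automatically when a source rule has no falsepositives list, the fix presumably belongs in the generator rather than in this cluster output; that is inferred, since the generator is not in view.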
@@ -3900,8 +3898,8 @@
 "logsource.category": "process_tampering",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
 "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
+ "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_process_hollowing.yml"
 ],
 "tags": [
@@ -4096,10 +4094,10 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/issues/253",
- "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
 "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
 "https://twitter.com/d4rksystem/status/1357010969264873472",
+ "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://github.com/SigmaHQ/sigma/issues/253",
 "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml"
 ],
@@ -4145,7 +4143,7 @@
 "value": "HackTool - DiagTrackEoP Default Named Pipe"
 },
 {
- "description": "Detects the pattern of a pipe name as used by the hacktool EfsPotato",
+ "description": "Detects the pattern of a pipe name as used by the hack tool EfsPotato",
 "meta": {
 "author": "Florian Roth (Nextron Systems)",
 "creation_date": "2021/08/23",
@@ -4259,8 +4257,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/kavika13/RemCom",
 "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
+ "https://github.com/kavika13/RemCom",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_remcom_default_pipe.yml"
 ],
 "tags": [
@@ -4336,17 +4334,17 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
- "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
 "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
 "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
 ],
@@ -4381,8 +4379,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml"
 ],
 "tags": [
@@ -4416,8 +4414,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml"
 ],
 "tags": [
@@ -4474,8 +4472,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://github.com/malcomvetter/CSExec",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_csexec_default_pipe.yml"
 ],
 "tags": [
@@ -4560,8 +4558,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
- "https://github.com/Azure/SimuLand",
 "https://o365blog.com/post/adfs/",
+ "https://github.com/Azure/SimuLand",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
 ],
 "tags": [
@@ -4627,8 +4625,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml"
 ],
 "tags": [
@@ -4649,6 +4647,41 @@
 "uuid": "0e7163d4-9e19-4fa7-9be6-000c61aad77a",
 "value": "CobaltStrike Named Pipe Pattern Regex"
 },
+ {
+ "description": "Detects the pattern of a pipe name as used by the hack tool CoercedPotato",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2023/10/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "pipe_created_hktl_coercedpotato.yml",
+ "level": "high",
+ "logsource.category": "pipe_created",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/hackvens/CoercedPotato",
+ "https://blog.hackvens.fr/articles/CoercedPotato.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1055"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4d0083b3-580b-40da-9bba-626c19fe4033",
+ "value": "HackTool - CoercedPotato Named Pipe Creation"
+ },
 {
 "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack",
 "meta": {
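Review bot: The technique mapping on the new CoercedPotato cluster, `"attack.t1055"` together with the `dest-uuid` 43e7dc91-05b2-474c-b9ac-2ed4fe101f4d (Process Injection), looks inconsistent with the `privilege_escalation` tag and with what a "Potato"-style tool does if, as its name suggests, it escalates via named-pipe token impersonation; T1134 (Access Token Manipulation) would be the expected mapping, so this is worth confirming against the tool's own description. The tags appear to be carried over from the upstream Sigma rule pipe_created_hktl_coercedpotato.yml, so if the mapping is wrong the fix belongs upstream and will flow into this cluster on the next sync rather than being hand-edited here. A `"level": "high"` rule with `"falsepositive": ["Unknown"]` is also worth a sentence in the description on what the pipe-name pattern is expected to be unique to, since operators tuning alerts have nothing else to go on.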
@@ -4791,8 +4824,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
+ "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml"
 ],
 "tags": [
@@ -5191,9 +5224,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
 "https://twitter.com/MsftSecIntel/status/1257324139515269121",
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
 "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
 ],
@@ -5227,8 +5260,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml"
 ],
 "tags": [
@@ -5342,7 +5375,7 @@
 "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it"
 ],
 "filename": "win_security_susp_lsass_dump_generic.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
@@ -5366,7 +5399,7 @@
 }
 ],
 "uuid": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76",
- "value": "Generic Password Dumper Activity on LSASS"
+ "value": "Potentially Suspicious AccessMask Requested From LSASS"
 },
 {
 "description": "Detects when the password policy is enumerated.",
@@ -5379,8 +5412,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661",
+ "https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_password_policy_enumerated.yml"
 ],
 "tags": [
@@ -5413,8 +5446,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml"
 ],
 "tags": [
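Review bot: For win_security_susp_lsass_dump_generic.yml only `"level"` (high to medium) and `"value"` ("Generic Password Dumper Activity on LSASS" to "Potentially Suspicious AccessMask Requested From LSASS") change; the cluster's `"description"` is outside both hunks, and if it still talks about generic password-dumper activity it now contradicts the more cautious title and severity. Worth checking that the description was regenerated alongside these two fields so name, level and description agree; if it was not, the mismatch is in the upstream rule and should be reported there. The `falsepositive` context line, "update the whitelist with it", also reads as guidance for the old high-severity framing and could be revisited upstream when the rule's intent is restated.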
@@ -5480,8 +5513,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
 ],
@@ -5567,8 +5600,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
 "https://twitter.com/mattifestation/status/899646620148539397",
+ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
 ],
 "tags": [
@@ -5703,11 +5736,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
 "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+ "https://github.com/sensepost/ruler",
 "https://github.com/sensepost/ruler/issues/47",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
- "https://github.com/sensepost/ruler",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
 ],
 "tags": [
@@ -5797,9 +5830,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
 "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
 "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
+ "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
 ],
 "tags": [
@@ -5992,9 +6025,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
 ],
 "tags": "No established tags"
@@ -6047,9 +6080,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
 ],
 "tags": [
@@ -6168,9 +6201,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_dirkjan/status/1309214379003588608",
- "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
 "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
+ "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -6510,9 +6543,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
 "https://github.com/fox-it/LDAPFragger",
 "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
- "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
 ],
 "tags": [
@@ -6799,9 +6832,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Live environment caused by malware",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
 "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
+ "Live environment caused by malware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
 ],
 "tags": [
@@ -6941,8 +6974,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
 "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml"
 ],
 "tags": [
@@ -7051,8 +7084,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/menasec1/status/1111556090137903104",
 "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
+ "https://twitter.com/menasec1/status/1111556090137903104",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"
 ],
 "tags": [
@@ -7151,8 +7184,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
 "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit",
+ "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml"
 ],
 "tags": [
@@ -7415,9 +7448,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
- "https://twitter.com/SecurityJosh/status/1283027365770276866",
 "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
+ "https://twitter.com/SecurityJosh/status/1283027365770276866",
+ "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
 "https://twitter.com/Flangvik/status/1283054508084473861",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
 ],
@@ -7732,8 +7765,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/topotam/PetitPotam",
- "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
 "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
+ "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
 ],
 "tags": [
@@ -7842,8 +7875,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml"
 ],
 "tags": [
@@ -7885,8 +7918,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
 "https://adsecurity.org/?p=3458",
+ "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml"
 ],
 "tags": [
@@ -8026,9 +8059,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
 ],
 "tags": [
@@ -8419,9 +8452,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
 ],
@@ -8443,16 +8476,16 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
 "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
 "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
 "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -8757,8 +8790,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
 "https://adsecurity.org/?p=2053",
+ "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml"
 ],
 "tags": [
@@ -8915,8 +8948,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
+ "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml"
 ],
 "tags": [
@@ -8949,8 +8982,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
 "https://twitter.com/duzvik/status/1269671601852813320",
+ "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml"
 ],
 "tags": [
@@ -9017,8 +9050,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
 "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
+ "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
 "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
 ],
@@ -9052,9 +9085,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
 "https://adsecurity.org/?p=3466",
 "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
+ "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
 ],
 "tags": [
@@ -9088,8 +9121,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
- "https://twitter.com/SBousseaden/status/1581300963650187264?",
 "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
+ "https://twitter.com/SBousseaden/status/1581300963650187264?",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
 ],
 "tags": [
@@ -9157,9 +9190,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.sans.org/webcasts/119395",
 "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.sans.org/webcasts/119395",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -9243,8 +9276,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
 "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
@@ -9280,8 +9313,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
 "https://twitter.com/SBousseaden/status/1101431884540710913",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml"
 ],
 "tags": [
@@ -9317,8 +9350,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1490608838701166596",
 "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
+ "https://twitter.com/SBousseaden/status/1490608838701166596",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
 ],
 "tags": [
@@ -9384,9 +9417,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
 "https://twitter.com/malmoeb/status/1511760068743766026",
 "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
- "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
 ],
 "tags": [
@@ -9522,8 +9555,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
- "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
 "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
+ "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml"
 ],
 "tags": [
@@ -9615,8 +9648,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
+ "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml"
 ],
 "tags": [
@@ -9750,11 +9783,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
 ],
 "tags": [
@@ -9855,11 +9888,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -9996,8 +10029,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
+ "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml"
 ],
 "tags": [
@@ -10081,11 +10114,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -10361,11 +10394,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/FlemmingRiis/status/1217147415482060800",
- "https://twitter.com/DidierStevens/status/1217533958096924676",
 "https://twitter.com/VM_vivisector/status/1217190929330655232",
- "https://nullsec.us/windows-event-log-audit-cve/",
+ "https://twitter.com/DidierStevens/status/1217533958096924676",
 "https://www.youtube.com/watch?v=ebmW42YYveI",
+ "https://nullsec.us/windows-event-log-audit-cve/",
+ "https://twitter.com/FlemmingRiis/status/1217147415482060800",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml"
 ],
 "tags": [
@@ -10443,8 +10476,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
 "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml"
 ],
 "tags": [
@@ -10561,8 +10594,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml"
 ],
@@ -10630,9 +10663,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
 "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
 "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
+ "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml"
 ],
 "tags": [
@@ -10665,8 +10698,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
 "https://github.com/SigmaHQ/sigma/pull/4467",
+ "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml"
 ],
 "tags": [
@@ -10699,8 +10732,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
 "https://github.com/SigmaHQ/sigma/pull/4467",
+ "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml"
 ],
 "tags": [
@@ -10848,6 +10881,40 @@
 "uuid": "570ae5ec-33dc-427c-b815-db86228ad43e",
 "value": "Application Uninstalled"
 },
+ {
+ "description": "Detects failed logon attempts from clients to MSSQL server.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), j4son",
+ "creation_date": "2023/10/11",
+ "falsepositive": [
+ "This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them"
+ ],
+ "filename": "win_mssql_failed_logon.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html",
+ "https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1110"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "218d2855-2bba-4f61-9c85-81d0ea63ac71",
+ "value": "MSSQL Server Failed Logon"
+ },
 {
 "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started",
 "meta": {
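Review bot: The new cluster's `"description"`, "Detects failed logon attempts from clients to MSSQL server.", omits the logging prerequisite that the refs point at: the experts-exchange link is about Application-log event 18456 and the cybersecthreat link is about enabling MSSQL authentication logging to the event log, which suggests the rule only fires when SQL Server login auditing is configured to write failed logins to the Windows Application log. Operators deploying from this galaxy entry have no way to know the rule is silent by design on servers where that auditing is off, so the description should say so, e.g. `"description": "Detects failed logon attempts to an MSSQL server (Application log event 18456). Requires SQL Server login auditing to write failed logins to the Windows event log."`. The same gap exists in the sibling cluster added later in this commit, win_mssql_failed_logon_from_external_network.yml, which reuses the same two refs. As this file is generated from the upstream Sigma rules, the wording fix belongs in win_mssql_failed_logon.yml and will propagate on the next sync.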
@@ -10861,8 +10928,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml"
 ],
 "tags": [
@@ -10897,6 +10964,40 @@
 "uuid": "d08dd86f-681e-4a00-a92c-1db218754417",
 "value": "MSSQL XPCmdshell Option Change"
 },
+ {
+ "description": "Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.",
+ "meta": {
+ "author": "j4son",
+ "creation_date": "2023/10/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_mssql_failed_logon_from_external_network.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html",
+ "https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1110"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d",
+ "value": "MSSQL Server Failed Logon From External Network"
+ },
 {
 "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands",
 "meta": {
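Review bot: The external-network variant lists only `Unknown` under `falsepositive`, while the generic failed-logon entry added two hunks earlier documents the password-changed-under-a-scheduled-job case; that case applies just as much when the job runs from a non-internal address, so it should be carried over instead of `Unknown`. The entry also does not say how "external network IP" is decided (the detection logic is not part of this cluster file), and that matters operationally: behind NAT, a load balancer or a connection proxy the client address the server logs is the intermediary's, so the rule either never fires or fires on every failure. A sentence in the upstream rule's description such as `Treats addresses outside the RFC 1918 ranges as external; adjust the filter if the server sits behind NAT or a proxy.` would let operators judge the medium level before deploying, assuming that is indeed how the rule filters.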
@@ -10957,9 +11058,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml"
 ],
 "tags": [
@@ -11213,9 +11314,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://twitter.com/SBousseaden/status/1483810148602814466",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
 ],
@@ -11314,9 +11415,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://twitter.com/wdormann/status/1590434950335320065",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml"
 ],
 "tags": [
@@ -11409,9 +11510,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/KevTheHermit/status/1410203844064301056",
 "https://github.com/afwu/PrintNightmare",
 "https://github.com/hhlxf/PrintNightmare",
+ "https://twitter.com/KevTheHermit/status/1410203844064301056",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml"
 ],
 "tags": [
@@ -11467,11 +11568,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
 "https://winaero.com/enable-openssh-server-windows-10/",
+ "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
 "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
 "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
 ],
 "tags": [
@@ -11505,8 +11606,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
- "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
 "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml"
 ],
 "tags": [
@@ -11554,8 +11655,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
 ],
 "tags": [
@@ -11733,9 +11834,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
 "Internal Research",
 "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
- "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml"
 ],
 "tags": [
@@ -11891,8 +11992,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml"
 ],
 "tags": [
@@ -12095,10 +12196,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://isc.sans.edu/diary/22264",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml"
 ],
 "tags": [
@@ -12166,8 +12267,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml"
 ],
@@ -12302,9 +12403,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/gentilkiwi/status/861641945944391680",
 "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
 "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
- "https://twitter.com/gentilkiwi/status/861641945944391680",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml"
 ],
 "tags": [
@@ -12434,8 +12535,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Ekultek/BlueKeep",
 "https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://github.com/Ekultek/BlueKeep",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml"
 ],
 "tags": [
@@ -12525,9 +12626,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/wdormann/status/1347958161609809921",
 "https://twitter.com/jonasLyk/status/1347900440000811010",
 "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
+ "https://twitter.com/wdormann/status/1347958161609809921",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml"
 ],
 "tags": [
@@ -12744,8 +12845,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml"
 ],
 "tags": [
@@ -13211,9 +13312,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.sans.org/webcasts/119395",
 "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.sans.org/webcasts/119395",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -13449,8 +13550,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
 "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
+ "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml"
 ],
 "tags": [
@@ -14460,6 +14561,30 @@
 "uuid": "e6f81941-b1cd-4766-87db-9fc156f658ee",
 "value": "KDC RC4-HMAC Downgrade CVE-2022-37966"
 },
+ {
+ "description": "Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)\nThis could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.\nEvents where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.\n",
+ "meta": {
+ "author": "@br4dy5",
+ "creation_date": "2023/10/09",
+ "falsepositive": [
+ "If prevalent in the environment, filter on events where the AccountName and CN of the Subject do not reference the same user",
+ "If prevalent in the environment, filter on CNs that end in a dollar sign indicating it is a machine name"
+ ],
+ "filename": "win_system_kdcsvc_cert_use_no_strong_mapping.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation"
+ ]
+ },
+ "uuid": "993c2665-e6ef-40e3-a62a-e1a97686af79",
+ "value": "Certificate Use With No Strong Mapping"
+ },
 {
 "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded",
 "meta": {
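Review bot: The Certificate Use With No Strong Mapping entry carries only the tactic tag `attack.privilege_escalation`, so unlike the two MSSQL entries added earlier in this diff it gets no `related` link to an ATT&CK technique object; if the upstream rule can be given a technique tag, the generator would emit that cross-reference for free. The `description` also ends in a literal `\n`, which neither the neighbouring `KDC RC4-HMAC Downgrade CVE-2022-37966` entry nor the other entries added here have, presumably a YAML block scalar that keeps its trailing newline in the source rule; a `>-` style scalar would strip it. The two `falsepositive` strings are really tuning advice rather than benign causes (the description itself says the mismatched-name and machine-CN cases *may indicate spoofing*), so they read better as a `Tuning` note, with the falsepositive field instead naming the benign case they imply, e.g. `Legitimate certificates issued before KB5014754 strong-mapping enforcement that have not been re-issued`. The log channel is only implied by the filename path; naming it in the description would let analysts verify the telemetry is collected before relying on the rule.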
@@ -14473,8 +14598,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml"
 ],
@@ -14508,8 +14633,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml"
 ],
@@ -14543,8 +14668,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml"
 ],
 "tags": [
@@ -14667,8 +14792,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
 "https://twitter.com/mattifestation/status/899646620148539397",
+ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
 ],
 "tags": [
@@ -14834,8 +14959,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -14868,9 +14993,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
 "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
 ],
 "tags": [
@@ -14941,11 +15066,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
 "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
 "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
 "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
+ "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
 ],
 "tags": [
@@ -14994,10 +15119,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
 ],
 "tags": [
@@ -15020,10 +15145,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
 ],
 "tags": [
@@ -15046,10 +15171,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
 ],
 "tags": [
@@ -15072,10 +15197,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
 ],
 "tags": [
@@ -15122,9 +15247,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
 ],
 "tags": [
@@ -15555,8 +15680,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
 "https://labs.withsecure.com/publications/detecting-onenote-abuse",
+ "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml"
 ],
 "tags": [
@@ -15789,8 +15914,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://www.dfirnotes.net/portproxy_detection/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://adepts.of0x.cc/netsh-portproxy-code/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
 ],
@@ -15826,8 +15951,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
 "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
+ "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
 "https://persistence-info.github.io/Data/recyclebin.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
 ],
@@ -15861,8 +15986,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1183745981189427200",
 "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
+ "https://twitter.com/SBousseaden/status/1183745981189427200",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml"
 ],
 "tags": [
@@ -15931,10 +16056,10 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
+ "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
- "https://nvd.nist.gov/vuln/detail/cve-2021-1675",
 "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
- "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
+ "https://nvd.nist.gov/vuln/detail/cve-2021-1675",
 "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
 ],
@@ -16004,8 +16129,8 @@
 "logsource.product": "windows",
 "refs": [
 "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
- "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
 "https://twitter.com/inversecos/status/1494174785621819397",
+ "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml"
 ],
 "tags": [
@@ -16038,8 +16163,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/990717080805789697",
 "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
+ "https://twitter.com/pabraeken/status/990717080805789697",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml"
 ],
 "tags": [
@@ -16311,8 +16436,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
 "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
+ "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml"
 ],
 "tags": [
@@ -16654,8 +16779,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml"
 ],
 "tags": [
@@ -16829,10 +16954,10 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
 "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
- "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
 "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
+ "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
+ "https://github.com/hfiref0x/UACME",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
 ],
 "tags": [
@@ -17013,9 +17138,9 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
 "http://woshub.com/how-to-clear-rdp-connections-history/",
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
 ],
 "tags": [
@@ -17189,11 +17314,11 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
- "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
+ "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
 "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
 ],
 "tags": [
@@ -17226,8 +17351,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
 "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml"
 ],
 "tags": [
@@ -17293,8 +17418,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml"
 ],
 "tags": [
@@ -17352,10 +17477,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
- "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
 "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
+ "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
 "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
 ],
 "tags": [
@@ -17554,9 +17679,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
 "https://twitter.com/Hexacorn/status/991447379864932352",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
- "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
 ],
 "tags": [
@@ -17689,8 +17814,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
 "https://persistence-info.github.io/Data/htmlhelpauthor.html",
+ "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
 ],
 "tags": [
@@ -17736,8 +17861,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/rootm0s/WinPwnage",
 "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
+ "https://github.com/rootm0s/WinPwnage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml"
 ],
 "tags": [
@@ -17770,8 +17895,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
+ "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml"
 ],
 "tags": [
@@ -17945,11 +18070,11 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
- "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
- "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
 "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
+ "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
+ "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
+ "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml"
 ],
 "tags": [
@@ -17982,8 +18107,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
+ "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml"
 ],
 "tags": [
@@ -18007,9 +18132,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
 ],
 "tags": [
@@ -18042,13 +18167,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
 "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
 ],
 "tags": [
@@ -18140,9 +18265,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
 ],
 "tags": [
@@ -18230,8 +18355,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.exploit-db.com/exploits/47696",
 "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
+ "https://www.exploit-db.com/exploits/47696",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
 ],
 "tags": [
@@ -18305,8 +18430,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
 "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
 ],
 "tags": [
@@ -18458,10 +18583,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
 ],
 "tags": [
@@ -18494,8 +18619,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
 "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
+ "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml"
 ],
 "tags": [
@@ -18705,8 +18830,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://persistence-info.github.io/Data/codesigning.html",
- "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
+ "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
 ],
 "tags": [
@@ -18741,9 +18866,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
 ],
 "tags": [
@@ -18842,8 +18967,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/last-byte/PersistenceSniper",
 "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/last-byte/PersistenceSniper",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
 ],
 "tags": [
@@ -18876,8 +19001,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml"
 ],
 "tags": [
@@ -19033,8 +19158,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
 "https://twitter.com/WhichbufferArda/status/1543900539280293889",
+ "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
 ],
 "tags": [
@@ -19176,8 +19301,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://twitter.com/inversecos/status/1494174785621819397",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml"
 ],
 "tags": [
@@ -19210,8 +19335,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
 "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml"
 ],
 "tags": [
@@ -19314,8 +19439,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
 ],
 "tags": [
@@ -19528,10 +19653,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
 ],
 "tags": [
@@ -19671,13 +19796,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
 "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
 ],
 "tags": [
@@ -19745,9 +19870,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
 ],
 "tags": [
@@ -19781,9 +19906,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
 ],
 "tags": [
@@ -20036,8 +20161,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
- "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
 "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
+ "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml"
 ],
 "tags": [
@@ -20060,8 +20185,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
+ "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml"
 ],
 "tags": [
@@ -20117,8 +20242,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
 "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
 ],
@@ -20153,9 +20278,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
 ],
 "tags": [
@@ -20188,10 +20313,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine",
- "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
 "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html",
 "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection",
+ "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
+ "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml"
 ],
 "tags": [
@@ -20224,8 +20349,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13",
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml"
 ],
 "tags": [
@@ -20373,9 +20498,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
- "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
 "https://twitter.com/M_haggis/status/1699056847154725107",
 "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
+ "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml"
 ],
 "tags": [
@@ -20529,12 +20654,12 @@
 "logsource.product": "windows",
 "refs": [
 "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
 "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
- "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
+ "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
 ],
 "tags": [
@@ -20567,8 +20692,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml"
 ],
 "tags": [
@@ -20601,8 +20726,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
+ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
 ],
 "tags": [
@@ -20668,8 +20793,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
 "https://github.com/hfiref0x/UACME",
+ "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
 ],
 "tags": [
@@ -20755,9 +20880,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
- "https://twitter.com/inversecos/status/1494174785621819397",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml"
 ],
 "tags": [
@@ -20847,9 +20972,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf",
 "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
 "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
- "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml"
 ],
 "tags": [
@@ -21048,8 +21173,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml"
 ],
 "tags": [
@@ -21082,8 +21207,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/naturallanguage6.html",
 "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
+ "https://persistence-info.github.io/Data/naturallanguage6.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml"
 ],
 "tags": [
@@ -21176,9 +21301,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
 ],
 "tags": [
@@ -21211,8 +21336,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
 "https://persistence-info.github.io/Data/mpnotify.html",
+ "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
 ],
 "tags": [
@@ -21236,9 +21361,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
 ],
 "tags": [
@@ -21362,9 +21487,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
 ],
 "tags": [
@@ -21431,8 +21556,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
 ],
@@ -21466,8 +21591,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
 ],
@@ -21510,9 +21635,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml"
 ],
 "tags": [
@@ -21545,8 +21670,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml"
 ],
 "tags": [
@@ -21580,8 +21705,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml"
 ],
 "tags": [
@@ -21715,9 +21840,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
 "https://www.sans.org/cyber-security-summit/archives",
 "https://twitter.com/jamieantisocial/status/1304520651248668673",
+ "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
 ],
 "tags": [
@@ -21911,8 +22036,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml"
 ],
 "tags": [
@@ -22012,9 +22137,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
- "https://twitter.com/inversecos/status/1494174785621819397",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml"
 ],
 "tags": [
@@ -22071,8 +22196,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
 ],
 "tags": [
@@ -22175,8 +22300,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/1",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml"
 ],
 "tags": [
@@ -22243,9 +22368,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/VakninHai/status/1517027824984547329",
- "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
 "https://twitter.com/pabraeken/status/998627081360695297",
+ "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
+ "https://twitter.com/VakninHai/status/1517027824984547329",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
 ],
 "tags": [
@@ -22345,8 +22470,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
 "https://persistence-info.github.io/Data/autodialdll.html",
+ "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml"
 ],
 "tags": [
@@ -22438,10 +22563,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
 ],
 "tags": [
@@ -22507,9 +22632,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
 "https://unit42.paloaltonetworks.com/ransomware-families/",
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
 ],
 "tags": [
@@ -22617,8 +22742,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5",
 "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior",
+ "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml"
 ],
 "tags": [
@@ -22684,9 +22809,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
- "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
 "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
+ "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
+ "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
 ],
 "tags": [
@@ -22709,10 +22834,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/elastic/detection-rules/issues/1371",
 "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
- "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
 "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
- "https://github.com/elastic/detection-rules/issues/1371",
+ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
 ],
 "tags": [
@@ -22753,8 +22878,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
 "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
+ "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml"
 ],
 "tags": [
@@ -22820,10 +22945,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md",
- "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks",
 "https://twitter.com/nas_bench/status/1626648985824788480",
+ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks",
+ "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml"
 ],
 "tags": [
@@ -22890,8 +23015,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
 ],
@@ -22915,17 +23040,17 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
 "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
 "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
 "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
 "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -23000,9 +23125,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
 ],
 "tags": [
@@ -23102,9 +23227,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
 "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
 ],
 "tags": [
@@ -23137,8 +23262,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
 "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
+ "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml"
 ],
 "tags": [
@@ -23171,10 +23296,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1468548924600459267",
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
 "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
+ "https://twitter.com/0gtweet/status/1468548924600459267",
 "https://persistence-info.github.io/Data/ifilters.html",
+ "https://github.com/gtworek/PSBits/tree/master/IFilter",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
 ],
 "tags": [
@@ -23255,8 +23380,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
 "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml"
 ],
 "tags": [
@@ -23360,9 +23485,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
 "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html",
 "https://twitter.com/dez_/status/986614411711442944",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
 ],
 "tags": [
@@ -23565,8 +23690,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
 "https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_svchost_dlls.yml"
 ],
 "tags": [
@@ -23609,9 +23734,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
- "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
 "https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
+ "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml"
 ],
 "tags": [
@@ -23690,10 +23815,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/bohops/WSMan-WinRM",
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
 "https://twitter.com/chadtilbury/status/1275851297770610688",
 "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://github.com/bohops/WSMan-WinRM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
 ],
 "tags": [
@@ -24397,12 +24522,12 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
 "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://github.com/Wh04m1001/SysmonEoP",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
 "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
 ],
 "tags": [
@@ -24488,8 +24613,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml"
 ],
 "tags": [
@@ -24554,8 +24679,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
 "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
+ "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
 ],
 "tags": [
@@ -24750,10 +24875,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
 "https://hijacklibs.net/",
- "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
 "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
 ],
 "tags": [
@@ -24796,8 +24921,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html",
 "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/",
+ "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml"
 ],
 "tags": [
@@ -24830,8 +24955,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
 "https://twitter.com/am0nsec/status/1412232114980982787",
+ "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml"
 ],
 "tags": [
@@ -25027,8 +25152,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/p3nt4/PowerShdll",
 "https://adsecurity.org/?p=2921",
+ "https://github.com/p3nt4/PowerShdll",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml"
 ],
 "tags": [
@@ -25182,8 +25307,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/blog/lnk-between-browsers",
 "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/",
+ "https://www.mandiant.com/resources/blog/lnk-between-browsers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml"
 ],
 "tags": [
@@ -25475,10 +25600,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://thewover.github.io/Introducing-Donut/",
 "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
 "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://github.com/tyranid/DotNetToJScript",
+ "https://thewover.github.io/Introducing-Donut/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
 ],
 "tags": [
@@ -25633,8 +25758,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/WhichbufferArda/status/1658829954182774784",
 "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/",
+ "https://twitter.com/WhichbufferArda/status/1658829954182774784",
 "https://securelist.com/apt-luminousmoth/103332/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml"
 ],
@@ -25711,9 +25836,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/1196390321783025666",
 "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://twitter.com/mattifestation/status/1196390321783025666",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml"
 ],
 "tags": [
@@ -25842,9 +25967,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/StopMalvertisin/status/1648604148848549888",
- "https://twitter.com/t3ft3lb/status/1656194831830401024",
 "https://www.roboform.com/",
+ "https://twitter.com/t3ft3lb/status/1656194831830401024",
+ "https://twitter.com/StopMalvertisin/status/1648604148848549888",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml"
 ],
 "tags": [
@@ -26269,8 +26394,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
 "https://mobile.twitter.com/0gtweet/status/1564131230941122561",
+ "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml"
 ],
 "tags": [
@@ -26730,10 +26855,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/S12cybersecurity/RDPCredentialStealer",
+ "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
 "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html",
+ "https://github.com/S12cybersecurity/RDPCredentialStealer",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
- "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml"
 ],
 "tags": [
@@ -26842,8 +26967,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
- "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
 ],
 "tags": [
@@ -26911,9 +27036,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/bohops/WSMan-WinRM",
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
 "https://twitter.com/chadtilbury/status/1275851297770610688",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://github.com/bohops/WSMan-WinRM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
 ],
 "tags": [
@@ -27133,8 +27258,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml"
 ],
 "tags": [
@@ -27332,8 +27457,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml"
 ],
 "tags": [
@@ -27511,9 +27636,9 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/samratashok/ADModule",
- "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
+ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://github.com/samratashok/ADModule",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml"
 ],
 "tags": [
@@ -27572,8 +27697,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml"
 ],
 "tags": [
@@ -27756,8 +27881,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
 "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml"
 ],
 "tags": [
@@ -27865,24 +27990,24 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/samratashok/nishang",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/adrecon/ADRecon",
 "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/adrecon/ADRecon",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- 
"https://github.com/besimorhino/powercat",
- "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/calebstewart/CVE-2021-1675",
 "https://adsecurity.org/?p=2921",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/Kevin-Robertson/Powermad",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"
 ],
 "tags": [
@@ -28247,22 +28372,22 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/samratashok/nishang",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/besimorhino/powercat",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/NetSPI/PowerUpSQL",
 "https://github.com/PowerShellMafia/PowerSploit",
 "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/HarmJ0y/DAMP",
 "https://github.com/AlsidOfficial/WSUSpendu/",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
 "https://github.com/CsEnox/EventViewer-UACBypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"
 ],
@@ -28477,8 +28602,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml"
 ],
 "tags": [
@@ -28511,8 +28636,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml"
 ],
 "tags": [
@@ -28686,8 +28811,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content",
 "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell",
+ "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml"
 ],
 "tags": [
@@ -28811,8 +28936,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml"
 ],
 "tags": [
@@ -29053,8 +29178,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml"
 ],
@@ -29121,9 +29246,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
 "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
 ],
 "tags": [
@@ -29275,9 +29400,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://adsecurity.org/?p=2277",
- "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
 "https://powersploit.readthedocs.io/en/stable/Recon/README",
 "https://thedfirreport.com/2020/10/08/ryuks-return",
+ "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
 ],
 "tags": [
@@ -29420,9 +29545,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
 ],
 "tags": [
@@ -29658,10 +29783,10 @@
 "logsource.product": "windows",
 "refs": [
 "http://woshub.com/manage-windows-firewall-powershell/",
- "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
- "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
 "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
+ "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
 "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
+ "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
 ],
 "tags": [
@@ -29852,9 +29977,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://youtu.be/5mqid-7zp8k?t=2481",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
 ],
 "tags": [
@@ -29943,8 +30068,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortypoundhead.com/showcontent.asp?artid=24022",
 "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://www.fortypoundhead.com/showcontent.asp?artid=24022",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml"
 ],
 "tags": [
@@ -30010,8 +30135,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2",
+ "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml"
 ],
 "tags": [
@@ -30628,8 +30753,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml"
 ],
 "tags": [
@@ -30662,8 +30787,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/850381440629981184",
 "https://t.co/ezOTGy1a1G",
+ "https://twitter.com/JohnLaTwC/status/850381440629981184",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml"
 ],
 "tags": [
@@ -30697,8 +30822,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml"
 ],
 "tags": [
@@ -30930,9 +31055,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/samratashok/ADModule",
- "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
+ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://github.com/samratashok/ADModule",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml"
 ],
 "tags": [
@@ -30957,8 +31082,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
 "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
+ "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml"
 ],
 "tags": [
@@ -30992,8 +31117,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml"
 ],
 "tags": [
@@ -31026,8 +31151,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml"
 ],
 "tags": [
@@ -31188,8 +31313,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
+ "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml"
 ],
 "tags": [
@@ -31384,8 +31509,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://o365blog.com/aadinternals/",
 "https://github.com/Gerenios/AADInternals",
+ "https://o365blog.com/aadinternals/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml"
 ],
 "tags": [
@@ -31496,8 +31621,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml"
 ],
 "tags": [
@@ -31606,8 +31731,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
+ "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml"
 ],
 "tags": [
@@ -31775,8 +31900,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
 ],
 "tags": [
@@ -31843,8 +31968,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml"
 ],
 "tags": [
@@ -31924,9 +32049,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://twitter.com/oroneequalsone/status/1568432028361830402",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
 ],
 "tags": [
@@ -32058,9 +32183,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
 "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
 ],
 "tags": [
@@ -32093,9 +32218,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
 "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
 "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml"
 ],
 "tags": [
@@ -32161,8 +32286,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
 "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
+ "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml"
 ],
 "tags": [
@@ -32196,8 +32321,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
+ "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml"
 ],
 "tags": [
@@ -32297,8 +32422,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml"
 ],
 "tags": [
@@ -32501,9 +32626,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
 "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml"
 ],
 "tags": [
@@ -32544,8 +32669,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/harleyQu1nn/AggressorScripts",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml"
 ],
 "tags": [
@@ -32653,8 +32778,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
+ "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml"
 ],
 "tags": [
@@ -32687,10 +32812,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
+ "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
 "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
 "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
- "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
- "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
 ],
 "tags": [
@@ -32757,8 +32882,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml"
 ],
 "tags": [
@@ -32848,8 +32973,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"
 ],
 "tags": [
@@ -33090,10 +33215,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
 "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
- "https://twitter.com/ScumBots/status/1610626724257046529",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
 "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+ "https://twitter.com/ScumBots/status/1610626724257046529",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
 ],
 "tags": [
@@ -33127,8 +33252,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml"
 ],
 "tags": [
@@ -33302,24 +33427,24 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/samratashok/nishang",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/adrecon/ADRecon",
 "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/adrecon/ADRecon",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/besimorhino/powercat",
- "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/calebstewart/CVE-2021-1675",
 "https://adsecurity.org/?p=2921",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/Kevin-Robertson/Powermad",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
 ],
 "tags": [
@@ -33451,9 +33576,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
 "https://www.shellhacks.com/clear-history-powershell/",
 "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
+ "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
 ],
 "tags": [
@@ -33494,9 +33619,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
 "https://github.com/GhostPack/Rubeus",
 "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
+ "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml"
 ],
 "tags": [
@@ -33654,8 +33779,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
 ],
 "tags": [
@@ -33930,8 +34055,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
 "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
 ],
 "tags": [
@@ -34064,8 +34189,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"
 ],
 "tags": [
@@ -34272,8 +34397,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml"
 ],
 "tags": [
@@ -34505,9 +34630,9 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/KeeThief",
 "https://github.com/denandz/KeeFarce",
 "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
+ "https://github.com/GhostPack/KeeThief",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml"
 ],
 "tags": [
@@ -34942,8 +35067,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://systeminformer.sourceforge.io/",
 "https://github.com/winsiderss/systeminformer",
+ "https://systeminformer.sourceforge.io/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml"
 ],
 "tags": [
@@ -35085,8 +35210,8 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
 "https://reqrypt.org/windivert-doc.html",
+ "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml"
 ],
 "tags": [
@@ -35419,8 +35544,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
 "https://pypi.org/project/scapy/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml"
 ],
 "tags": [
@@ -35453,8 +35578,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf",
 "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/",
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml"
 ],
 "tags": [
@@ -35548,8 +35673,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://content.fireeye.com/apt-41/rpt-apt41",
 "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
+ "https://content.fireeye.com/apt-41/rpt-apt41",
 "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml"
 ],
@@ -35990,11 +36115,11 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://twitter.com/M_haggis/status/900741347035889665",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://twitter.com/M_haggis/status/1032799638213066752",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://twitter.com/M_haggis/status/900741347035889665",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml"
 ],
 "tags": [
@@ -36027,8 +36152,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
+ "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml"
 ],
 "tags": [
@@ -36254,10 +36379,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/looCiprian/GC2-sheet",
- "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
- "https://youtu.be/n2dFlSaBBKo",
 "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
+ "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
 "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
+ "https://youtu.be/n2dFlSaBBKo",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml"
 ],
 "tags": [
@@ -36508,9 +36633,9 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
+ "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
 "https://twitter.com/kleiton0x7e/status/1600567316810551296",
 "https://github.com/kleiton0x00/RedditC2",
- "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml"
 ],
 "tags": [
@@ -36543,8 +36668,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332",
 "https://github.com/mttaggart/OffensiveNotion",
+ "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml"
 ],
 "tags": [
@@ -36687,8 +36812,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
 "https://twitter.com/forensicitguy/status/1513538712986079238",
+ "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
 ],
 "tags": [
@@ -36721,10 +36846,10 @@
 "logsource.category": "network_connection",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
 "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
 "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml"
 ],
 "tags": [
@@ -36885,12 +37010,12 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/helpsystems/nanodump",
- "https://www.google.com/search?q=procdump+lsass",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
 "https://github.com/CCob/MirrorDump",
- "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
 "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
+ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://github.com/helpsystems/nanodump",
+ "https://www.google.com/search?q=procdump+lsass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml"
 ],
 "tags": [
@@ -37025,9 +37150,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/cube0x0/status/1418920190759378944",
- "https://github.com/GossiTheDog/HiveNightmare",
- "https://github.com/WiredPulse/Invoke-HiveNightmare",
 "https://github.com/FireFart/hivenightmare/",
+ "https://github.com/WiredPulse/Invoke-HiveNightmare",
+ "https://github.com/GossiTheDog/HiveNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml"
 ],
 "tags": [
@@ -37061,8 +37186,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml"
 ],
 "tags": [
@@ -37138,10 +37263,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
 "https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
 ],
 "tags": [
@@ -37344,8 +37469,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
 "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml"
 ],
 "tags": [
@@ -37370,10 +37495,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
- "https://labs.withsecure.com/publications/detecting-onenote-abuse",
- "https://twitter.com/MaD_c4t/status/1623414582382567424",
 "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
+ "https://labs.withsecure.com/publications/detecting-onenote-abuse",
 "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/",
+ "https://twitter.com/MaD_c4t/status/1623414582382567424",
 "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml"
 ],
@@ -37398,9 +37523,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
 "https://pentestlab.blog/tag/ntds-dit/",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml"
 ],
 "tags": [
@@ -37512,10 +37637,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
 "https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
 ],
 "tags": [
@@ -37581,9 +37706,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Yaxser/Backstab",
 "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
 "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks",
+ "https://github.com/Yaxser/Backstab",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml"
 ],
@@ -37792,8 +37917,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
+ "Internal Research",
 "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml"
 ],
@@ -37894,9 +38019,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
- "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
- "http://addbalance.com/word/startup.htm",
 "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
+ "http://addbalance.com/word/startup.htm",
+ "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml"
 ],
 "tags": [
@@ -38009,8 +38134,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish",
 "http://www.irongeek.com/homoglyph-attack-generator.php",
+ "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml"
 ],
 "tags": [
@@ -38100,9 +38225,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
 "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml"
 ],
 "tags": [
@@ -38170,8 +38295,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/wpbbin.html",
 "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
+ "https://persistence-info.github.io/Data/wpbbin.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml"
 ],
 "tags": [
@@ -38481,6 +38606,43 @@
 "uuid": "a6976974-ea6f-4e97-818e-ea08625c52cb",
 "value": "Potential RipZip Attack on Startup Folder"
 },
+ {
+ "description": "Detects the creation of hidden file/folder with the \"::$index_allocation\" stream. Which can be used as a technique to prevent access to folder and files from tooling such as \"explorer.exe\" and \"powershell.exe\"\n",
+ "meta": {
+ "author": "Scoubi (@ScoubiMtl)",
+ "creation_date": "2023/10/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "file_event_win_susp_hidden_dir_index_allocation.yml",
+ "level": "medium",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
+ "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/",
+ "https://twitter.com/pfiatde/status/1681977680688738305",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
+ "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a8f866e1-bdd4-425e-a27a-37619238d9c7",
+ "value": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream"
+ },
 {
 "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.",
 "meta": {
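Review bot: The new entry's `description` breaks into a sentence fragment after the first period (`stream. Which can be used as a technique ...`) and carries a trailing `\n` inside the JSON string, which consumers rendering the field will show as a stray line break. This cluster appears to be generated from the upstream Sigma rule named in `filename`, so the wording fix belongs in that rule's `description` rather than here, or the next regeneration will revert it; suggested text: `Detects the creation of a hidden file or folder with the "::$index_allocation" stream, which can be used to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe".` The other hunks in this chunk only reorder existing `refs` entries; if the generator does not emit them in a stable order, sorting them at generation time would keep future diffs limited to real content changes.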
@@ -38494,10 +38656,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
 ],
@@ -38565,26 +38727,26 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/besimorhino/powercat",
 "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/besimorhino/powercat",
- "https://github.com/CsEnox/EventViewer-UACBypass",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/adrecon/ADRecon",
- "https://github.com/Kevin-Robertson/Powermad",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/PowerShellMafia/PowerSploit",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/adrecon/AzureADRecon",
 "https://github.com/nettitude/Invoke-PowerThIEf",
 "https://github.com/samratashok/nishang",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/NetSPI/PowerUpSQL",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/CsEnox/EventViewer-UACBypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
 ],
 "tags": [
@@ -38617,9 +38779,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
 "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
+ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
 ],
 "tags": [
@@ -38760,8 +38922,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml"
 ],
 "tags": [
@@ -39029,8 +39191,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies",
 "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders",
+ "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml"
 ],
 "tags": [
@@ -39063,8 +39225,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml"
 ],
 "tags": [
@@ -39285,8 +39447,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml"
 ],
 "tags": [
@@ -39320,10 +39482,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
 "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
 ],
 "tags": [
@@ -39356,9 +39518,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
 "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
+ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml"
 ],
 "tags": [
@@ -39391,9 +39553,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
 "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
 "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
- "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
 ],
 "tags": [
@@ -39417,9 +39579,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
 "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
+ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
 ],
 "tags": [
@@ -39492,8 +39654,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
 "https://github.com/outflanknl/Dumpert",
+ "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml"
 ],
 "tags": [
@@ -39835,8 +39997,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder",
 "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml"
 ],
 "tags": [
@@ -39869,8 +40031,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
 "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml"
 ],
 "tags": [
@@ -40004,9 +40166,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
 "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
 ],
 "tags": [
@@ -40141,8 +40303,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1278977301745741825",
 "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
+ "https://twitter.com/SBousseaden/status/1278977301745741825",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
 ],
 "tags": [
@@ -40209,8 +40371,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml"
 ],
 "tags": [
@@ -40234,10 +40396,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/HuskyHacks/ShadowSteal",
- "https://github.com/cube0x0/CVE-2021-36934",
 "https://github.com/search?q=CVE-2021-36934",
- "https://github.com/FireFart/hivenightmare",
 "https://www.google.com/search?q=%22reg.exe+save%22+sam",
+ "https://github.com/cube0x0/CVE-2021-36934",
+ "https://github.com/FireFart/hivenightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
 ],
 "tags": [
@@ -40876,8 +41038,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
 "https://github.com/GhostPack/SafetyKatz",
+ "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml"
 ],
 "tags": [
@@ -40943,10 +41105,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
- "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
+ "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
 ],
 "tags": [
@@ -41078,8 +41240,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/last-byte/PersistenceSniper", "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", + "https://github.com/last-byte/PersistenceSniper", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml" ], "tags": [ @@ -41102,9 +41264,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" ], "tags": [ @@ -41239,8 +41401,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml" ], "tags": [ 
@@ -41273,10 +41435,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", - "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", + "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" ], "tags": [ 
@@ -41297,18 +41459,19 @@
 "value": "New Shim Database Created in the Default Directory"
 },
 {
- "description": "Possible webshell file creation on a static web site",
+ "description": "Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.",
 "meta": {
- "author": "Beyu Denis, oscd.community, Tim Shelton",
+ "author": "Beyu Denis, oscd.community, Tim Shelton, Thurein Oo",
 "creation_date": "2019/10/22",
 "falsepositive": [
 "Legitimate administrator or developer creating legitimate executable files in a web application folder"
 ],
 "filename": "file_event_win_webshell_creation_detect.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md",
 "PT ESC rule and personal experience",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml"
 ],
@@ -41327,7 +41490,7 @@
 }
 ],
 "uuid": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9",
- "value": "Windows Webshell Creation"
+ "value": "Potential Webshell Creation On Static Website"
 },
 {
 "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n",
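Review bot: The `"level"` drop from `"high"` to `"medium"` lands together with a broader `"description"` ("files with certain extensions"), yet the `"falsepositive"` entry still speaks only of "executable files", so an analyst reading this cluster entry cannot tell which extensions the rule now covers or why its severity was lowered; since the `refs` entry points at the upstream SigmaHQ rule this file is generated from, the wording should be aligned there and the galaxy re-generated rather than patched here. Anyone who triages or suppresses on `level == "high"` will silently lose this rule after the change, which is worth calling out in the commit message. The `"value"` rename to "Potential Webshell Creation On Static Website" keeps the `"uuid"` (`39f1f9f2-…`) unchanged, so uuid-keyed consumers are unaffected, but any correlation or allow-list that matches the cluster by its `value` string will stop matching — presumably nothing downstream does, but it should be confirmed. Every other hunk in this commit only reorders `refs` with no content change, which suggests the generator emits them in unstable (set-iteration) order; sorting `refs` before serialising would confine future regenerations to real content changes and make reviews like this one tractable.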
@@ -41418,8 +41581,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml" ], "tags": [ @@ -41620,12 +41783,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://github.com/Wh04m1001/SysmonEoP", "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", - "https://github.com/Wh04m1001/SysmonEoP", - "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -41710,8 +41873,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Internal Research", "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml" ], "tags": [ 
@@ -41838,8 +42001,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", + "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ @@ -41973,8 +42136,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/cube0x0/CVE-2021-1675", "https://github.com/hhlxf/PrintNightmare", + "https://github.com/cube0x0/CVE-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml" ], "tags": [ @@ -42243,8 +42406,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "Internal Research", "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml" ], "tags": [ @@ -42313,8 +42476,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", "https://github.com/lclevy/firepwd", + "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml" ], "tags": [ 
@@ -42347,8 +42510,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" ], "tags": [ @@ -42415,8 +42578,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.passcape.com/windows_password_recovery_dpapi_credhist", "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", + "https://www.passcape.com/windows_password_recovery_dpapi_credhist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml" ], "tags": [ @@ -42583,10 +42746,10 @@ "logsource.product": "windows", "refs": [ "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", + "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", - "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml" ], "tags": [ 
@@ -42819,8 +42982,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" ], "tags": [ @@ -42964,12 +43127,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", - "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", - "https://redcanary.com/blog/raspberry-robin/", - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://redcanary.com/blog/raspberry-robin/", + "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" ], "tags": [ 
@@ -43059,9 +43222,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml" ], "tags": [ @@ -43185,8 +43348,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" ], "tags": [ @@ -43288,8 +43451,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1638069413717975046", "https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend", + "https://twitter.com/0gtweet/status/1638069413717975046", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml" ], "tags": [ 
@@ -43322,8 +43485,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml" ], "tags": [ @@ -43370,11 +43533,11 @@ "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.joeware.net/freetools/tools/adfind/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" ], "tags": [ @@ -43548,8 +43711,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml" ], "tags": [ 
@@ -43689,8 +43852,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/countuponsec/status/910977826853068800", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", + "https://twitter.com/countuponsec/status/910977826853068800", "https://twitter.com/countuponsec/status/910969424215232518", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], @@ -43725,8 +43888,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", - "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://www.fortiguard.com/threat-signal-report/4718?s=09", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml" ], "tags": [ @@ -43792,8 +43955,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml" ], "tags": [ @@ -43998,8 +44161,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml" ], 
@@ -44034,8 +44197,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/shantanu561993/SharpChisel", "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", + "https://github.com/shantanu561993/SharpChisel", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml" ], "tags": [ @@ -44068,8 +44231,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml" ], 
@@ -44137,13 +44300,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml" ], "tags": [ 
@@ -44177,12 +44340,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", - "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", "https://twitter.com/xorJosh/status/1598646907802451969", - "https://ngrok.com/docs", "https://www.softwaretestinghelp.com/how-to-use-ngrok/", "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://ngrok.com/docs", + "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], @@ -44250,8 +44413,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/1ZRR4H/status/1534259727059787783", "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", + "https://twitter.com/1ZRR4H/status/1534259727059787783", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml" ], "tags": [ 
@@ -44284,14 +44447,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ 
@@ -44332,10 +44495,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", "https://twitter.com/hFireF0X/status/897640081053364225", - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" ], "tags": [ @@ -44417,8 +44580,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1535431474429808642", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://twitter.com/nas_bench/status/1535431474429808642", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml" ], "tags": [ @@ -44460,9 +44623,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product", "https://www.yeahhub.com/list-installed-programs-version-path-windows/", - "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" ], "tags": [ 
@@ -44495,10 +44658,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://mez0.cc/posts/cobaltstrike-powershell-exec/", - "https://zero2auto.com/2020/05/19/netwalker-re/", "https://redcanary.com/blog/yellow-cockatoo/", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://zero2auto.com/2020/05/19/netwalker-re/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ @@ -44548,8 +44711,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-december-2021", "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", + "https://redcanary.com/blog/intelligence-insights-december-2021", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml" ], "tags": [ @@ -44656,9 +44819,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://www.joeware.net/freetools/tools/adfind/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml" ], "tags": [ 
@@ -44837,8 +45000,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Gal_B1t/status/1062971006078345217", "https://twitter.com/hexacorn/status/1448037865435320323", + "https://twitter.com/Gal_B1t/status/1062971006078345217", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml" ], "tags": [ 
@@ -45027,16 +45190,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://twitter.com/_xpn_/status/1268712093928378368", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://twitter.com/_xpn_/status/1268712093928378368", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], "tags": [ 
@@ -45069,8 +45232,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1457676633809330184", "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", + "https://twitter.com/0gtweet/status/1457676633809330184", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml" ], "tags": [ @@ -45103,8 +45266,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" ], @@ -45139,9 +45302,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://www.poweradmin.com/paexec/", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" ], "tags": [ 
@@ -45174,8 +45337,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" ], "tags": [ @@ -45217,8 +45380,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1638069413717975046", "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend", + "https://twitter.com/0gtweet/status/1638069413717975046", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml" ], "tags": [ @@ -45318,9 +45481,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/jonasLyk/status/1555914501802921984", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], "tags": [ 
@@ -45570,8 +45733,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1628720819537936386", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://twitter.com/0gtweet/status/1628720819537936386", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], @@ -45605,8 +45768,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", "https://linux.die.net/man/1/bash", + "Internal Research", "https://lolbas-project.github.io/lolbas/Binaries/Bash/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" ], @@ -45640,8 +45803,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", + "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml" ], "tags": [ 
@@ -45698,8 +45861,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
 "https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/",
+ "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml"
 ],
 "tags": [
@@ -46006,8 +46169,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml"
@@ -46127,9 +46290,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
 "https://github.com/GhostPack/Rubeus",
 "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
+ "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml"
 ],
 "tags": [
@@ -46245,10 +46408,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
 "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
 "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
 ],
 "tags": [
@@ -46323,8 +46486,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
 "https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
+ "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml"
 ],
 "tags": [
@@ -46468,8 +46631,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
 "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml"
 ],
 "tags": [
@@ -46645,8 +46808,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
- "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
 "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
+ "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml"
 ],
 "tags": [
@@ -46762,8 +46925,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"
 ],
 "tags": [
@@ -46879,8 +47042,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml"
 ],
 "tags": [
@@ -47054,8 +47217,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml"
@@ -47126,8 +47289,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
 ],
@@ -47162,9 +47325,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
 "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
 "https://twitter.com/EricaZelic/status/1614075109827874817",
- "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
 "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml"
 ],
@@ -47282,8 +47445,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/999090532839313408",
 "https://twitter.com/pabraeken/status/995837734379032576",
+ "https://twitter.com/pabraeken/status/999090532839313408",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml"
 ],
@@ -47351,8 +47514,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
 "https://twitter.com/0gtweet/status/1206692239839289344",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml"
 ],
 "tags": [
@@ -47419,8 +47582,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml"
 ],
 "tags": [
@@ -47443,8 +47606,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml"
 ],
@@ -47478,9 +47641,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
 "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
 "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md",
- "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml"
 ],
 "tags": [
@@ -47614,8 +47777,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://dtm.uk/wuauclt/",
 "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/",
+ "https://dtm.uk/wuauclt/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml"
 ],
 "tags": [
@@ -47649,8 +47812,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/right-to-left-override/",
 "https://unicode-explorer.com/c/202E",
+ "https://redcanary.com/blog/right-to-left-override/",
 "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml"
 ],
@@ -47684,9 +47847,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
 "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
 "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
- "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml"
 ],
 "tags": [
@@ -47729,8 +47892,8 @@
 "refs": [
 "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
 "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
- "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
 "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
+ "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml"
 ],
 "tags": [
@@ -47763,8 +47926,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml"
 ],
 "tags": [
@@ -47830,14 +47993,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
 "https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://github.com/SigmaHQ/sigma/issues/3742",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
 ],
 "tags": [
@@ -47879,9 +48042,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
 "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
 ],
 "tags": [
@@ -48014,8 +48177,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1562072617552678912",
 "https://ss64.com/nt/cmd.html",
+ "https://twitter.com/cyb3rops/status/1562072617552678912",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml"
 ],
 "tags": [
@@ -48133,9 +48296,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
 "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml"
 ],
 "tags": [
@@ -48168,8 +48331,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1278977301745741825",
 "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
+ "https://twitter.com/SBousseaden/status/1278977301745741825",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml"
 ],
 "tags": [
@@ -48236,10 +48399,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
 "https://twitter.com/Hexacorn/status/885553465417756673",
 "https://twitter.com/vysecurity/status/885545634958385153",
 "https://twitter.com/Hexacorn/status/885570278637678592",
- "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
 "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml"
 ],
@@ -48433,8 +48596,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows",
 "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml"
 ],
 "tags": [
@@ -48537,7 +48700,7 @@
 "Unknown"
 ],
 "filename": "proc_creation_win_susp_elevated_system_shell.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
@@ -48561,7 +48724,7 @@
 }
 ],
 "uuid": "178e615d-e666-498b-9630-9ed363038101",
- "value": "Suspicious Elevated System Shell"
+ "value": "Elevated System Shell Spawned"
 },
 {
 "description": "Detects potentially suspicious child processes spawned by PowerShell",
@@ -48673,8 +48836,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/locked-out/68960/",
 "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md",
+ "https://securelist.com/locked-out/68960/",
 "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml"
 ],
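Review bot: The `value` of the cluster with uuid `178e615d-e666-498b-9630-9ed363038101` changes from `"Suspicious Elevated System Shell"` to `"Elevated System Shell Spawned"` while the uuid is kept, and MISP derives galaxy tag names from the value string, so events already tagged with the old name will presumably stop resolving to this cluster unless the consumer matches on uuid rather than on the tag text. The companion hunk lowers `level` from `"high"` to `"medium"` for the same entry; if this file is regenerated from upstream Sigma that is expected, but both changes are the only non-reorder edits in this section and deserve a sentence in the commit description. The entry's `description` lies outside these hunks, so it cannot be confirmed here whether it was updated to match the less assertive title.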
@@ -48709,8 +48872,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py",
- "https://blog.viettelcybersecurity.com/saml-show-stopper/",
 "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/",
+ "https://blog.viettelcybersecurity.com/saml-show-stopper/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml"
 ],
 "tags": [
@@ -48744,8 +48907,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://www.dfirnotes.net/portproxy_detection/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://adepts.of0x.cc/netsh-portproxy-code/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml"
 ],
@@ -48781,8 +48944,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/",
+ "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml"
 ],
 "tags": [
@@ -49132,8 +49295,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
 "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml"
 ],
 "tags": [
@@ -49207,10 +49370,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
- "https://github.com/defaultnamehere/cookie_crimes/",
 "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+ "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
 "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
+ "https://github.com/defaultnamehere/cookie_crimes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml"
 ],
 "tags": [
@@ -49386,8 +49549,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml"
 ],
 "tags": [
@@ -49454,8 +49617,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
 ],
 "tags": [
@@ -49512,8 +49675,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml"
 ],
 "tags": [
@@ -49582,8 +49745,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml"
 ],
 "tags": [
@@ -49616,8 +49779,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/mandiant/SharPersist",
 "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
+ "https://github.com/mandiant/SharPersist",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml"
 ],
 "tags": [
@@ -49724,8 +49887,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/3proxy/3proxy",
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml"
 ],
 "tags": [
@@ -49759,8 +49922,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.activecyber.us/activelabs/windows-uac-bypass",
- "https://twitter.com/ReaQta/status/1222548288731217921",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://twitter.com/ReaQta/status/1222548288731217921",
 "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
 ],
@@ -49795,9 +49958,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
 "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
- "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
 ],
 "tags": [
@@ -49956,8 +50119,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nsudo.m2team.org/en-us/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://nsudo.m2team.org/en-us/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml"
 ],
 "tags": [
@@ -50041,15 +50204,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://github.com/Neo23x0/Raccine#the-process",
 "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
- "https://github.com/Neo23x0/Raccine#the-process",
 "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"
 ],
 "tags": [
@@ -50091,8 +50254,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
 "Turla has used fsutil fsinfo drives to list connected drives.",
+ "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
 ],
 "tags": [
@@ -50159,11 +50322,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://man.openbsd.org/ssh_config#ProxyCommand",
 "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
- "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
- "https://man.openbsd.org/ssh_config#LocalCommand",
 "https://gtfobins.github.io/gtfobins/ssh/",
- "https://man.openbsd.org/ssh_config#ProxyCommand",
+ "https://man.openbsd.org/ssh_config#LocalCommand",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml"
 ],
 "tags": [
@@ -50196,8 +50359,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip.yml"
 ],
 "tags": [
@@ -50220,8 +50383,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
 "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml"
 ],
 "tags": [
@@ -50362,9 +50525,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
 ],
 "tags": [
@@ -50388,9 +50551,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://isc.sans.edu/diary/22264",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
 ],
 "tags": [
@@ -50433,10 +50596,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://twitter.com/Max_Mal_/status/1633863678909874176",
 "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
+ "https://twitter.com/Max_Mal_/status/1633863678909874176",
 "https://twitter.com/_JohnHammond/status/1588155401752788994",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml"
 ],
 "tags": [
@@ -50610,13 +50773,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+ "https://twitter.com/CyberRaiju/status/1251492025678983169",
 "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
 "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
 "https://www.cobaltstrike.com/help-opsec",
- "https://twitter.com/CyberRaiju/status/1251492025678983169",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml"
 ],
 "tags": [
@@ -50649,10 +50812,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://twitter.com/egre55/status/1087685529016193025",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://twitter.com/egre55/status/1087685529016193025",
 "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml"
 ],
@@ -50852,8 +51015,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/decoder-it/LocalPotato",
 "https://www.localpotato.com/localpotato_html/LocalPotato.html",
+ "https://github.com/decoder-it/LocalPotato",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml"
 ],
 "tags": [
@@ -50878,8 +51041,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sensepost/impersonate",
 "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
+ "https://github.com/sensepost/impersonate",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml"
 ],
 "tags": [
@@ -51014,9 +51177,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
 "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml"
 ],
 "tags": [
@@ -51084,8 +51247,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
- "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
+ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"
 ],
 "tags": [
@@ -51152,8 +51315,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
 "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
+ "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
 ],
 "tags": [
@@ -51187,9 +51350,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
 ],
 "tags": [
@@ -51245,8 +51408,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cglyer/status/1183756892952248325",
 "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
+ "https://twitter.com/cglyer/status/1183756892952248325",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml"
 ],
 "tags": [
@@ -51312,9 +51475,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
- "https://twitter.com/_st0pp3r_/status/1583914515996897281",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
 ],
 "tags": [
@@ -51426,8 +51589,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"
 ],
 "tags": [
@@ -51540,9 +51703,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/samratashok/ADModule",
- "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
+ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://github.com/samratashok/ADModule",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml"
 ],
 "tags": [
@@ -51645,10 +51808,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
 "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
 "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
 ],
 "tags": [
@@ -51933,8 +52096,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
 "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml"
 ],
 "tags": [
@@ -52036,8 +52199,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
 "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
+ "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml"
 ],
 "tags": [
@@ -52079,9 +52242,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://www.poweradmin.com/paexec/",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml"
 ],
 "tags": [
@@ -52149,8 +52312,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/",
 "https://www.echotrail.io/insights/search/defaultpack.exe",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml"
 ],
 "tags": [
@@ -52184,10 +52347,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
 "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html",
 "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
- "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml"
 ],
 "tags": [
@@ -52221,8 +52384,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/1082851155481288706",
 "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03",
+ "https://twitter.com/JohnLaTwC/status/1082851155481288706",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml"
 ],
 "tags": [
@@ -52321,9 +52484,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
 "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
 "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
+ "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml"
 ],
 "tags": [
@@ -52390,8 +52553,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive",
 "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool",
+ "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml"
 ],
 "tags": [
@@ -52425,8 +52588,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://twitter.com/ForensicITGuy/status/1334734244120309760",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
 ],
@@ -52477,10 +52640,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
 "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
- "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
+ "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
 "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
+ "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"
 ],
 "tags": [
@@ -52603,9 +52766,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml"
 ],
 "tags": [
@@ -52849,9 +53012,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
 "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"
 ],
@@ -52937,8 +53100,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://tools.thehacker.recipes/mimikatz/modules",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml"
 ],
 "tags": [
@@ -53070,9 +53233,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
 "https://twitter.com/Hexacorn/status/1420053502554951689",
+ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml"
 ],
 "tags": [
@@ -53113,8 +53276,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
 "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866",
+ "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml"
 ],
 "tags": [
@@ -53156,8 +53319,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
+ "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml"
 ],
 "tags": [
@@ -53192,8 +53355,8 @@
 "refs": [
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
- "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
+ "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml"
 ],
@@ -53271,8 +53434,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
 "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml"
 ],
 "tags": [
@@ -53338,13 +53501,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
- "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
 "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
- "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml"
 ],
 "tags": [
@@ -53377,10 +53540,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://isc.sans.edu/diary/22264",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
 ],
 "tags": [
@@ -53456,9 +53619,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
- "https://github.com/electron/rcedit",
 "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe",
+ "https://github.com/electron/rcedit",
+ "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml"
 ],
 "tags": [
@@ -53516,9 +53679,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
 "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
 "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
+ "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
 ],
 "tags": [
@@ -53586,8 +53749,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml"
 ],
 "tags": [
@@ -53620,9 +53783,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
 "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
 "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey",
- "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
 ],
 "tags": [
@@ -53706,10 +53869,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://isc.sans.edu/diary/22264",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
 ],
 "tags": [
@@ -53930,9 +54093,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://isc.sans.edu/diary/22264",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml"
 ],
 "tags": [
@@ -53975,8 +54138,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1534916659676422152",
 "https://twitter.com/nas_bench/status/1534915321856917506",
+ "https://twitter.com/nas_bench/status/1534916659676422152",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml"
 ],
@@ -54202,10 +54365,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/nas_bench/status/1537896324837781506",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
- "https://twitter.com/nas_bench/status/1537896324837781506",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml"
 ],
 "tags": [
@@ -54238,12 +54401,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
- "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
+ "https://positive.security/blog/ms-officecmd-rce",
 "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
- "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
+ "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
 "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
- "https://positive.security/blog/ms-officecmd-rce",
+ "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml"
 ],
 "tags": [
@@ -54381,8 +54544,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
 "https://github.com/outflanknl/Dumpert",
+ "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml"
 ],
 "tags": [
@@ -54415,10 +54578,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
- "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml"
 ],
 "tags": [
@@ -54600,9 +54763,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/1196390321783025666",
 "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://twitter.com/mattifestation/status/1196390321783025666",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
 ],
 "tags": [
@@ -54644,8 +54807,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
 "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
 "https://redcanary.com/threat-detection-report/threats/qbot/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml"
 ],
@@ -54679,8 +54842,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml"
 ],
@@ -54738,10 +54901,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
- "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml"
 ],
 "tags": [
@@ -55028,8 +55191,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
 "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
+ "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml"
 ],
 "tags": [
@@ -55113,8 +55276,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
 "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing",
+ "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml"
 ],
 "tags": [
@@ -55148,8 +55311,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
- "https://www.gpg4win.de/documentation.html",
 "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://www.gpg4win.de/documentation.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml"
 ],
 "tags": [
@@ -55287,8 +55450,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
 "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml"
 ],
 "tags": [
@@ -55354,8 +55517,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.radmin.fr/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md",
+ "https://www.radmin.fr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"
 ],
 "tags": [
@@ -55423,9 +55586,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/defaultnamehere/cookie_crimes/",
- "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
 "https://github.com/wunderwuzzi23/firefox-cookiemonster",
 "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
+ "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml"
 ],
 "tags": [
@@ -55458,8 +55621,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", "https://twitter.com/0gtweet/status/1474899714290208777?s=12", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml" ], "tags": [ @@ -55525,8 +55688,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/blackorbird/status/1140519090961825792", "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", + "https://twitter.com/blackorbird/status/1140519090961825792", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" ], "tags": [ @@ -55559,10 +55722,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", - "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", + "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", + "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" ], "tags": [ 
@@ -55628,8 +55791,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml" ], "tags": [ @@ -55795,8 +55958,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" ], "tags": [ @@ -55862,9 +56025,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://twitter.com/RedDrip7/status/1506480588827467785", - "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" ], "tags": [ 
@@ -56006,8 +56169,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/", "https://github.com/LOLBAS-Project/LOLBAS/pull/180", + "https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml" ], "tags": [ @@ -56040,9 +56203,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://redcanary.com/blog/child-processes/", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ @@ -56117,8 +56280,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", + "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml" ], "tags": [ 
@@ -56151,8 +56314,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml" ], "tags": [ @@ -56337,8 +56500,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", + "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml" ], "tags": [ @@ -56441,8 +56604,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml" ], "tags": [ @@ -56533,8 +56696,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.d7xtech.com/free-software/runx/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.d7xtech.com/free-software/runx/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml" ], "tags": [ 
@@ -56568,8 +56731,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", "https://twitter.com/mrd0x/status/1511415432888131586", + "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" @@ -56646,9 +56809,9 @@ "logsource.product": "windows", "refs": [ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", - "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", + "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], @@ -56797,9 +56960,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://attack.mitre.org/software/S0404/", "https://twitter.com/vxunderground/status/1423336151860002816", + "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml" ], "tags": [ 
@@ -56917,8 +57080,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nsudo.m2team.org/en-us/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://nsudo.m2team.org/en-us/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml" ], "tags": [ @@ -56985,8 +57148,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -57019,8 +57182,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1182389676876980224", "https://twitter.com/cglyer/status/1182391019633029120", + "https://twitter.com/cglyer/status/1182389676876980224", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" ], "tags": [ 
@@ -57200,14 +57363,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://twitter.com/Hexacorn/status/776122138063409152", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://github.com/SigmaHQ/sigma/issues/3742", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ @@ -57249,8 +57412,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", + "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml" ], "tags": [ 
@@ -57384,8 +57547,8 @@ "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ @@ -57461,8 +57624,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" ], "tags": [ 
@@ -57529,9 +57692,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/frack113/status/1555830623633375232", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" ], "tags": [ @@ -57654,8 +57817,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" ], "tags": [ @@ -57678,13 +57841,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/shantanukhande/status/1229348874298388484", "https://twitter.com/Wietze/status/1542107456507203586", "https://twitter.com/Hexacorn/status/1224848930795552769", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", - "https://twitter.com/SBousseaden/status/1167417096374050817", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/SBousseaden/status/1167417096374050817", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], "tags": [ 
@@ -57760,8 +57923,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml" ], "tags": [ @@ -57796,10 +57959,10 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://twitter.com/christophetd/status/1164506034720952320", "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://twitter.com/christophetd/status/1164506034720952320", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ 
@@ -57900,11 +58063,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], @@ -57946,8 +58109,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml" ], "tags": [ 
@@ -58020,10 +58183,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", - "https://twitter.com/eral4m/status/1479080793003671557", "https://twitter.com/Hexacorn/status/885258886428725250", "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://twitter.com/eral4m/status/1479080793003671557", "https://twitter.com/nas_bench/status/1433344116071583746", "https://twitter.com/eral4m/status/1479106975967240209", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" @@ -58126,9 +58289,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" ], "tags": [ @@ -58229,8 +58392,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_st0pp3r_/status/1560072680887525378", "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://twitter.com/_st0pp3r_/status/1560072680887525378", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml" ], "tags": [ 
@@ -58409,9 +58572,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" ], "tags": [ @@ -58638,8 +58801,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://twitter.com/mrd0x/status/1463526834918854661", + "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml" ], "tags": [ @@ -58674,8 +58837,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://twitter.com/lefterispan/status/1286259016436514816", "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/lefterispan/status/1286259016436514816", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml" ], 
@@ -58709,11 +58872,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyberwar_15/status/1187287262054076416", - "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://en.wikipedia.org/wiki/Hangul_(word_processor)", "https://blog.alyac.co.kr/1901", + "https://twitter.com/cyberwar_15/status/1187287262054076416", "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", + "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], "tags": [ @@ -58898,8 +59061,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], "tags": [ 
@@ -58955,9 +59118,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://twitter.com/nas_bench/status/1534957360032120833", "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml" ], "tags": [ @@ -59041,8 +59204,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cw1997/NATBypass", "https://github.com/HiwinCN/HTran", + "https://github.com/cw1997/NATBypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml" ], "tags": [ @@ -59076,9 +59239,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.nirsoft.net/utils/nircmd2.html#using", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd2.html#using", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], "tags": [ 
@@ -59244,8 +59407,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", + "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml" ], "tags": [ @@ -59278,8 +59441,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1674399582162153472", "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", + "https://twitter.com/0gtweet/status/1674399582162153472", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml" ], "tags": [ @@ -59378,8 +59541,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", + "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml" ], "tags": [ 
@@ -59412,9 +59575,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" ], "tags": [ @@ -59438,9 +59601,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml" ], "tags": [ @@ -59723,9 +59886,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", + "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml" ], "tags": [ 
@@ -59826,8 +59989,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/nao_sec/status/1530196847679401984", - "https://twitter.com/_JohnHammond/status/1531672601067675648", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/_JohnHammond/status/1531672601067675648", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], "tags": [ @@ -60206,13 +60369,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.joeware.net/freetools/tools/adfind/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" ], "tags": [ 
@@ -60269,8 +60432,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/carlospolop/PEASS-ng", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", + "https://github.com/carlospolop/PEASS-ng", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml" ], "tags": [ @@ -60319,8 +60482,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml" ], "tags": [ @@ -60422,8 +60585,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml" ], "tags": [ 
@@ -60456,10 +60619,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", + "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", + "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", - "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], "tags": [ @@ -60492,9 +60655,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", - "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" ], "tags": [ 
@@ -60645,8 +60808,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" ], @@ -60781,8 +60944,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", + "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml" ], "tags": [ @@ -60840,8 +61003,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/PhilipTsukerman/status/992021361106268161", "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", + "https://twitter.com/PhilipTsukerman/status/992021361106268161", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml" ], "tags": [ 
@@ -60874,8 +61037,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core", + "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml" ], "tags": [ @@ -60908,10 +61071,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", - "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", + "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", + "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ 
@@ -61002,8 +61165,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml" ], @@ -61049,8 +61212,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", + "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" ], "tags": [ @@ -61217,9 +61380,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", - "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" ], "tags": [ 
@@ -61286,6 +61449,43 @@
 "uuid": "4782eb5a-a513-4523-a0ac-f3082b26ac5c",
 "value": "Mshtml DLL RunHTMLApplication Abuse"
 },
+ {
+ "description": "Detects command line containing reference to the \"::$index_allocation\" stream, which can be used as a technique to prevent access to folders or files from tooling such as \"explorer.exe\" or \"powershell.exe\"\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)",
+ "creation_date": "2023/10/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_susp_hidden_dir_index_allocation.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
+ "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/",
+ "https://twitter.com/pfiatde/status/1681977680688738305",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
+ "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "0900463c-b33b-49a8-be1d-552a3b553dae",
+ "value": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI"
+ },
 {
 "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.",
 "meta": {
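Review bot: The description of the added entry names the trigger string `"::$index_allocation"` but never says why that string hides a directory, so an analyst triaging a hit has to read the refs to understand the alert. According to the MS-FSCC and soroush.me references listed in the same entry, `$INDEX_ALLOCATION` is the NTFS attribute type that backs a directory index, and creating a directory with that suffix (e.g. `...::$INDEX_ALLOCATION`) yields a directory that explorer.exe and powershell.exe cannot list or remove, which is the evasion the rule is after. I would extend the description to: `Detects command lines referencing the NTFS \"::$INDEX_ALLOCATION\" attribute type suffix. Creating a directory this way (e.g. \"...::$INDEX_ALLOCATION\") produces a folder that explorer.exe and powershell.exe cannot browse or delete, which attackers use to hide tooling (T1564.004).` The `- CLI` suffix in the value suggests a sibling rule on a different log source; if one exists, a pointer to it in the description would help analysts pivot from a process-creation hit to the file-system evidence.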
@@ -61441,10 +61641,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://twitter.com/egre55/status/1087685529016193025", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://twitter.com/egre55/status/1087685529016193025", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], 
@@ -61531,6 +61731,41 @@
 "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d",
 "value": "HackTool - Mimikatz Execution"
 },
+ {
+ "description": "Detects the use of CoercedPotato, a tool for privilege escalation",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2023/10/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_hktl_coercedpotato.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/hackvens/CoercedPotato",
+ "https://blog.hackvens.fr/articles/CoercedPotato.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1055"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e8d34729-86a4-4140-adfd-0a29c2106307",
+ "value": "HackTool - CoercedPotato Execution"
+ },
 {
 "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0",
 "meta": {
@@ -61544,8 +61779,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-",
 "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/",
+ "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml"
 ],
 "tags": [
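Review bot: The ATT&CK mapping on the added CoercedPotato entry (`"attack.t1055"` plus a related dest-uuid for Process Injection) does not match what the tool does: like the rest of the Potato family described in the linked hackvens references, it coerces a privileged service over RPC and impersonates the returned token by abusing SeImpersonatePrivilege, which ATT&CK files under T1134.001 (Token Impersonation/Theft) rather than process injection. I would replace the technique tag with `"attack.t1134.001"` and point the related entry at the corresponding ATT&CK object, or at least add T1134.001 alongside T1055 if the upstream Sigma rule is being mirrored as-is. The one-line description `Detects the use of CoercedPotato, a tool for privilege escalation` is also thinner than the neighbouring HackTool entries; naming the mechanism (RPC coercion followed by token impersonation) and its precondition (the caller holds SeImpersonatePrivilege, typical of IIS and database service accounts) would let an analyst judge whether a hit on a given host is plausible. Since the rule logic itself is not visible in this cluster and falsepositive is `Unknown`, a short note on what the rule keys on would further help tuning.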
@@ -61679,9 +61914,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml" ], "tags": [ @@ -61815,9 +62050,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml" ], "tags": [ @@ -61953,8 +62188,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1359039665232306183?s=21", "https://ss64.com/nt/logman.html", + "https://twitter.com/0gtweet/status/1359039665232306183?s=21", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml" ], "tags": [ 
@@ -61996,9 +62231,9 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://twitter.com/cglyer/status/1355171195654709249", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], @@ -62032,8 +62267,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/frgnca/AudioDeviceCmdlets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" ], 
@@ -62067,9 +62302,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -62102,9 +62337,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://nodejs.org/api/cli.html", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], 
@@ -62138,9 +62373,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", - "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ @@ -62207,8 +62442,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", + "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" ], "tags": [ @@ -62274,8 +62509,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml" ], "tags": [ 
@@ -62447,13 +62682,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", + "https://positive.security/blog/ms-officecmd-rce", + "https://github.com/mttaggart/quasar", + "https://lolbas-project.github.io/lolbas/Binaries/Teams/", "https://taggart-tech.com/quasar-electron/", + "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", - "https://lolbas-project.github.io/lolbas/Binaries/Teams/", - "https://github.com/mttaggart/quasar", - "https://positive.security/blog/ms-officecmd-rce", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" ], "tags": [ @@ -62552,9 +62787,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://www.xuetr.com/", "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", - "http://www.xuetr.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml" ], "tags": [ @@ -62870,8 +63105,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/", "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", + "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml" ], "tags": [ 
@@ -62904,9 +63139,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml" ], "tags": [ @@ -62947,9 +63182,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", "https://twitter.com/pabraeken/status/990758590020452353", + "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], "tags": [ @@ -63122,8 +63357,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml" ], "tags": [ 
@@ -63179,9 +63414,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], "tags": [ @@ -63204,10 +63439,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", "https://twitter.com/0gtweet/status/1299071304805560321?s=21", - "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", + "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml" ], "tags": [ @@ -63240,10 +63475,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" ], "tags": [ 
@@ -63309,9 +63544,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://en.wikipedia.org/wiki/HTML_Application", "https://www.echotrail.io/insights/search/mshta.exe", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], "tags": [ @@ -63346,8 +63581,8 @@ "refs": [ "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" ], "tags": [ 
@@ -63382,11 +63617,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", - "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://twitter.com/gN3mes1s/status/1206874118282448897", "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", + "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml" ], "tags": [ @@ -63461,8 +63696,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/eral4m/status/1451112385041911809", "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", + "https://twitter.com/eral4m/status/1451112385041911809", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml" ], "tags": [ 
@@ -63495,9 +63730,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.nirsoft.net/utils/nircmd2.html#using", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd2.html#using", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], "tags": [ @@ -63720,8 +63955,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" ], "tags": [ @@ -63754,8 +63989,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml" ], "tags": [ 
@@ -63854,8 +64089,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", + "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml" ], "tags": [ @@ -64023,11 +64258,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", - "https://twitter.com/max_mal_/status/1542461200797163522", - "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", + "https://twitter.com/max_mal_/status/1542461200797163522", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" ], "tags": [ 
@@ -64093,13 +64328,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], "tags": [ 
@@ -64242,9 +64477,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.intrinsec.com/apt27-analysis/", - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ @@ -64436,8 +64671,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], @@ -64472,8 +64707,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1461041276514623491", - "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://twitter.com/tccontre18/status/1480950986650832903", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml" ], "tags": [ 
@@ -64506,8 +64741,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", + "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml" ], "tags": [ @@ -64541,10 +64776,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml" ], "tags": [ @@ -64653,9 +64888,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/frack113/status/1555830623633375232", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" ], "tags": [ 
@@ -64689,11 +64924,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
- "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
- "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
- "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
+ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
+ "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"
 ],
 "tags": [
@@ -64835,8 +65070,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml"
 ],
 "tags": [
@@ -64927,9 +65162,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/cloudflare/cloudflared",
 "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps",
 "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group",
- "https://github.com/cloudflare/cloudflared",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml"
 ],
 "tags": [
@@ -64980,10 +65215,10 @@
 "refs": [
 "https://twitter.com/JohnLaTwC/status/835149808817991680",
 "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml"
 ],
 "tags": [
@@ -65017,9 +65252,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
- "https://github.com/antonioCoco/RogueWinRM",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://github.com/antonioCoco/RogueWinRM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
 ],
 "tags": [
@@ -65052,8 +65287,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://o365blog.com/aadinternals/",
 "https://github.com/Gerenios/AADInternals",
+ "https://o365blog.com/aadinternals/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml"
 ],
 "tags": [
@@ -65114,9 +65349,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
 "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
 "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml"
 ],
 "tags": [
@@ -65149,8 +65384,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect",
 "https://twitter.com/bohops/status/1635288066909966338",
+ "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml"
 ],
 "tags": [
@@ -65183,8 +65418,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
 "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
+ "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
 ],
@@ -65295,8 +65530,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
 "https://github.com/malcomvetter/CSExec",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml"
 ],
 "tags": [
@@ -65411,8 +65646,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1535431474429808642",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
+ "https://twitter.com/nas_bench/status/1535431474429808642",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml"
 ],
 "tags": [
@@ -65454,8 +65689,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml"
 ],
 "tags": [
@@ -65624,8 +65859,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml"
 ],
 "tags": [
@@ -65659,8 +65894,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml"
 ],
 "tags": [
@@ -65693,9 +65928,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
- "https://github.com/fireeye/DueDLLigence",
 "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
+ "https://github.com/fireeye/DueDLLigence",
+ "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
 ],
 "tags": [
@@ -65947,8 +66182,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml"
 ],
 "tags": [
@@ -66015,8 +66250,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml"
 ],
 "tags": [
@@ -66107,10 +66342,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
 "https://atomicredteam.io/defense-evasion/T1220/",
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
+ "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
 "https://twitter.com/mattifestation/status/986280382042595328",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"
 ],
 "tags": [
@@ -66235,8 +66470,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
 "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml"
 ],
 "tags": [
@@ -66292,10 +66527,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
 "https://twitter.com/JohnLaTwC/status/1415295021041979392",
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
 "https://vms.drweb.fr/virus/?i=24144899",
+ "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml"
 ],
 "tags": [
@@ -66328,8 +66563,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
 "https://sourceforge.net/projects/mouselock/",
+ "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml"
 ],
 "tags": [
@@ -66457,8 +66692,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"
 ],
 "tags": [
@@ -66483,8 +66718,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
- "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
 "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors",
+ "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml"
 ],
 "tags": [
@@ -66690,8 +66925,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
 "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
+ "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
 ],
 "tags": [
@@ -66854,10 +67089,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml"
 ],
 "tags": [
@@ -66892,10 +67127,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
 "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
- "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
 "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
 ],
 "tags": [
@@ -66962,12 +67197,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/helpsystems/nanodump",
- "https://github.com/Hackndo/lsassy",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
 "https://github.com/CCob/MirrorDump",
- "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
 "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
+ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://github.com/helpsystems/nanodump",
+ "https://github.com/Hackndo/lsassy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"
 ],
 "tags": [
@@ -67143,9 +67378,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
 "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"
 ],
 "tags": [
@@ -67178,10 +67413,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
 "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml"
 ],
 "tags": [
@@ -67247,8 +67482,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
+ "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
 "https://twitter.com/_felamos/status/1204705548668555264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml"
 ],
@@ -67351,8 +67586,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/harleyQu1nn/AggressorScripts",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml"
 ],
 "tags": [
@@ -67471,8 +67706,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
- "https://twitter.com/lefterispan/status/1286259016436514816",
 "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+ "https://twitter.com/lefterispan/status/1286259016436514816",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml"
 ],
@@ -67573,10 +67808,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
 "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
 "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml"
 ],
 "tags": [
@@ -67789,9 +68024,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
- "https://twitter.com/bohops/status/1477717351017680899?s=12",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
+ "https://twitter.com/bohops/status/1477717351017680899?s=12",
+ "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
 ],
 "tags": [
@@ -67814,9 +68049,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1564968845726580736",
 "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
+ "https://twitter.com/0gtweet/status/1564968845726580736",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
 ],
 "tags": [
@@ -67858,17 +68093,17 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
 "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
 "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
 "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
 "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml"
 ],
 "tags": [
@@ -68055,11 +68290,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
 "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
+ "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/",
 "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/",
- "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
 "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
- "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml"
 ],
 "tags": [
@@ -68160,8 +68395,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"
 ],
 "tags": [
@@ -68194,8 +68429,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vysecurity/status/977198418354491392",
 "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
+ "https://twitter.com/vysecurity/status/977198418354491392",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml"
 ],
 "tags": [
@@ -68278,10 +68513,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml"
 ],
 "tags": [
@@ -68314,10 +68549,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
- "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
 "https://pentestlab.blog/2017/04/13/hot-potato/",
 "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
+ "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
 "https://github.com/ohpe/juicy-potato",
 "https://www.localpotato.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"
@@ -68426,8 +68661,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w",
 "https://www.autoitscript.com/site/",
+ "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml"
 ],
 "tags": [
@@ -68460,11 +68695,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://twitter.com/0gtweet/status/1628720819537936386",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://twitter.com/0gtweet/status/1628720819537936386",
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
 ],
 "tags": [
@@ -68659,8 +68894,8 @@
 "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
 "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
 "http://blog.sevagas.com/?Hacking-around-HTA-files",
- "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
 "https://twitter.com/mattifestation/status/1326228491302563846",
+ "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"
 ],
 "tags": [
@@ -68804,8 +69039,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml"
 ],
 "tags": [
@@ -68905,8 +69140,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/wpbbin.html",
 "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
+ "https://persistence-info.github.io/Data/wpbbin.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml"
 ],
 "tags": [
@@ -69007,8 +69242,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml"
 ],
 "tags": [
@@ -69068,8 +69303,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"
 ],
 "tags": [
@@ -69102,8 +69337,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml"
 ],
 "tags": [
@@ -69137,8 +69372,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
- "https://twitter.com/pabraeken/status/990717080805789697",
 "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
+ "https://twitter.com/pabraeken/status/990717080805789697",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"
 ],
 "tags": [
@@ -69171,9 +69406,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
 "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
+ "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"
 ],
 "tags": [
@@ -69272,9 +69507,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://www.poweradmin.com/paexec/",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml"
 ],
 "tags": [
@@ -69502,8 +69737,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/quarkslab/quarkspwdump",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
+ "https://github.com/quarkslab/quarkspwdump",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml"
 ],
 "tags": [
@@ -69949,9 +70184,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
- "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
+ "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
 ],
 "tags": [
@@ -69984,8 +70219,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules",
 "https://ss64.com/nt/netsh.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml"
 ],
 "tags": [
@@ -70018,8 +70253,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cube0x0",
 "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
+ "https://github.com/cube0x0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml"
 ],
 "tags": [
@@ -70159,8 +70394,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml"
 ],
@@ -70194,9 +70429,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
 "https://github.com/sensepost/ruler",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml"
 ],
 "tags": [
@@ -70237,10 +70472,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
 "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
 "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/",
 "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/",
- "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
 "https://twitter.com/aceresponder/status/1636116096506818562",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml"
 ],
@@ -70275,8 +70510,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1618021838407495681",
 "https://twitter.com/nas_bench/status/1618021415852335105",
+ "https://twitter.com/nas_bench/status/1618021838407495681",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml"
 ],
 "tags": [
@@ -70463,8 +70698,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vysecurity/status/974806438316072960",
 "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
+ "https://twitter.com/vysecurity/status/974806438316072960",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
 "https://twitter.com/vysecurity/status/873181705024266241",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
@@ -70574,8 +70809,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml"
 ],
 "tags": [
@@ -70641,9 +70876,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
- "https://github.com/tevora-threat/SharpView/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
+ "https://github.com/tevora-threat/SharpView/",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"
 ],
 "tags": [
@@ -70708,9 +70943,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
 "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://github.com/hfiref0x/UACME",
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
 ],
 "tags": [
@@ -70777,8 +71012,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"
 ],
 "tags": [
@@ -70853,9 +71088,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/",
 "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml"
 ],
 "tags": [
@@ -70930,9 +71165,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.revshells.com/",
 "https://nmap.org/ncat/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
- "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml"
 ],
 "tags": [
@@ -70965,10 +71200,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://twitter.com/egre55/status/1087685529016193025",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://twitter.com/egre55/status/1087685529016193025",
 "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"
 ],
@@ -71002,8 +71237,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml"
 ],
 "tags": [
@@ -71036,8 +71271,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
+ "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml"
 ],
 "tags": [
@@ -71071,8 +71306,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://ss64.com/nt/for.html",
- "https://ss64.com/ps/foreach-object.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://ss64.com/ps/foreach-object.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"
 ],
 "tags": [
@@ -71137,8 +71372,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"
 ],
 "tags": [
@@ -71304,8 +71539,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://h.43z.one/ipconverter/",
 "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+ "https://h.43z.one/ipconverter/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml"
 ],
 "tags": [
@@ -71362,8 +71597,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish",
 "http://www.irongeek.com/homoglyph-attack-generator.php",
+ "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml"
 ],
 "tags": [
@@ -71404,9 +71639,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
 "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2",
 "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
+ "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"
 ],
 "tags": [
@@ -71439,9 +71674,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd",
 "https://kb.acronis.com/content/60892",
 "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/",
- "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml"
 ],
 "tags": [
@@ -71487,8 +71722,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/10/08/ryuks-return/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml"
 ],
 "tags": [
@@ -71545,10 +71780,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
- "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml"
 ],
 "tags": [
@@ -71689,11 +71924,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
 "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
 ],
 "tags": [
@@ -72073,9 +72308,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/regsvr32.exe",
- "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo",
 "https://redcanary.com/blog/intelligence-insights-april-2022/",
+ "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo",
+ "https://www.echotrail.io/insights/search/regsvr32.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml"
 ],
 "tags": [
@@ -72109,8 +72344,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
- "https://www.scythe.io/library/threat-emulation-qakbot",
 "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://www.scythe.io/library/threat-emulation-qakbot",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml"
 ],
 "tags": [
@@ -72200,8 +72435,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml"
 ],
 "tags": [
@@ -72335,11 +72570,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://isc.sans.edu/diary/22264",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"
 ],
 "tags": [
@@ -72382,10 +72617,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
 "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
 "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
 ],
 "tags": [
@@ -72459,8 +72694,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml"
 ],
 "tags": [
@@ -72528,8 +72763,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://asec.ahnlab.com/en/39828/",
 "https://twitter.com/GelosSnake/status/934900723426439170",
+ "https://asec.ahnlab.com/en/39828/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml"
 ],
 "tags": [
@@ -72562,8 +72797,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"
 ],
 "tags": [
@@ -72697,8 +72932,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/shell/csidl",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military",
+ "https://learn.microsoft.com/en-us/windows/win32/shell/csidl",
 "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml"
 ],
@@ -72756,8 +72991,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/bohops/status/994405551751815170",
- "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
 "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
+ "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml"
 ],
 "tags": [
@@ -72814,8 +73049,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66",
+ "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml"
 ],
 "tags": [
@@ -72922,8 +73157,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml"
 ],
 "tags": [
@@ -73169,9 +73404,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://youtu.be/5mqid-7zp8k?t=2481",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml"
 ],
 "tags": [
@@ -73297,8 +73532,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml"
 ],
 "tags": [
@@ -73385,8 +73620,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
- "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
 "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
+ "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
 ],
 "tags": [
@@ -73419,8 +73654,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
 "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
 ],
 "tags": [
@@ -73585,8 +73820,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
 "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml"
 ],
 "tags": [
@@ -73619,8 +73854,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml"
 ],
@@ -73654,8 +73889,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://twitter.com/_st0pp3r_/status/1583914515996897281",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
 ],
@@ -73757,9 +73992,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
- "https://www.exploit-db.com/exploits/37525",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
+ "https://www.exploit-db.com/exploits/37525",
+ "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
 ],
 "tags": [
@@ -73911,8 +74146,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml"
 ],
 "tags": [
@@ -74076,8 +74311,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cobaltstrike.com/help-opsec",
 "https://twitter.com/ber_m1ng/status/1397948048135778309",
+ "https://www.cobaltstrike.com/help-opsec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml"
 ],
 "tags": [
@@ -74154,11 +74389,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
 "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
 "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
 "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
 ],
 "tags": [
@@ -74233,10 +74468,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"
 ],
@@ -74270,9 +74505,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
- "https://abuse.io/lockergoga.txt",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://abuse.io/lockergoga.txt",
+ "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml"
 ],
 "tags": [
@@ -74415,9 +74650,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/SigmaHQ/sigma/issues/1009",
 "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
 "https://redcanary.com/blog/raspberry-robin/",
- "https://github.com/SigmaHQ/sigma/issues/1009",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml"
 ],
 "tags": [
@@ -74607,8 +74842,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml"
 ],
 "tags": [
@@ -74675,8 +74910,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/",
 "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/",
+ "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml"
 ],
 "tags": [
@@ -74743,9 +74978,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
- "https://github.com/binderlabs/DirCreate2System",
 "https://www.echotrail.io/insights/search/wermgr.exe",
+ "https://github.com/binderlabs/DirCreate2System",
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml"
 ],
 "tags": [
@@ -74809,9 +75044,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
- "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml"
 ],
 "tags": [
@@ -74846,8 +75081,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml"
 ],
 "tags": [
@@ -74893,9 +75128,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml"
 ],
 "tags": [
@@ -74993,8 +75228,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
 "https://twitter.com/pabraeken/status/993298228840992768",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml"
 ],
 "tags": [
@@ -75036,8 +75271,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
 "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
+ "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml"
 ],
 "tags": [
@@ -75119,9 +75354,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml"
 ],
 "tags": [
@@ -75221,24 +75456,24 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/samratashok/nishang",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/adrecon/ADRecon",
 "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/adrecon/ADRecon",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/besimorhino/powercat",
- "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/calebstewart/CVE-2021-1675",
 "https://adsecurity.org/?p=2921",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/Kevin-Robertson/Powermad",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
 ],
 "tags": [
@@ -75361,8 +75596,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://twitter.com/_st0pp3r_/status/1583914244344799235",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
 ],
@@ -75396,9 +75631,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
- "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
 "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/",
+ "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml"
 ],
 "tags": [
@@ -75473,8 +75708,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
 "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml"
 ],
 "tags": [
@@ -75524,8 +75759,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
+ "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"
 ],
 "tags": [
@@ -75558,8 +75793,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml"
 ],
 "tags": [
@@ -75592,8 +75827,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"
 ],
 "tags": [
@@ -75768,8 +76003,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/mrd0x/status/1461041276514623491",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
 "https://twitter.com/tccontre18/status/1480950986650832903",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml"
 ],
 "tags": [
@@ -76253,9 +76488,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
 "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"
 ],
 "tags": [
@@ -76371,8 +76606,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
- "https://www.gpg4win.de/documentation.html",
 "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://www.gpg4win.de/documentation.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml"
 ],
 "tags": [
@@ -76395,10 +76630,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
 "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml"
 ],
 "tags": [
@@ -76522,9 +76757,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/blog/lnk-between-browsers",
 "https://emkc.org/s/RJjuLa",
 "https://redcanary.com/blog/chromeloader/",
+ "https://www.mandiant.com/resources/blog/lnk-between-browsers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml"
 ],
 "tags": [
@@ -76591,8 +76826,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/jpillora/chisel/",
 "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
+ "https://github.com/jpillora/chisel/",
 "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml"
 ],
@@ -76626,8 +76861,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
 "https://mobile.twitter.com/0gtweet/status/1564131230941122561",
+ "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml"
 ],
 "tags": [
@@ -76660,10 +76895,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/bohops/status/980659399495741441",
+ "https://twitter.com/JohnLaTwC/status/1223292479270600706",
 "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
- "https://twitter.com/JohnLaTwC/status/1223292479270600706",
- "https://twitter.com/bohops/status/980659399495741441",
 "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml"
 ],
@@ -76744,11 +76979,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
 "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
- "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
 "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml"
 ],
 "tags": [
@@ -76855,8 +77090,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
 "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml"
 ],
@@ -76890,9 +77125,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/993298228840992768",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
+ "https://twitter.com/pabraeken/status/993298228840992768",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
 ],
 "tags": [
@@ -76991,8 +77226,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml"
 ],
 "tags": [
@@ -77049,9 +77284,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
- "https://github.com/binderlabs/DirCreate2System",
 "https://www.echotrail.io/insights/search/wermgr.exe",
+ "https://github.com/binderlabs/DirCreate2System",
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml"
 ],
 "tags": [
@@ -77148,8 +77383,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
+ "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml"
 ],
@@ -77173,9 +77408,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
 "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml"
 ],
 "tags": [
@@ -77208,9 +77443,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/CyberRaiju/status/1273597319322058752",
 "https://twitter.com/bohops/status/1276357235954909188?s=12",
 "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
- "https://twitter.com/CyberRaiju/status/1273597319322058752",
 "https://twitter.com/nas_bench/status/1535322450858233858",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml"
 ],
@@ -77277,8 +77512,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
+ "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml"
 ],
 "tags": [
@@ -77451,8 +77686,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Print/",
 "https://twitter.com/Oddvarmoe/status/985518877076541440",
+ "https://lolbas-project.github.io/lolbas/Binaries/Print/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml"
 ],
 "tags": [
@@ -77519,8 +77754,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1550836225652686848",
 "https://persistence-info.github.io/Data/windowsterminalprofile.html",
+ "https://twitter.com/nas_bench/status/1550836225652686848",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"
 ],
 "tags": [
@@ -77544,8 +77779,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/BloodHoundAD/BloodHound",
 "https://github.com/BloodHoundAD/SharpHound",
+ "https://github.com/BloodHoundAD/BloodHound",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml"
 ],
 "tags": [
@@ -77686,13 +77921,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
+ "https://github.com/zcgonvh/NTDSDumpEx",
 "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://pentestlab.blog/tag/ntds-dit/",
- "https://github.com/zcgonvh/NTDSDumpEx",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
 "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
- "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
 ],
 "tags": [
@@ -77865,9 +78100,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
- "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
 "https://twitter.com/M_haggis/status/1699056847154725107",
 "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
+ "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml"
 ],
 "tags": [
@@ -77924,8 +78159,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/mklink.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
+ "https://ss64.com/nt/mklink.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml"
 ],
 "tags": [
@@ -78091,8 +78326,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
+ "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
 ],
 "tags": [
@@ -78184,8 +78419,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/991335019833708544",
 "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
+ "https://twitter.com/pabraeken/status/991335019833708544",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml"
 ],
 "tags": [
@@ -78284,9 +78519,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
 "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"
 ],
 "tags": [
@@ -78319,9 +78554,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml"
 ],
 "tags": [
@@ -78431,8 +78666,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
 "https://twitter.com/harr0ey/status/991670870384021504",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml"
 ],
 "tags": [
@@ -78507,9 +78742,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
 "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml"
 ],
 "tags": [
@@ -78552,8 +78787,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
 "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
+ "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml"
 ],
 "tags": [
@@ -78709,8 +78944,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5",
 "https://twitter.com/mrd0x/status/1463526834918854661",
+ "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml"
 ],
 "tags": [
@@ -78809,8 +79044,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1465058133303246867",
 "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps",
+ "https://twitter.com/mrd0x/status/1465058133303246867",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml"
 ],
 "tags": [
@@ -78953,8 +79188,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
 "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
 ],
 "tags": [
@@ -79101,8 +79336,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml"
 ],
 "tags": [
@@ -79214,8 +79449,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/msbuild.exe",
 "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/",
+ "https://www.echotrail.io/insights/search/msbuild.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml"
 ],
 "tags": [
@@ -79272,9 +79507,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
 "https://ss64.com/bash/rar.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml"
 ],
 "tags": [
@@ -79330,8 +79565,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Hexacorn/status/1224848930795552769",
 "http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/",
+ "https://twitter.com/Hexacorn/status/1224848930795552769",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml"
 ],
 "tags": [
@@ -79355,8 +79590,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
 "https://github.com/netero1010/TrustedPath-UACBypass-BOF",
+ "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml"
 ],
 "tags": [
@@ -79667,8 +79902,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
 "https://twitter.com/harr0ey/status/992008180904419328",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml"
 ],
 "tags": [
@@ -79734,8 +79969,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+ "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml"
 ],
 "tags": [
@@ -79911,8 +80146,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"
 ],
 "tags": [
@@ -80001,8 +80236,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
 "https://support.anydesk.com/Automatic_Deployment",
+ "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"
 ],
 "tags": [
@@ -80035,9 +80270,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
 "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
 "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
- "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
 "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml"
 ],
@@ -80071,8 +80306,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/rikvduijn/status/853251879320662017",
 "https://twitter.com/felixw3000/status/853354851128025088",
+ "https://twitter.com/rikvduijn/status/853251879320662017",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml"
 ],
 "tags": [
@@ -80105,8 +80340,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
+ "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml"
 ],
 "tags": [
@@ -80139,8 +80374,8 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619",
 "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619",
 "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml"
 ],
@@ -80198,8 +80433,8 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/mvelazco/status/1410291741241102338",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
+ "https://twitter.com/mvelazco/status/1410291741241102338",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
 ],
@@ -80266,9 +80501,9 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
 "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
 "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
 "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
 ],
@@ -80311,8 +80546,8 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
 "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml"
 ],
 "tags": [
@@ -80345,16 +80580,16 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
+ "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
 "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
- "https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
 "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
 "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
 "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+ "https://github.com/tennc/webshell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
 ],
 "tags": [
@@ -80388,11 +80623,11 @@
 "logsource.product": "No established product",
 "refs": [
 "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
+ "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
 "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
 "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
- "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
- "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
 "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
 ],
 "tags": [
@@ -80561,8 +80796,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml"
 ],
 "tags": [
@@ -80842,8 +81077,8 @@
 "logsource.product": "okta",
 "refs": [
 "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml"
 ],
 "tags": [
@@ -81021,7 +81256,7 @@
 "logsource.product": "m365",
 "refs": [
 "https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_disabling_mfa.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml"
 ],
 "tags": [
 "attack.persistence",
@@ -81040,6 +81275,77 @@
 "uuid": "60de9b57-dc4d-48b9-a6a0-b39e0469f876",
 "value": "Disabling Multi Factor Authentication"
 },
+ {
+ "description": "Detects the addition of a new Federated Domain.",
+ "meta": {
+ "author": "Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)",
+ "creation_date": "2023/09/18",
+ "falsepositive": [
+ "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider."
+ ],
+ "filename": "microsoft365_new_federated_domain_added_audit.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "m365",
+ "refs": [
+ "https://o365blog.com/post/aadbackdoor/",
+ "https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1136.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "58f88172-a73d-442b-94c9-95eaed3cbb36",
+ "value": "New Federated Domain Added"
+ },
+ {
+ "description": "Detects the addition of a new Federated Domain.",
+ "meta": {
+ "author": "Splunk Threat Research Team (original rule), '@ionsor (rule)'",
+ "creation_date": "2022/02/08",
+ "falsepositive": [
+ "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider."
+ ],
+ "filename": "microsoft365_new_federated_domain_added_exchange.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "m365",
+ "refs": [
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://www.sygnia.co/golden-saml-advisory",
+ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
+ "https://o365blog.com/post/aadbackdoor/",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1136.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339",
+ "value": "New Federated Domain Added - Exchange"
+ },
 {
 "description": "Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.",
 "meta": {
@@ -81053,9 +81359,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml"
 ],
 "tags": [
 "attack.command_and_control",
@@ -81087,9 +81393,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml"
 ],
 "tags": [
 "attack.exfiltration",
@@ -81108,40 +81414,6 @@
 "uuid": "2b669496-d215-47d8-bd9a-f4a45bf07cda",
 "value": "Data Exfiltration to Unsanctioned Apps"
 },
- {
- "description": "Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.\nThese IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.\n",
- "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/08/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "microsoft365_from_susp_ip_addresses.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "m365",
- "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1573"
- ]
- },
- "related": [
- {
- "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a3501e8e-af9e-43c6-8cd6-9360bdaae498",
- "value": "Activity from Suspicious IP Addresses"
- },
 {
 "description": "Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.",
 "meta": {
@@ -81155,9 +81427,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml"
 ],
 "tags": [
 "attack.exfiltration",
@@ -81189,9 +81461,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml"
 ],
 "tags": [
 "attack.impact"
@@ -81200,43 +81472,6 @@
 "uuid": "2e669ed8-742e-4fe5-b3c4-5a59b486c2ee",
 "value": "Activity Performed by Terminated User"
 },
- {
- "description": "Detects the addition of a new Federated Domain.",
- "meta": {
- "author": "Splunk Threat Research Team (original rule), '@ionsor (rule)'",
- "creation_date": "2022/02/08",
- "falsepositive": [
- "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider."
- ],
- "filename": "microsoft365_new_federated_domain_added_exchange.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "m365",
- "refs": [
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
- "https://o365blog.com/post/aadbackdoor/",
- "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
- "https://www.sygnia.co/golden-saml-advisory",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added_exchange.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1136.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339",
- "value": "New Federated Domain Added - Exchange"
- },
 {
 "description": "Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.",
 "meta": {
@@ -81250,9 +81485,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml"
 ],
 "tags": [
 "attack.initial_access",
@@ -81285,7 +81520,7 @@
 "logsource.product": "m365",
 "refs": [
 "https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml"
 ],
 "tags": [
 "attack.collection",
@@ -81317,9 +81552,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml"
 ],
 "tags": [
 "attack.impact",
@@ -81351,9 +81586,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml"
 ],
 "tags": [
 "attack.initial_access",
@@ -81385,9 +81620,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml"
 ],
 "tags": [
 "attack.exfiltration"
@@ -81409,9 +81644,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml"
 ],
 "tags": [
 "attack.initial_access",
@@ -81443,9 +81678,9 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml"
 ],
 "tags": [
 "attack.impact",
@@ -81465,88 +81700,88 @@
 "value": "Microsoft 365 - Potential Ransomware Activity"
 },
 {
- "description": "Detects the addition of a new Federated Domain.",
+ "description": "Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content",
 "meta": {
- "author": "Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)",
- "creation_date": "2023/09/18",
+ "author": "Sorina Ionescu",
+ "creation_date": "2022/02/08",
 "falsepositive": [
- "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider."
+ "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored."
 ],
- "filename": "microsoft365_new_federated_domain_added_audit.yml",
+ "filename": "microsoft365_pst_export_alert.yml",
 "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://o365blog.com/post/aadbackdoor/",
- "https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added_audit.yml"
+ "https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1136.003"
+ "attack.collection",
+ "attack.t1114"
 ]
 },
 "related": [
 {
- "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "58f88172-a73d-442b-94c9-95eaed3cbb36",
- "value": "New Federated Domain Added"
+ "uuid": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0",
+ "value": "PST Export Alert Using eDiscovery Alert"
 },
 {
- "description": "Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content",
+ "description": "Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.",
 "meta": {
- "author": "Sorina Ionescu",
- "creation_date": "2022/02/08",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/23",
 "falsepositive": [
- "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored."
+ "Unknown"
 ],
- "filename": "microsoft365_pst_export_alert.yml",
+ "filename": "microsoft365_activity_from_infrequent_country.yml",
 "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml"
 ],
 "tags": [
- "attack.collection",
- "attack.t1114"
+ "attack.command_and_control",
+ "attack.t1573"
 ]
 },
 "related": [
 {
- "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0",
- "value": "PST Export Alert Using eDiscovery Alert"
+ "uuid": "0f2468a2-5055-4212-a368-7321198ee706",
+ "value": "Activity from Infrequent Country"
 },
 {
- "description": "Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.",
+ "description": "Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.\nThese IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.\n",
 "meta": {
 "author": "Austin Songer @austinsonger",
 "creation_date": "2021/08/23",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "microsoft365_activity_from_infrequent_country.yml",
+ "filename": "microsoft365_from_susp_ip_addresses.yml",
 "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml"
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml"
 ],
 "tags": [
 "attack.command_and_control",
@@ -81562,8 +81797,8 @@
 "type": "related-to"
 }
 ],
- "uuid": "0f2468a2-5055-4212-a368-7321198ee706",
- "value": "Activity from Infrequent Country"
+ "uuid": "a3501e8e-af9e-43c6-8cd6-9360bdaae498",
+ "value": "Activity from Suspicious IP Addresses"
 },
 {
 "description": "Detects when a new member is added or invited to a github organization.",
@@ -81733,9 +81968,9 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
- "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
 "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
+ "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
+ "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml"
 ],
 "tags": [
@@ -81863,7 +82098,7 @@
 "logsource.product": "gcp",
 "refs": [
 "https://cloud.google.com/dns/docs/reference/v1/managedZones",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml"
 ],
 "tags": [
 "attack.impact"
@@ -81887,7 +82122,7 @@
 "logsource.product": "gcp",
 "refs": [
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml"
 ],
 "tags": [
 "attack.credential_access"
@@ -81912,7 +82147,7 @@
 "logsource.product": "gcp",
 "refs": [
 "https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml"
 ],
 "tags": [
 "attack.impact"
@@ -81936,7 +82171,7 @@
 "logsource.product": "gcp",
 "refs": [
 "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_modified.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_service_account_modified.yml"
 ],
 "tags": [
 "attack.impact"
@@ -81959,12 +82194,12 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://github.com/elastic/detection-rules/pull/1267",
 "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
- "https://github.com/elastic/detection-rules/pull/1267",
 "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml"
 ],
 "tags": [
 "attack.credential_access"
@@ -81988,7 +82223,7 @@
 "logsource.product": "gcp",
 "refs": [
 "https://cloud.google.com/storage/docs/json_api/v1/buckets",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_enumeration.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_bucket_enumeration.yml"
 ],
 "tags": [
 "attack.discovery"
@@ -82011,10 +82246,10 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
- "https://cloud.google.com/kubernetes-engine/docs",
 "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
+ "https://cloud.google.com/kubernetes-engine/docs",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml"
 ],
 "tags": [
 "attack.persistence",
@@ -82041,7 +82276,7 @@
 "logsource.product": "gcp",
 "refs": [
 "https://any-api.com/googleapis_com/compute/docs/vpnTunnels",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml"
 ],
 "tags": [
 "attack.impact"
@@ -82066,7 +82301,7 @@
 "refs": [
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -82099,7 +82334,7 @@
 "logsource.product": "gcp",
 "refs": [
 "https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml"
 ],
 "tags": [
 "attack.impact", 
@@ -82133,7 +82368,7 @@
 "logsource.product": "gcp",
 "refs": [
 "https://cloud.google.com/kubernetes-engine/docs",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml"
 ],
 "tags": [
 "attack.persistence",
@@ -82184,7 +82419,7 @@
 "logsource.product": "gcp",
 "refs": [
 "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml"
 ],
 "tags": [
 "attack.impact",
@@ -82218,7 +82453,7 @@
 "logsource.product": "gcp",
 "refs": [
 "https://cloud.google.com/storage/docs/json_api/v1/buckets",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml"
 ],
 "tags": [
 "attack.impact"
@@ -82241,9 +82476,9 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml"
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml"
 ],
 "tags": [
 "attack.collection", 
@@ -82263,170 +82498,170 @@
 "value": "Google Full Network Traffic Packet Capture"
 },
 {
- "description": "Detects when an an application is removed from Google Workspace.",
+ "description": "Detects when an a role privilege is deleted in Google Workspace.",
 "meta": {
 "author": "Austin Songer",
- "creation_date": "2021/08/26",
+ "creation_date": "2021/08/24",
 "falsepositive": [
- "Application being removed may be performed by a System Administrator."
+ "Unknown"
 ],
- "filename": "gworkspace_application_removed.yml",
+ "filename": "gcp_gworkspace_role_privilege_deleted.yml",
 "level": "medium",
 "logsource.category": "No established category",
- "logsource.product": "google_workspace",
+ "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml"
 ],
 "tags": [
 "attack.impact"
 ]
 },
- "uuid": "ee2803f0-71c8-4831-b48b-a1fc57601ee4",
- "value": "Google Workspace Application Removed"
+ "uuid": "bf638ef7-4d2d-44bb-a1dc-a238252e6267",
+ "value": "Google Workspace Role Privilege Deleted"
 },
 {
- "description": "Detects when an Google Workspace user is granted admin privileges.",
+ "description": "Detects when multi-factor authentication (MFA) is disabled.",
 "meta": {
 "author": "Austin Songer",
- "creation_date": "2021/08/23",
+ "creation_date": "2021/08/26",
 "falsepositive": [
- "Google Workspace admin role privileges, may be modified by system administrators."
+ "MFA may be disabled and performed by a system administrator."
 ],
- "filename": "gworkspace_user_granted_admin_privileges.yml",
+ "filename": "gcp_gworkspace_mfa_disabled.yml",
 "level": "medium",
 "logsource.category": "No established category",
- "logsource.product": "google_workspace",
+ "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml"
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1098"
+ "attack.impact"
 ]
 },
- "related": [
- {
- "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "2d1b83e4-17c6-4896-a37b-29140b40a788",
- "value": "Google Workspace User Granted Admin Privileges"
+ "uuid": "780601d1-6376-4f2a-884e-b8d45599f78c",
+ "value": "Google Workspace MFA Disabled"
 },
 {
- "description": "Detects when an a role is modified or deleted in Google Workspace.",
+ "description": "Detects when an an application is removed from Google Workspace.",
 "meta": {
 "author": "Austin Songer",
- "creation_date": "2021/08/24",
+ "creation_date": "2021/08/26",
 "falsepositive": [
- "Unknown"
+ "Application being removed may be performed by a System Administrator."
 ],
- "filename": "gworkspace_role_modified_or_deleted.yml",
+ "filename": "gcp_gworkspace_application_removed.yml",
 "level": "medium",
 "logsource.category": "No established category",
- "logsource.product": "google_workspace",
+ "logsource.product": "gcp",
 "refs": [
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml"
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml"
 ],
 "tags": [
 "attack.impact"
 ]
 },
- "uuid": "6aef64e3-60c6-4782-8db3-8448759c714e",
- "value": "Google Workspace Role Modified or Deleted"
+ "uuid": "ee2803f0-71c8-4831-b48b-a1fc57601ee4",
+ "value": "Google Workspace Application Removed"
 },
 {
- "description": "Detects when an a role privilege is deleted in Google Workspace.",
+ "description": "Detects when an API access service account is granted domain authority.",
 "meta": {
 "author": "Austin Songer",
- "creation_date": "2021/08/24",
+ "creation_date": "2021/08/23",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "gworkspace_role_privilege_deleted.yml",
+ "filename": "gcp_gworkspace_granted_domain_api_access.yml",
 "level": "medium",
 "logsource.category": "No established category",
- "logsource.product": "google_workspace",
+ "logsource.product": "gcp",
 "refs": [
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml"
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml"
 ],
 "tags": [
- "attack.impact"
+ "attack.persistence",
+ "attack.t1098"
 ]
 },
- "uuid": "bf638ef7-4d2d-44bb-a1dc-a238252e6267",
- "value": "Google Workspace Role Privilege Deleted"
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba",
+ "value": "Google Workspace Granted Domain API Access"
 },
 {
- "description": "Detects when multi-factor authentication (MFA) is disabled.",
+ "description": "Detects when an Google Workspace user is granted admin privileges.",
 "meta": {
 "author": "Austin Songer",
- "creation_date": "2021/08/26",
+ "creation_date": "2021/08/23",
 "falsepositive": [
- "MFA may be disabled and performed by a system administrator."
+ "Google Workspace admin role privileges, may be modified by system administrators."
 ],
- "filename": "gworkspace_mfa_disabled.yml",
+ "filename": "gcp_gworkspace_user_granted_admin_privileges.yml",
 "level": "medium",
 "logsource.category": "No established category",
- "logsource.product": "google_workspace",
+ "logsource.product": "gcp",
 "refs": [
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml"
 ],
 "tags": [
- "attack.impact"
+ "attack.persistence",
+ "attack.t1098"
 ]
 },
- "uuid": "780601d1-6376-4f2a-884e-b8d45599f78c",
- "value": "Google Workspace MFA Disabled"
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "2d1b83e4-17c6-4896-a37b-29140b40a788",
+ "value": "Google Workspace User Granted Admin Privileges"
 },
 {
- "description": "Detects when an API access service account is granted domain authority.",
+ "description": "Detects when an a role is modified or deleted in Google Workspace.",
 "meta": {
 "author": "Austin Songer",
- "creation_date": "2021/08/23",
+ "creation_date": "2021/08/24",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "gworkspace_granted_domain_api_access.yml",
+ "filename": "gcp_gworkspace_role_modified_or_deleted.yml",
 "level": "medium",
 "logsource.category": "No established category",
- "logsource.product": "google_workspace",
+ "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1098"
+ "attack.impact"
 ]
 },
- "related": [
- {
- "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba",
- "value": "Google Workspace Granted Domain API Access"
+ "uuid": "6aef64e3-60c6-4782-8db3-8448759c714e",
+ "value": "Google Workspace Role Modified or Deleted"
 },
 {
 "description": "Detects when an user assumed another user account.", 
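Review bot: The six Google Workspace entries in this hunk change `logsource.product` from `google_workspace` to `gcp`, so any consumer that filters or groups clusters by product will silently stop seeing these rules under the old key and fold them in with GCP audit rules. Nothing else on the new side except the `gcp_gworkspace_` filename prefix and the `rules/cloud/gcp/gworkspace/` ref path still marks them as Workspace rules, so the re-keying is worth stating in the commit message. The descriptions also carry their grammar slips onto the new side (`"Detects when an a role privilege is deleted in Google Workspace."`, `"Detects when an an application is removed from Google Workspace."`, `"Detects when an Google Workspace user is granted admin privileges."`). Since this file appears to be generated from the upstream Sigma rules, that fix belongs in the upstream rule descriptions rather than in this JSON.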
@@ -82487,14 +82722,14 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
+ "https://github.com/elastic/detection-rules/pull/1145/files",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
- "https://github.com/elastic/detection-rules/pull/1145/files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml"
 ],
 "tags": [
 "attack.exfiltration",
@@ -82528,7 +82763,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_disable_encryption.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml"
 ],
 "tags": [
 "attack.impact", 
@@ -82570,7 +82805,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_backdoor_users_keys.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml"
 ],
 "tags": [
 "attack.persistence",
@@ -82604,7 +82839,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://docs.aws.amazon.com/cli/latest/reference/securityhub/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_securityhub_finding_evasion.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -82637,7 +82872,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_delete_identity.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_delete_identity.yml"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -82670,7 +82905,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://www.justice.gov/file/1080281/download",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml"
 ],
 "tags": [
 "attack.exfiltration",
@@ -82703,7 +82938,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml"
 ],
 "tags": [
 "attack.impact", 
@@ -82736,7 +82971,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml"
 ],
 "tags": [
 "attack.persistence",
@@ -82773,7 +83008,7 @@
 "refs": [
 "https://github.com/elastic/detection-rules/pull/1214",
 "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml"
 ],
 "tags": [
 "attack.lateral_movement",
@@ -82823,7 +83058,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_change_master_password.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml"
 ],
 "tags": [
 "attack.exfiltration",
@@ -82856,7 +83091,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml"
 ],
 "tags": [
 "attack.impact", 
@@ -82890,9 +83125,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
 "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml"
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml"
 ],
 "tags": [
 "attack.initial_access",
@@ -82953,7 +83188,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://any-api.com/amazonaws_com/eks/docs/API_Description",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml"
 ],
 "tags": [
 "attack.impact",
@@ -82986,7 +83221,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_public_db_restore.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml"
 ],
 "tags": [
 "attack.exfiltration",
@@ -83019,7 +83254,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml"
 ],
 "tags": [
 "attack.execution", 
@@ -83061,7 +83296,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_cloudtrail_disable_logging.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -83094,7 +83329,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_startup_script_change.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml"
 ],
 "tags": [
 "attack.execution",
@@ -83143,9 +83378,9 @@
 "logsource.product": "aws",
 "refs": [
 "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
- "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
 "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml"
+ "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml"
 ],
 "tags": [
 "attack.discovery",
@@ -83178,7 +83413,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_update_login_profile.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml"
 ],
 "tags": [
 "attack.persistence", 
@@ -83209,7 +83444,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_vm_export_failure.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml"
 ],
 "tags": [
 "attack.collection",
@@ -83250,10 +83485,10 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html",
 "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html",
+ "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html",
 "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sso_idp_change.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml"
 ],
 "tags": [
 "attack.persistence",
@@ -83287,7 +83522,7 @@
 "refs": [
 "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
 "https://github.com/elastic/detection-rules/pull/1213",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml"
 ],
 "tags": [
 "attack.lateral_movement", 
@@ -83337,9 +83572,9 @@
 "logsource.product": "aws",
 "refs": [
 "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html",
- "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
 "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_cred_endpoint_query.yml"
+ "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml"
 ],
 "tags": [
 "attack.persistence",
@@ -83372,7 +83607,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml"
 ],
 "tags": [
 "attack.execution",
@@ -83414,7 +83649,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_guardduty_disruption.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -83448,7 +83683,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml"
 ],
 "tags": [
 "attack.privilege_escalation" 
@@ -83470,10 +83705,10 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
 "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml"
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
+ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml"
 ],
 "tags": [
 "attack.persistence",
@@ -83507,7 +83742,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml"
 ],
 "tags": [
 "attack.impact" 
@@ -83530,9 +83765,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
 "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml"
+ "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml"
 ],
 "tags": [
 "attack.privilege_escalation"
@@ -83555,7 +83790,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_root_account_usage.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -83588,7 +83823,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_s3browser_user_or_accesskey_creation.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml"
 ],
 "tags": [
 "attack.execution",
@@ -83629,7 +83864,7 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_config_disable_recording.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml"
 ],
 "tags": [
 "attack.defense_evasion", 
@@ -83662,7 +83897,7 @@
 "logsource.product": "aws",
 "refs": [
 "https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_created.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml"
 ],
 "tags": [
 "attack.persistence", 
@@ -83689,6 +83924,244 @@ "uuid": "4ae68615-866f-4304-b24b-ba048dfa5ca7", "value": "AWS ElastiCache Security Group Created" }, + { + "description": "Identifies an event where there are there are too many accounts assigned the Global Administrator role.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/14", + "falsepositive": [ + "Investigate if threshold setting in PIM is too low." + ], + "filename": "azure_pim_too_many_global_admins.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7bbc309f-e2b1-4eb1-8369-131a367d67d3", + "value": "Too Many Global Admins" + }, + { + "description": "Identifies when a user has been assigned a privilege role and are not using that role.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/14", + "falsepositive": [ + "Investigate if potential generic account that cannot be removed." 
+ ], + "filename": "azure_pim_role_not_used.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8c6ec464-4ae4-43ac-936a-291da66ed13d", + "value": "Roles Are Not Being Used" + }, + { + "description": "Identifies when the same privilege role has multiple activations by the same user.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/14", + "falsepositive": [ + "Investigate where if active time period for a role is set too short." 
+ ], + "filename": "azure_pim_role_frequent_activation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "645fd80d-6c07-435b-9e06-7bc1b5656cba", + "value": "Roles Activated Too Frequently" + }, + { + "description": "Identifies when an organization doesn't have the proper license for PIM and is out of compliance.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/14", + "falsepositive": [ + "Investigate if licenses have expired." 
+ ], + "filename": "azure_pim_invalid_license.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "58af08eb-f9e1-43c8-9805-3ad9b0482bd8", + "value": "Invalid PIM License" + }, + { + "description": "Identifies when a privilege role can be activated without performing mfa.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/14", + "falsepositive": [ + "Investigate if user is performing MFA at sign-in." 
+ ], + "filename": "azure_pim_role_no_mfa_required.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "94a66f46-5b64-46ce-80b2-75dcbe627cc0", + "value": "Roles Activation Doesn't Require MFA" + }, + { + "description": "Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/14", + "falsepositive": [ + "Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there." 
+ ], + "filename": "azure_pim_role_assigned_outside_of_pim.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b1bc08d1-8224-4758-a0e6-fbcfc98c73bb", + "value": "Roles Assigned Outside PIM" + }, + { + "description": "Identifies when an account hasn't signed in during the past n number of days.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/14", + "falsepositive": [ + "Investigate if potential generic account that cannot be removed." 
+ ], + "filename": "azure_pim_account_stale.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e402c26a-267a-45bd-9615-bd9ceda6da85", + "value": "Stale Accounts In A Privileged Role" + }, { "description": "Alert on when legecy authentication has been used on an account", "meta": { @@ -83703,7 +84176,7 @@ "logsource.product": "azure", "refs": [ "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_legacy_authentication_protocols.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml" ], "tags": [ "attack.initial_access", 
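Review bot: The description of the new `Too Many Global Admins` entry reads `there are there are too many accounts`, and the other six new PIM entries say `privilege role` where the linked Microsoft page uses `privileged role` (with `mfa` in lower case in the `Roles Activation Doesn't Require MFA` entry). These strings appear to be carried verbatim from the upstream Sigma rule `description` fields, so the wording fix belongs in SigmaHQ/sigma followed by a regeneration, not a hand edit here that the next run would overwrite. Likewise the new `falsepositive` entries are phrased as analyst instructions (`Investigate if threshold setting in PIM is too low.`) rather than as conditions that produce a false positive, which is how the field reads elsewhere in this file (`Unknown`, `Known Legacy Accounts`).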
@@ -83731,39 +84204,6 @@
 "uuid": "60f6535a-760f-42a9-be3f-c9a0a025906e",
 "value": "Use of Legacy Authentication Protocols"
 },
- {
- "description": "Detects when an end user consents to an application",
- "meta": {
- "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'",
- "creation_date": "2022/07/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "azure_app_end_user_consent.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "azure",
- "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1528"
- ]
- },
- "related": [
- {
- "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a",
- "value": "End User Consent"
- },
 {
 "description": "Define a baseline threshold for failed sign-ins due to Conditional Access failures",
 "meta": {
@@ -83780,7 +84220,7 @@
 "logsource.product": "azure",
 "refs": [
 "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_conditional_access_failure.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml"
 ],
 "tags": [
 "attack.initial_access",
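Review bot: This hunk drops the `End User Consent` cluster (uuid `9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a`) with no replacement, and the hunks at -83808, -83879 and -83952 likewise remove `App Role Added` (`b04934b2-…`), `Change to Authentication Method` (`4d78a000-…`), `Guest User Invited By Non Approved Inviters` (`0b4b72e3-…`), `Azure Service Principal Created` (`0ddcff6d-…`), `Azure Key Vault Modified or Deleted` (`459a2970-…`) and `Temporary Access Pass Added To An Account` (`fa84aaf5-…`). By contrast `User Access Blocked by Azure Conditional Access` (`9a60e676-…`) is only moved, since it is removed at -83952 and re-added at -83879. If the others reappear later in the diff under their new subfolder paths this is just the re-sort the path changes imply, but the hunks shown do not establish that, and any MISP event already tagged with a dropped cluster uuid would lose its galaxy link on update. Worth confirming each removed uuid is still present on the new side before merging.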
@@ -83808,40 +84248,6 @@
 "uuid": "b4a6d707-9430-4f5f-af68-0337f52d5c42",
 "value": "Sign-in Failure Due to Conditional Access Requirements Not Met"
 },
- {
- "description": "Detects when an app is assigned Azure AD roles, such as global adminsitrator, or Azure RBAC roles, such as subscription owner.",
- "meta": {
- "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'",
- "creation_date": "2022/07/19",
- "falsepositive": [
- "When the permission is legitimately needed for the app"
- ],
- "filename": "azure_app_role_added.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "azure",
- "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_role_added.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1098.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b04934b2-0a68-4845-8a19-bdfed3a68a7a",
- "value": "App Role Added"
- },
 {
 "description": "Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.\nThe application then uses those credentials to authenticate the user against the identity provider.\n",
 "meta": {
@@ -83856,7 +84262,7 @@
 "logsource.product": "azure",
 "refs": [
 "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_ropc_authentication.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml"
 ],
 "tags": [
 "attack.t1078",
@@ -83879,67 +84285,98 @@ "value": "Applications That Are Using ROPC Authentication Flow" }, { - "description": "Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.", + "description": "Detect access has been blocked by Conditional Access policies.\nThe access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.\n", "meta": { "author": "AlertIQ", "creation_date": "2021/10/10", "falsepositive": [ "Unknown" ], - "filename": "azure_change_to_authentication_method.yml", + "filename": "azure_user_login_blocked_by_conditional_access.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_change_to_authentication_method.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml" ], "tags": [ "attack.credential_access", - "attack.t1556", - "attack.persistence", - "attack.defense_evasion", - "attack.t1098" + "attack.initial_access", + "attack.t1110", + "attack.t1078.004" ] }, "related": [ { - "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7", - "value": "Change to Authentication Method" + "uuid": "9a60e676-26ac-44c3-814b-0c2a8b977adf", + "value": "User Access Blocked by Azure Conditional Access" }, { - 
"description": "Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.", + "description": "Detects when sign-ins increased by 10% or greater.", "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/10", + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'", + "creation_date": "2022/08/11", "falsepositive": [ - "A non malicious user is unaware of the proper process" + "Unlikely" ], - "filename": "azure_guest_invite_failure.yml", + "filename": "azure_ad_auth_failure_increase.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_invite_failure.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml" ], "tags": [ - "attack.persistence", "attack.defense_evasion", + "attack.t1078" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e1d02b53-c03c-4948-b11d-4d00cca49d03", + "value": "Increased Failed Authentications Of Any Type" + }, + { + "description": "Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/06/30", + "falsepositive": [ + "If this was approved by System Administrator." 
+ ], + "filename": "azure_users_authenticating_to_other_azure_ad_tenants.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml" + ], + "tags": [ + "attack.initial_access", "attack.t1078.004" ] }, 
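Review bot: The description re-added here for `User Access Blocked by Azure Conditional Access` still carries the garbled `sights≈` and the misspelling `unauthorizeed`, and the new `Increased Failed Authentications Of Any Type` entry describes itself as `Detects when sign-ins increased by 10% or greater.`, which omits the word failed and so contradicts its own `value` and the `azure_ad_auth_failure_increase.yml` filename. Both strings look copied verbatim from the upstream rule `description` fields, so the corrections — `might be signs of unauthorized login to valid accounts` and `Detects when failed sign-ins increased by 10% or greater.` — belong in SigmaHQ/sigma before the next regeneration. A `falsepositive` of `Unlikely` for a percentage-threshold rule is also optimistic, since organic growth in sign-in volume would trip it; the sibling `azure_ad_auth_sucess_increase.yml` entry at -83952 lists `Increase of users in the environment`, which is the more useful phrasing.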
@@ -83952,138 +84389,178 @@ "type": "related-to" } ], - "uuid": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9", - "value": "Guest User Invited By Non Approved Inviters" + "uuid": "5f521e4b-0105-4b72-845b-2198a54487b9", + "value": "Users Authenticating To Other Azure AD Tenants" }, { - "description": "Identifies when a service principal is created in Azure.", + "description": "Detect when authentications to important application(s) only required single-factor authentication", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/02", + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/28", "falsepositive": [ - "Service principal being created may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "If this was approved by System Administrator." 
], - "filename": "azure_service_principal_created.yml", + "filename": "azure_ad_auth_to_important_apps_using_single_factor_auth.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_created.yml" + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml" ], "tags": [ - "attack.defense_evasion" + "attack.initial_access", + "attack.t1078" ] }, - "uuid": "0ddcff6d-d262-40b0-804b-80eb592de8e3", - "value": "Azure Service Principal Created" + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f272fb46-25f2-422c-b667-45837994980f", + "value": "Authentications To Important Apps Using Single Factor Authentication" }, { - "description": "Identifies when a key vault is modified or deleted.", + "description": "Detects when successful sign-ins increased by 10% or greater.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/16", + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", + "creation_date": "2022/08/11", "falsepositive": [ - "Key Vault being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ "Increase of users in the environment" ], - "filename": "azure_keyvault_modified_or_deleted.yml", + "filename": "azure_ad_auth_sucess_increase.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae", + "value": "Measurable Increase Of Successful Authentications" + }, + { + "description": "Detect successful authentications from countries you do not operate out of.", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/28", + "falsepositive": [ + "If this was approved by System Administrator." 
+ ], + "filename": "azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml" + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml" ], "tags": [ - "attack.impact", + "attack.initial_access", "attack.credential_access", - "attack.t1552", - "attack.t1552.001" + "attack.t1078.004", + "attack.t1110" ] }, "related": [ { - "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d", - "value": "Azure Key Vault Modified or Deleted" + "uuid": "8c944ecb-6970-4541-8496-be554b8e2846", + "value": "Successful Authentications From Countries You Do Not Operate Out Of" }, { - "description": "Detect access has been blocked by Conditional Access policies.\nThe access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.\n", + "description": "Detects successful authentication from potential clients using legacy authentication via user agent strings. 
This could be a sign of MFA bypass using a password spray attack.", "meta": { - "author": "AlertIQ", - "creation_date": "2021/10/10", + "author": "Harjot Singh, '@cyb3rjy0t'", + "creation_date": "2023/03/20", "falsepositive": [ - "Unknown" + "Known Legacy Accounts" ], - "filename": "azure_user_login_blocked_by_conditional_access.yml", - "level": "medium", + "filename": "azure_ad_suspicious_signin_bypassing_mfa.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml" + "https://blooteem.com/march-2022", + "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml" ], "tags": [ - "attack.credential_access", "attack.initial_access", - "attack.t1110", - "attack.t1078.004" + "attack.credential_access", + "attack.t1078.004", + "attack.t1110" ] }, "related": [ { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "9a60e676-26ac-44c3-814b-0c2a8b977adf", - "value": "User Access Blocked by Azure Conditional Access" + "uuid": "53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc", + "value": "Potential MFA Bypass Using Legacy Client Authentication" }, { - "description": "Detects when a temporary access pass (TAP) is added to an 
account. TAPs added to priv accounts should be investigated", + "description": "Monitor and alert for device registration or join events where MFA was not performed.", "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/10", + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", "falsepositive": [ - "Administrator adding a legitimate temporary access pass" + "Unknown" ], - "filename": "azure_tap_added.yml", - "level": "high", + "filename": "azure_ad_device_registration_or_join_without_mfa.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_tap_added.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml" ], "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.t1078.004" ] }, 
@@ -84096,244 +84573,276 @@ "type": "related-to" } ], - "uuid": "fa84aaf5-8142-43cd-9ec2-78cfebf878ce", - "value": "Temporary Access Pass Added To An Account" + "uuid": "5afa454e-030c-4ab4-9253-a90aa7fcc581", + "value": "Device Registration or Join Without MFA" }, { - "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", + "description": "Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/26", + "author": "Janantha Marasinghe", + "creation_date": "2022/11/27", "falsepositive": [ - "If this was approved by System Administrator." + "Unknown" ], - "filename": "azure_subscription_permissions_elevation_via_auditlogs.yml", + "filename": "azure_ad_azurehound_discovery.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml" + "https://github.com/BloodHoundAD/AzureHound", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml" ], "tags": [ - "attack.initial_access", - "attack.t1078" + "attack.discovery", + "attack.t1087.004", + "attack.t1526" ] }, "related": [ { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": 
"e24fcba8-2557-4442-a139-1ee2f2e784db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ca9bf243-465e-494a-9e54-bf9fc239057d", - "value": "Azure Subscription Permission Elevation Via AuditLogs" + "uuid": "35b781cc-1a08-4a5a-80af-42fd7c315c6b", + "value": "Discovery Using AzureHound" }, { - "description": "Detects when an account was created and deleted in a short period of time.", + "description": "Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.", "meta": { - "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", - "creation_date": "2022/08/11", + "author": "AlertIQ", + "creation_date": "2021/10/10", "falsepositive": [ - "Legit administrative action" + "Unknown" ], - "filename": "azure_ad_account_created_deleted.yml", - "level": "high", + "filename": "azure_account_lockout.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_account_created_deleted.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_account_lockout.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1078" + "attack.credential_access", + "attack.t1110" ] }, "related": [ { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "6f583da0-3a90-4566-a4ed-83c09fe18bbf", - "value": "Account Created And Deleted Within A Close Time Frame" + "uuid": 
"2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a", + "value": "Account Lockout" }, { - "description": "Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.", + "description": "Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", "falsepositive": [ - "Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Unknown" ], - "filename": "azure_firewall_rule_collection_modified_or_deleted.yml", - "level": "medium", + "filename": "azure_ad_sign_ins_from_unknown_devices.yml", + "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml" ], "tags": [ - "attack.impact", "attack.defense_evasion", - "attack.t1562.004" + "attack.t1078.004" ] }, "related": [ { - "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": 
"025c9fe7-db72-49f9-af0d-31341dd7dd57", - "value": "Azure Firewall Rule Collection Modified or Deleted" + "uuid": "4d136857-6a1a-432a-82fc-5dd497ee5e7c", + "value": "Sign-ins by Unknown Devices" }, { - "description": "Identifies when an admission controller is executed in Azure Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.\nAn adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", + "description": "Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/25", + "author": "AlertIQ", + "creation_date": "2021/10/10", "falsepositive": [ - "Azure Kubernetes Admissions Controller may be done by a system administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." 
+ "Unknown" ], - "filename": "azure_kubernetes_admission_controller.yml", + "filename": "azure_mfa_interrupted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_admission_controller.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml" ], "tags": [ - "attack.persistence", - "attack.t1078", + "attack.initial_access", "attack.credential_access", - "attack.t1552", - "attack.t1552.007" + "attack.t1078.004", + "attack.t1110", + "attack.t1621" ] }, "related": [ { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436", + "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58", - "value": "Azure Kubernetes Admission Controller" + "uuid": "5496ff55-42ec-4369-81cb-00f417029e25", + "value": "Multifactor Authentication Interrupted" }, { - "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", + "description": "User has indicated they haven't instigated the MFA prompt and could 
indicate an attacker has the password for the account.", "meta": { - "author": "sawwinnnaung", - "creation_date": "2020/05/07", + "author": "AlertIQ", + "creation_date": "2022/03/24", "falsepositive": [ - "Valid change" + "Users actually login but miss-click into the Deny button when MFA prompt." ], - "filename": "azure_rare_operations.yml", + "filename": "azure_mfa_denies.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_rare_operations.yml" + "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_mfa_denies.yml" ], "tags": [ - "attack.t1003" + "attack.initial_access", + "attack.credential_access", + "attack.t1078.004", + "attack.t1110", + "attack.t1621" ] }, "related": [ { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "c1182e02-49a3-481c-b3de-0fadc4091488", - "value": "Rare Subscription-level Operations In Azure" + "uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99", + "value": "Multifactor Authentication Denied" }, { - "description": "Detects when sign-ins increased by 10% or greater.", + "description": "Detect failed 
authentications from countries you do not operate out of.", "meta": { - "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'", - "creation_date": "2022/08/11", + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/28", "falsepositive": [ - "Unlikely" + "If this was approved by System Administrator." ], - "filename": "azure_ad_auth_failure_increase.yml", - "level": "medium", + "filename": "azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml", + "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_failure_increase.yml" + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1078" + "attack.initial_access", + "attack.credential_access", + "attack.t1078.004", + "attack.t1110" ] }, "related": [ { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "e1d02b53-c03c-4948-b11d-4d00cca49d03", - "value": "Increased Failed Authentications Of Any Type" + "uuid": "28870ae4-6a13-4616-bd1a-235a7fad7458", + "value": "Failed Authentications From Countries You Do Not Operate Out Of" }, { - "description": "Monitor and alert for Bitlocker key retrieval.", + "description": "Detect failed 
attempts to sign in to disabled accounts.", "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", + "author": "AlertIQ", + "creation_date": "2021/10/10", "falsepositive": [ "Unknown" ], - "filename": "azure_ad_bitlocker_key_retrieval.yml", + "filename": "azure_login_to_disabled_account.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml" ], "tags": [ - "attack.defense_evasion", + "attack.initial_access", "attack.t1078.004" ] }, 
@@ -84346,87 +84855,63 @@ "type": "related-to" } ], - "uuid": "a0413867-daf3-43dd-9245-734b3a787942", - "value": "Bitlocker Key Retrieval" + "uuid": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8", + "value": "Login to Disabled Account" }, { - "description": "Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.", + "description": "Detects risky authencaition from a non AD registered device without MFA being required.", "meta": { - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "creation_date": "2022/06/02", + "author": "Harjot Singh, '@cyb3rjy0t'", + "creation_date": "2023/01/10", "falsepositive": [ - "When a new application owner is added by an administrator" + "Unknown" ], - "filename": "azure_app_owner_added.yml", - "level": "medium", + "filename": "azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_owner_added.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml" ], "tags": [ - "attack.t1552", - "attack.credential_access" + "attack.defense_evasion", + "attack.t1078" ] }, "related": [ { - "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "74298991-9fc4-460e-a92e-511aa60baec1", - "value": "Added Owner To Application" + "uuid": 
"572b12d4-9062-11ed-a1eb-0242ac120002", + "value": "Suspicious SignIns From A Non Registered Device" }, { - "description": "Identifies when a application gateway is modified or deleted.", + "description": "Detect when users are authenticating without MFA being required.", "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/16", + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/27", "falsepositive": [ - "Application gateway being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "If this was approved by System Administrator." ], - "filename": "azure_application_gateway_modified_or_deleted.yml", - "level": "medium", + "filename": "azure_ad_only_single_factor_auth_required.yml", + "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml" + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml" ], "tags": [ - "attack.impact" - ] - }, - "uuid": "ad87d14e-7599-4633-ba81-aeb60cfe8cd6", - "value": "Azure Application Gateway Modified or Deleted" - }, - { - "description": "Detect when a user has reset their password in Azure AD", - "meta": { - "author": "YochanaHenderson, '@Yochana-H'", - "creation_date": "2022/08/03", - "falsepositive": [ - "If this was approved by System Administrator or confirmed user action." 
- ], - "filename": "azure_user_password_change.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_password_change.yml" - ], - "tags": [ - "attack.persistence", + "attack.initial_access", "attack.credential_access", - "attack.t1078.004" + "attack.t1078.004", + "attack.t1556.006" ] }, "related": [ 
@@ -84436,71 +84921,36 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" - } - ], - "uuid": "340ee172-4b67-4fb4-832f-f961bdc1f3aa", - "value": "Password Reset By User Account" - }, - { - "description": "Monitor and alert on group membership additions of groups that have CA policy modification access", - "meta": { - "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", - "creation_date": "2022/08/04", - "falsepositive": [ - "User removed from the group is approved" - ], - "filename": "azure_group_user_addition_ca_modification.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_addition_ca_modification.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1548", - "attack.t1556" - ] - }, - "related": [ - { - "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" }, { - "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "91c95675-1f27-46d0-bead-d1ae96b97cd3", - "value": "User Added To Group With CA Policy Modification Access" + "uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c", + "value": "Azure AD Only Single Factor Authentication Required" }, { - "description": "Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.", + "description": "Monitor and alert for sign-ins where the device was non-compliant.", "meta": { - "author": "MikeDuddington, '@dudders1'", - "creation_date": "2022/06/30", + "author": 
"Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", "falsepositive": [ - "If this was approved by System Administrator." + "Unknown" ], - "filename": "azure_users_authenticating_to_other_azure_ad_tenants.yml", - "level": "medium", + "filename": "azure_ad_sign_ins_from_noncompliant_devices.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_users_authenticating_to_other_azure_ad_tenants.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml" ], "tags": [ - "attack.initial_access", + "attack.defense_evasion", "attack.t1078.004" ] }, 
@@ -84513,26 +84963,24 @@ "type": "related-to" } ], - "uuid": "5f521e4b-0105-4b72-845b-2198a54487b9", - "value": "Users Authenticating To Other Azure AD Tenants" + "uuid": "4f77e1d7-3982-4ee0-8489-abf2d6b75284", + "value": "Sign-ins from Non-Compliant Devices" }, { - "description": "Identifies when an user or application modified the federation settings on the domain.", + "description": "Detects when there is a interruption in the authentication process.", "meta": { - "author": "Austin Songer", - "creation_date": "2021/09/06", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/26", "falsepositive": [ - "Federation Settings being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Unknown" ], - "filename": "azure_federation_modified.yml", + "filename": "azure_unusual_authentication_interruption.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_federation_modified.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml" ], "tags": [ "attack.initial_access", 
@@ -84548,1181 +84996,1253 @@ "type": "related-to" } ], - "uuid": "352a54e1-74ba-4929-9d47-8193d67aba1e", - "value": "Azure Domain Federation Settings Modified" + "uuid": "8366030e-7216-476b-9927-271d79f13cf3", + "value": "Azure Unusual Authentication Interruption" }, { - "description": "Identifies when a application security group is modified or deleted.", + "description": "Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.\nIf this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.\nThis can be a misconfigured application or potentially something malicious.\n", "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/16", + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/01", "falsepositive": [ - "Application security group being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Applications that are input constrained will need to use device code flow and are valid authentications." 
], - "filename": "azure_application_security_group_modified_or_deleted.yml", + "filename": "azure_app_device_code_authentication.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml" ], "tags": [ - "attack.impact" + "attack.t1078", + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.initial_access" ] }, - "uuid": "835747f1-9329-40b5-9cc3-97d465754ce6", - "value": "Azure Application Security Group Modified or Deleted" + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "248649b7-d64f-46f0-9fb2-a52774166fb5", + "value": "Application Using Device Code Authentication Flow" }, { - "description": "Detect when authentications to important application(s) only required single-factor authentication", + "description": "Detects when an account is disabled or blocked for sign in but tried to log in", "meta": { - "author": "MikeDuddington, '@dudders1'", - "creation_date": "2022/07/28", + "author": "Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/06/17", "falsepositive": [ - "If this was approved by System Administrator." 
+ "Account disabled or blocked in error", + "Automation account has been blocked or disabled" ], - "filename": "azure_ad_auth_to_important_apps_using_single_factor_auth.yml", + "filename": "azure_blocked_account_attempt.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml" + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml" ], "tags": [ "attack.initial_access", - "attack.t1078" + "attack.t1078.004" ] }, "related": [ { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "f272fb46-25f2-422c-b667-45837994980f", - "value": "Authentications To Important Apps Using Single Factor Authentication" + "uuid": "4afac85c-224a-4dd7-b1af-8da40e1c60bd", + "value": "Account Disabled or Blocked for Sign in Attempts" }, { - "description": "Identifies the deletion of Azure Kubernetes Pods.", + "description": "Indicates that a password spray attack has been successfully performed.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/07/24", + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/03", "falsepositive": [ - "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Pods deletions from unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule." + "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." ], - "filename": "azure_kubernetes_pods_deleted.yml", - "level": "medium", + "filename": "azure_identity_protection_password_spray.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml" + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray", + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml" ], "tags": [ - "attack.impact" + "attack.t1110", + "attack.credential_access" ] }, - "uuid": "b02f9591-12c3-4965-986a-88028629b2e1", - "value": "Azure Kubernetes Pods Deleted" + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "28ecba0a-c743-4690-ad29-9a8f6f25a6f9", + "value": "Password Spray Activity" }, { - "description": "Detects when a new credential is added to an existing application. 
Any additional credentials added outside of expected processes could be a malicious actor using those credentials.",
+ "description": "Detects suspicious rules that delete or move messages or folders are set on a user's inbox.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'",
- "creation_date": "2022/05/26",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
 "falsepositive": [
- "When credentials are added/removed as part of the normal working hours/workflows"
+ "Actual mailbox rules that are moving items based on their workflow."
 ],
- "filename": "azure_app_credential_added.yml",
+ "filename": "azure_identity_protection_inbox_manipulation.yml",
 "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_added.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml"
 ],
 "tags": [
- "attack.t1098.001",
- "attack.persistence"
+ "attack.t1140",
+ "attack.defense_evasion"
 ]
 },
 "related": [
 {
- "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "cbb67ecc-fb70-4467-9350-c910bdf7c628",
- "value": "Added Credentials to Existing Application"
+ "uuid": "ceb55fd0-726e-4656-bf4e-b585b7f7d572",
+ "value": "Suspicious Inbox Manipulation Rules"
 },
 {
- "description": "Identifies when a device or device configuration in azure is modified or deleted.",
+ "description": "Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.",
 "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/09/03",
+ "author": "Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/08/22",
 "falsepositive": [
- "Device or device configuration being modified or deleted may be performed by a system administrator.",
- "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins"
 ],
- "filename": "azure_device_or_configuration_modified_or_deleted.yml",
- "level": "medium",
+ "filename": "azure_identity_protection_anonymous_ip_address.yml",
+ "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anonymous-ip-address",
+ "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml"
 ],
 "tags": [
- "attack.impact",
- "attack.t1485",
- "attack.t1565.001"
+ "attack.t1528",
+ "attack.credential_access"
 ]
 },
 "related": [
 {
- "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "46530378-f9db-4af9-a9e5-889c177d3881",
- "value": "Azure Device or Configuration Modified or Deleted"
+ "uuid": "53acd925-2003-440d-a1f3-71a5253fe237",
+ "value": "Anonymous IP Address"
 },
 {
- "description": "Identifies when a application is deleted in Azure.",
+ "description": "Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.",
 "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/09/03",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
 "falsepositive": [
- "Application being deleted may be performed by a system administrator.",
- "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
 ],
- "filename": "azure_application_deleted.yml",
- "level": "medium",
+ "filename": "azure_identity_protection_new_coutry_region.yml",
+ "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_deleted.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml"
 ],
 "tags": [
+ "attack.t1078",
+ "attack.persistence",
 "attack.defense_evasion",
- "attack.impact",
- "attack.t1489"
+ "attack.privilege_escalation",
+ "attack.initial_access"
 ]
 },
 "related": [
 {
- "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "410d2a41-1e6d-452f-85e5-abdd8257a823",
- "value": "Azure Application Deleted"
+ "uuid": "adf9f4d2-559e-4f5c-95be-c28dff0b1476",
+ "value": "New Country"
 },
 {
- "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n",
+ "description": "Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address",
 "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/11/26",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
 "falsepositive": [
- "If this was approved by System Administrator."
+ "A legitmate forwarding rule."
 ],
- "filename": "azure_subscription_permissions_elevation_via_activitylogs.yml",
+ "filename": "azure_identity_protection_inbox_forwarding_rule.yml",
 "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml"
 ],
 "tags": [
- "attack.initial_access",
- "attack.t1078.004"
+ "attack.t1140",
+ "attack.defense_evasion"
 ]
 },
 "related": [
 {
- "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "09438caa-07b1-4870-8405-1dbafe3dad95",
- "value": "Azure Subscription Permission Elevation Via ActivityLogs"
+ "uuid": "27e4f1d6-ae72-4ea0-8a67-77a73a289c3d",
+ "value": "Suspicious Inbox Forwarding Identity Protection"
 },
 {
- "description": "Identifies when a Firewall Rule Configuration is Modified or Deleted.",
+ "description": "Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.",
 "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/08/08",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
 "falsepositive": [
- "Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
 ],
- "filename": "azure_network_firewall_rule_modified_or_deleted.yml",
- "level": "medium",
+ "filename": "azure_identity_protection_atypical_travel.yml",
+ "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml"
 ],
 "tags": [
- "attack.impact"
+ "attack.t1078",
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.initial_access"
 ]
 },
- "uuid": "2a7d64cf-81fa-4daf-ab1b-ab80b789c067",
- "value": "Azure Firewall Rule Configuration Modified or Deleted"
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "1a41023f-1e70-4026-921a-4d9341a9038e",
+ "value": "Atypical Travel"
 },
 {
- "description": "Detects when a Azure Kubernetes Cluster is created or deleted.",
+ "description": "Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft",
 "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/08/07",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/07",
 "falsepositive": [
- "Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ "This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated."
 ],
- "filename": "azure_kubernetes_cluster_created_or_deleted.yml",
- "level": "low",
+ "filename": "azure_identity_protection_prt_access.yml",
+ "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml"
 ],
 "tags": [
- "attack.impact"
+ "attack.t1528",
+ "attack.credential_access"
 ]
 },
- "uuid": "9541f321-7cba-4b43-80fc-fbd1fb922808",
- "value": "Azure Kubernetes Cluster Created or Deleted"
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a84fc3b1-c9ce-4125-8e74-bdcdb24021f1",
+ "value": "Primary Refresh Token Access Attempt"
 },
 {
- "description": "Detects when a user is removed from a privileged role. Bulk changes should be investigated.",
+ "description": "Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'",
- "creation_date": "2022/08/05",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
 "falsepositive": [
- "Legtimate administrator actions of removing members from a role"
+ "Using an IP address that is shared by many users"
 ],
- "filename": "azure_priviledged_role_assignment_bulk_change.yml",
+ "filename": "azure_identity_protection_malware_linked_ip.yml",
 "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_bulk_change.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1098"
+ "attack.t1090",
+ "attack.command_and_control"
 ]
 },
 "related": [
 {
- "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "102e11e3-2db5-4c9e-bc26-357d42585d21",
- "value": "Bulk Deletion Changes To Privileged Account Permissions"
+ "uuid": "821b4dc3-1295-41e7-b157-39ab212dd6bd",
+ "value": "Sign-In From Malware Infected IP"
 },
 {
- "description": "Identifies when a network security configuration is modified or deleted.",
+ "description": "Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.",
 "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/08/08",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/07",
 "falsepositive": [
- "Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
 ],
- "filename": "azure_network_security_modified_or_deleted.yml",
- "level": "medium",
+ "filename": "azure_identity_protection_malicious_ip_address_suspicious.yml",
+ "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_security_modified_or_deleted.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml"
 ],
 "tags": [
- "attack.impact"
+ "attack.t1090",
+ "attack.command_and_control"
 ]
 },
- "uuid": "d22b4df4-5a67-4859-a578-8c9a0b5af9df",
- "value": "Azure Network Security Configuration Modified or Deleted"
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "36440e1c-5c22-467a-889b-593e66498472",
+ "value": "Malicious IP Address Sign-In Suspicious"
 },
 {
- "description": "Detects when a user is added to a privileged role.",
+ "description": "Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'",
- "creation_date": "2022/08/06",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
 "falsepositive": [
- "Legtimate administrator actions of adding members from a role"
+ "User changing to a new device, location, browser, etc."
 ],
- "filename": "azure_priviledged_role_assignment_add.yml",
+ "filename": "azure_identity_protection_unfamilar_sign_in.yml",
 "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_add.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml"
 ],
 "tags": [
- "attack.privilege_escalation",
+ "attack.t1078",
+ "attack.persistence",
 "attack.defense_evasion",
- "attack.t1078.004"
+ "attack.privilege_escalation",
+ "attack.initial_access"
 ]
 },
 "related": [
 {
- "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "49a268a4-72f4-4e38-8a7b-885be690c5b5",
- "value": "User Added To Privilege Role"
+ "uuid": "128faeef-79dd-44ca-b43c-a9e236a60f49",
+ "value": "Unfamiliar Sign-In Properties"
 },
 {
- "description": "Number of VM creations or deployment activities occur in Azure via the azureactivity log.",
+ "description": "Indicates sign-in from a malicious IP address based on high failure rates.",
 "meta": {
- "author": "sawwinnnaung",
- "creation_date": "2020/05/07",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/07",
 "falsepositive": [
- "Valid change"
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
 ],
- "filename": "azure_creating_number_of_resources_detection.yml",
- "level": "medium",
+ "filename": "azure_identity_protection_malicious_ip_address.yml",
+ "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_creating_number_of_resources_detection.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1098"
+ "attack.t1090",
+ "attack.command_and_control"
 ]
 },
 "related": [
 {
- "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "d2d901db-7a75-45a1-bc39-0cbf00812192",
- "value": "Number Of Resource Creation Or Deployment Activities"
+ "uuid": "a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd",
+ "value": "Malicious IP Address Sign-In Failure Rate"
 },
 {
- "description": "Detects when successful sign-ins increased by 10% or greater.",
+ "description": "Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton",
- "creation_date": "2022/08/11",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
 "falsepositive": [
- "Increase of users in the environment"
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
 ],
- "filename": "azure_ad_auth_sucess_increase.yml",
- "level": "low",
+ "filename": "azure_identity_protection_token_issuer_anomaly.yml",
+ "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_sucess_increase.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml"
 ],
 "tags": [
- "attack.defense_evasion",
- "attack.t1078"
+ "attack.t1606",
+ "attack.credential_access"
 ]
 },
 "related": [
 {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae",
- "value": "Measurable Increase Of Successful Authentications"
+ "uuid": "e3393cba-31f0-4207-831e-aef90ab17a8c",
+ "value": "SAML Token Issuer Anomaly"
 },
 {
- "description": "Detect successful authentications from countries you do not operate out of.",
+ "description": "Indicates that the user's valid credentials have been leaked.",
 "meta": {
- "author": "MikeDuddington, '@dudders1'",
- "creation_date": "2022/07/28",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
 "falsepositive": [
- "If this was approved by System Administrator."
+ "A rare hash collision."
 ],
- "filename": "azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml",
- "level": "medium",
+ "filename": "azure_identity_protection_leaked_credentials.yml",
+ "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml"
 ],
 "tags": [
- "attack.initial_access",
- "attack.credential_access",
- "attack.t1078.004",
- "attack.t1110"
+ "attack.t1589",
+ "attack.reconnaissance"
 ]
 },
 "related": [
 {
- "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "8c944ecb-6970-4541-8496-be554b8e2846",
- "value": "Successful Authentications From Countries You Do Not Operate Out Of"
+ "uuid": "19128e5e-4743-48dc-bd97-52e5775af817",
+ "value": "Azure AD Account Credential Leaked"
 },
 {
- "description": "Identifies when a virtual network device is being modified or deleted.\nThis can be a network interface, network virtual appliance, virtual hub, or virtual router.\n",
+ "description": "Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.",
 "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/08/08",
+ "author": "Mark Morowczynski '@markmorow'",
+ "creation_date": "2023/08/07",
 "falsepositive": [
- "Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
 ],
- "filename": "azure_network_virtual_device_modified_or_deleted.yml",
- "level": "medium",
+ "filename": "azure_identity_protection_anomalous_token.yml",
+ "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml"
 ],
 "tags": [
- "attack.impact"
+ "attack.t1528",
+ "attack.credential_access"
 ]
 },
- "uuid": "15ef3fac-f0f0-4dc4-ada0-660aa72980b3",
- "value": "Azure Virtual Network Device Modified or Deleted"
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "6555754e-5e7f-4a67-ad1c-4041c413a007",
+ "value": "Anomalous Token"
 },
 {
- "description": "Identifies when a Firewall Policy is Modified or Deleted.",
+ "description": "Indicates user activity that is unusual for the user or consistent with known attack patterns.",
 "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/09/02",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/07",
 "falsepositive": [
- "Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
 ],
- "filename": "azure_network_firewall_policy_modified_or_deleted.yml",
- "level": "medium",
+ "filename": "azure_identity_protection_threat_intel.yml",
+ "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml"
 ],
 "tags": [
- "attack.impact",
+ "attack.t1078",
+ "attack.persistence",
 "attack.defense_evasion",
- "attack.t1562.007"
+ "attack.privilege_escalation",
+ "attack.initial_access"
 ]
 },
 "related": [
 {
- "dest-uuid": "77532a55-c283-4cd2-bc5d-2d0b65e9d88c",
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "83c17918-746e-4bd9-920b-8e098bf88c23",
- "value": "Azure Network Firewall Policy Modified or Deleted"
+ "uuid": "a2cb56ff-4f46-437a-a0fa-ffa4d1303cba",
+ "value": "Azure AD Threat Intelligence"
 },
 {
- "description": "Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.",
+ "description": "Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.",
 "meta": {
- "author": "Harjot Singh, '@cyb3rjy0t'",
- "creation_date": "2023/03/20",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
 "falsepositive": [
- "Known Legacy Accounts"
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
 ],
- "filename": "azure_ad_suspicious_signin_bypassing_mfa.yml",
+ "filename": "azure_identity_protection_anonymous_ip_activity.yml",
 "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://blooteem.com/march-2022",
- "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_suspicious_signin_bypassing_mfa.yml"
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address",
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml"
 ],
 "tags": [
- "attack.initial_access",
- "attack.credential_access",
- "attack.t1078.004",
- "attack.t1110"
+ "attack.t1078",
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.initial_access"
 ]
 },
 "related": [
 {
- "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc",
- "value": "Potential MFA Bypass Using Legacy Client Authentication"
+ "uuid": "be4d9c86-d702-4030-b52e-c7859110e5e8",
+ "value": "Activity From Anonymous IP Address"
 },
 {
- "description": "Identifies when a service principal was removed in Azure.",
+ "description": "Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.",
 "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/09/03",
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
 "falsepositive": [
- "Service principal being removed may be performed by a system administrator.",
- "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ "Conneting to a VPN, performing activity and then dropping and performing addtional activity."
], - "filename": "azure_service_principal_removed.yml", - "level": "medium", + "filename": "azure_identity_protection_impossible_travel.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_removed.yml" + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel", + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml" ], "tags": [ - "attack.defense_evasion" + "attack.t1078", + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access" ] }, - "uuid": "448fd1ea-2116-4c62-9cde-a92d120e0f08", - "value": "Azure Service Principal Removed" + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b2572bf9-e20a-4594-b528-40bde666525a", + "value": "Impossible Travel" }, { - "description": "Monitor and alert for device registration or join events where MFA was not performed.", + "description": "Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser", "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/03", "falsepositive": [ - "Unknown" + "We recommend investigating the sessions flagged by this detection in the context of other 
sign-ins from the user." ], - "filename": "azure_ad_device_registration_or_join_without_mfa.yml", - "level": "medium", + "filename": "azure_identity_protection_suspicious_browser.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml" + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml" ], "tags": [ + "attack.t1078", + "attack.persistence", "attack.defense_evasion", - "attack.t1078.004" + "attack.privilege_escalation", + "attack.initial_access" ] }, "related": [ { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "5afa454e-030c-4ab4-9253-a90aa7fcc581", - "value": "Device Registration or Join Without MFA" + "uuid": "944f6adb-7a99-4c69-80c1-b712579e93e6", + "value": "Suspicious Browser Activity" }, { - "description": "Identifies when a new cloudshell is created inside of Azure portal.", + "description": "Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.", "meta": { - "author": "Austin Songer", - "creation_date": "2021/09/21", + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/03", "falsepositive": [ - "A new cloudshell may be created by a 
system administrator." + "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." ], - "filename": "azure_new_cloudshell_created.yml", - "level": "medium", + "filename": "azure_identity_protection_anomalous_user.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_new_cloudshell_created.yml" + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity", + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml" ], "tags": [ - "attack.execution", - "attack.t1059" + "attack.t1098", + "attack.persistence" ] }, "related": [ { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "72af37e2-ec32-47dc-992b-bc288a2708cb", - "value": "Azure New CloudShell Created" + "uuid": "258b6593-215d-4a26-a141-c8e31c1299a6", + "value": "Anomalous User Activity" }, { - "description": "Identifies when a application credential is modified.", + "description": "Detects when an end user consents to an application", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/02", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/28", "falsepositive": [ - "Application credential added may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname 
should be making changes in your environment.", - "Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Unknown" ], - "filename": "azure_app_credential_modification.yml", - "level": "medium", + "filename": "azure_app_end_user_consent.yml", + "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_modification.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml" ], "tags": [ - "attack.impact" + "attack.credential_access", + "attack.t1528" ] }, - "uuid": "cdeef967-f9a1-4375-90ee-6978c5f23974", - "value": "Azure Application Credential Modified" + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a", + "value": "End User Consent" }, { - "description": "Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD", + "description": "Detects when an app is assigned Azure AD roles, such as global adminsitrator, or Azure RBAC roles, such as subscription owner.", "meta": { "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "creation_date": "2022/07/10", + "creation_date": "2022/07/19", "falsepositive": [ "When the permission is legitimately needed for the app" ], - "filename": "azure_app_permissions_msft.yml", - "level": "high", + "filename": "azure_app_role_added.yml", + "level": "medium", 
"logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_msft.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_role_added.yml" ], "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1098.003" ] }, "related": [ { - "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "c1d147ae-a951-48e5-8b41-dcd0170c7213", - "value": "App Granted Microsoft Permissions" + "uuid": "b04934b2-0a68-4845-8a19-bdfed3a68a7a", + "value": "App Role Added" }, { - "description": "Monitor and alert on conditional access changes where non approved actor removed CA Policy.", + "description": "Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.", "meta": { - "author": "Corissa Koopmans, '@corissalea'", - "creation_date": "2022/07/19", + "author": "AlertIQ", + "creation_date": "2021/10/10", "falsepositive": [ - "Misconfigured role permissions", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." 
+ "Unknown" ], - "filename": "azure_aad_secops_ca_policy_removedby_bad_actor.yml", + "filename": "azure_change_to_authentication_method.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml" ], "tags": [ - "attack.defense_evasion", + "attack.credential_access", + "attack.t1556", "attack.persistence", - "attack.t1548", - "attack.t1556" + "attack.defense_evasion", + "attack.t1098" ] }, "related": [ { - "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "26e7c5e2-6545-481e-b7e6-050143459635", - "value": "CA Policy Removed by Non Approved Actor" + "uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7", + "value": "Change to Authentication Method" }, { - "description": "This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\n", + "description": "Detects when a user 
that doesn't have permissions to invite a guest user attempts to invite one.", "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "creation_date": "2021/08/26", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/10", "falsepositive": [ - "Legitimate AAD Health AD FS service instances being deleted in a tenant" + "A non malicious user is unaware of the proper process" ], - "filename": "azure_aadhybridhealth_adfs_service_delete.yml", + "filename": "azure_guest_invite_failure.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://o365blog.com/post/hybridhealthagent/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml" ], "tags": [ + "attack.persistence", "attack.defense_evasion", - "attack.t1578.003" + "attack.t1078.004" ] }, "related": [ { - "dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "48739819-8230-4ee3-a8ea-e0289d1fb0ff", - "value": "Azure Active Directory Hybrid Health AD FS Service Delete" + "uuid": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9", + "value": "Guest User Invited By Non Approved Inviters" }, { - "description": "Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions", + "description": "Detects when a temporary access pass (TAP) is added to an account. 
TAPs added to priv accounts should be investigated", "meta": { - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "creation_date": "2022/07/28", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/10", "falsepositive": [ - "When the permission is legitimately needed for the app" + "Administrator adding a legitimate temporary access pass" ], - "filename": "azure_app_privileged_permissions.yml", + "filename": "azure_tap_added.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_privileged_permissions.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_tap_added.yml" ], "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1098.003" + "attack.t1078.004" ] }, "related": [ { - "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "5aecf3d5-f8a0-48e7-99be-3a759df7358f", - "value": "App Granted Privileged Delegated Or App Permissions" + "uuid": "fa84aaf5-8142-43cd-9ec2-78cfebf878ce", + "value": "Temporary Access Pass Added To An Account" }, { - "description": "Identifies when a suppression rule is created in Azure. 
Adversary's could attempt this to evade detection.", + "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/16", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/26", "falsepositive": [ - "Suppression Rule being created may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "If this was approved by System Administrator." ], - "filename": "azure_suppression_rule_created.yml", - "level": "medium", + "filename": "azure_subscription_permissions_elevation_via_auditlogs.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_suppression_rule_created.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml" ], "tags": [ - "attack.impact" + "attack.initial_access", + "attack.t1078" ] }, - "uuid": "92cc3e5d-eb57-419d-8c16-5c63f325a401", - "value": "Azure Suppression Rule Created" + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": 
"ca9bf243-465e-494a-9e54-bf9fc239057d", + "value": "Azure Subscription Permission Elevation Via AuditLogs" }, { - "description": "Monitor and alert on conditional access changes.", + "description": "Detects when an account was created and deleted in a short period of time.", "meta": { - "author": "Corissa Koopmans, '@corissalea'", - "creation_date": "2022/07/18", + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", + "creation_date": "2022/08/11", "falsepositive": [ - "Misconfigured role permissions", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." + "Legit administrative action" ], - "filename": "azure_aad_secops_new_ca_policy_addedby_bad_actor.yml", - "level": "medium", + "filename": "azure_ad_account_created_deleted.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1548" + "attack.t1078" ] }, "related": [ { - "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0922467f-db53-4348-b7bf-dee8d0d348c6", - "value": "New CA Policy by Non-approved Actor" + "uuid": "6f583da0-3a90-4566-a4ed-83c09fe18bbf", + "value": "Account Created And Deleted Within A Close Time Frame" }, { - "description": "Detects AzureHound (A BloodHound data 
collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.", + "description": "Monitor and alert for Bitlocker key retrieval.", "meta": { - "author": "Janantha Marasinghe", - "creation_date": "2022/11/27", + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", "falsepositive": [ "Unknown" ], - "filename": "azure_ad_azurehound_discovery.yml", - "level": "high", + "filename": "azure_ad_bitlocker_key_retrieval.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://github.com/BloodHoundAD/AzureHound", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_azurehound_discovery.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml" ], "tags": [ - "attack.discovery", - "attack.t1087.004", - "attack.t1526" + "attack.defense_evasion", + "attack.t1078.004" ] }, "related": [ { - "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "35b781cc-1a08-4a5a-80af-42fd7c315c6b", - "value": "Discovery Using AzureHound" + "uuid": "a0413867-daf3-43dd-9245-734b3a787942", + "value": "Bitlocker Key Retrieval" }, { - "description": "Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare \"old\" vs \"new\" value.", + "description": "Detects when a new owner is added to an application. 
This gives that account privileges to make modifications and configuration changes to the application.", "meta": { - "author": "Corissa Koopmans, '@corissalea'", - "creation_date": "2022/07/19", + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/02", "falsepositive": [ - "Misconfigured role permissions", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." + "When a new application owner is added by an administrator" ], - "filename": "azure_aad_secops_ca_policy_updatedby_bad_actor.yml", + "filename": "azure_app_owner_added.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_owner_added.yml" ], "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1548", - "attack.t1556" + "attack.t1552", + "attack.credential_access" ] }, "related": [ { - "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", - "value": "CA Policy Updated by Non Approved Actor" + "uuid": "74298991-9fc4-460e-a92e-511aa60baec1", + "value": "Added Owner To Application" }, { - "description": "Identifies 
user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.", + "description": "Detect when a user has reset their password in Azure AD", "meta": { - "author": "AlertIQ", - "creation_date": "2021/10/10", + "author": "YochanaHenderson, '@Yochana-H'", + "creation_date": "2022/08/03", "falsepositive": [ - "Unknown" + "If this was approved by System Administrator or confirmed user action." ], - "filename": "azure_account_lockout.yml", + "filename": "azure_user_password_change.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_account_lockout.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_user_password_change.yml" ], "tags": [ + "attack.persistence", "attack.credential_access", - "attack.t1110" + "attack.t1078.004" ] }, "related": [ { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a", - "value": "Account Lockout" + "uuid": "340ee172-4b67-4fb4-832f-f961bdc1f3aa", + "value": "Password Reset By User Account" }, { - "description": "Detects when changes are made to PIM roles", + "description": "Monitor and alert on group membership additions of groups that have CA policy modification access", "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/09", + "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", + "creation_date": "2022/08/04", "falsepositive": [ - "Legit administrative PIM setting configuration changes" + "User removed from the 
group is approved" ], - "filename": "azure_pim_change_settings.yml", - "level": "high", + "filename": "azure_group_user_addition_ca_modification.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_change_settings.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml" ], "tags": [ - "attack.privilege_escalation", + "attack.defense_evasion", "attack.persistence", - "attack.t1078.004" + "attack.t1548", + "attack.t1556" ] }, "related": [ { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "db6c06c4-bf3b-421c-aa88-15672b88c743", - "value": "Changes To PIM Settings" + "uuid": "91c95675-1f27-46d0-bead-d1ae96b97cd3", + "value": "User Added To Group With CA Policy Modification Access" }, { - "description": "Monitor and alert for users added to device admin roles.", + "description": "Identifies when an user or application modified the federation settings on the domain.", "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", + "author": "Austin Songer", + "creation_date": "2021/09/06", "falsepositive": [ - "Unknown" + "Federation Settings being modified or deleted may be performed by a system administrator.", + "Verify 
whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_ad_users_added_to_device_admin_roles.yml", - "level": "high", + "filename": "azure_federation_modified.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_federation_modified.yml" ], "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1078.004" + "attack.initial_access", + "attack.t1078" ] }, "related": [ { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "11c767ae-500b-423b-bae3-b234450736ed", - "value": "Users Added to Global or Device Admin Roles" + "uuid": "352a54e1-74ba-4929-9d47-8193d67aba1e", + "value": "Azure Domain Federation Settings Modified" }, { - "description": "This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. 
There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure.\n", + "description": "Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.", "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "creation_date": "2021/08/26", + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/05/26", "falsepositive": [ - "Legitimate AD FS servers added to an AAD Health AD FS service instance" + "When credentials are added/removed as part of the normal working hours/workflows" ], - "filename": "azure_aadhybridhealth_adfs_new_server.yml", - "level": "medium", + "filename": "azure_app_credential_added.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://o365blog.com/post/hybridhealthagent/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_credential_added.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1578" + "attack.t1098.001", + "attack.persistence" ] }, "related": [ { - "dest-uuid": "144e007b-e638-431d-a894-45d90c54ab90", + "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "288a39fc-4914-4831-9ada-270e9dc12cb4", - "value": "Azure Active Directory Hybrid Health AD FS New Server" + "uuid": "cbb67ecc-fb70-4467-9350-c910bdf7c628", + "value": "Added Credentials to Existing Application" }, { - "description": "Monitor and alert for Sign-ins by unknown 
devices from non-Trusted locations.", + "description": "Detects when a user is removed from a privileged role. Bulk changes should be investigated.", "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/05", "falsepositive": [ - "Unknown" + "Legtimate administrator actions of removing members from a role" ], - "filename": "azure_ad_sign_ins_from_unknown_devices.yml", - "level": "low", + "filename": "azure_priviledged_role_assignment_bulk_change.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1078.004" + "attack.persistence", + "attack.t1098" ] }, "related": [ { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "4d136857-6a1a-432a-82fc-5dd497ee5e7c", - "value": "Sign-ins by Unknown Devices" + "uuid": "102e11e3-2db5-4c9e-bc26-357d42585d21", + "value": "Bulk Deletion Changes To Privileged Account Permissions" }, { - "description": "Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.", + "description": "Detects when a 
user is added to a privileged role.", "meta": { - "author": "AlertIQ", - "creation_date": "2021/10/10", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/06", "falsepositive": [ - "Unknown" + "Legtimate administrator actions of adding members from a role" ], - "filename": "azure_mfa_interrupted.yml", - "level": "medium", + "filename": "azure_priviledged_role_assignment_add.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_interrupted.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml" ], "tags": [ - "attack.initial_access", - "attack.credential_access", - "attack.t1078.004", - "attack.t1110", - "attack.t1621" + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1078.004" ] }, "related": [ 
@@ -85732,260 +86252,221 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" - }, - { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" } ], - "uuid": "5496ff55-42ec-4369-81cb-00f417029e25", - "value": "Multifactor Authentication Interrupted" + "uuid": "49a268a4-72f4-4e38-8a7b-885be690c5b5", + "value": "User Added To Privilege Role" }, { - "description": "Detects the change of user type from \"Guest\" to \"Member\" for potential elevation of privilege.", + "description": "Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD", "meta": { - "author": "MikeDuddington, '@dudders1'", - "creation_date": "2022/06/30", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/10", "falsepositive": [ - "If this was approved by System Administrator." 
+ "When the permission is legitimately needed for the app" ], - "filename": "azure_guest_to_member.yml", - "level": "medium", + "filename": "azure_app_permissions_msft.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_to_member.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml" ], "tags": [ - "attack.privilege_escalation", - "attack.initial_access", - "attack.t1078.004" + "attack.credential_access", + "attack.t1528" ] }, "related": [ { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e", - "value": "User State Changed From Guest To Member" - }, - { - "description": "Identifies when a owner is was removed from a application or service principal in Azure.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/03", - "falsepositive": [ - "Owner being removed may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_owner_removed_from_application_or_service_principal.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "636e30d5-3736-42ea-96b1-e6e2f8429fd6", - "value": "Azure Owner Removed From Application or Service Principal" + "uuid": "c1d147ae-a951-48e5-8b41-dcd0170c7213", + "value": "App Granted Microsoft Permissions" }, { - "description": "User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.", + "description": "Monitor and alert on conditional access changes where non approved actor removed CA Policy.", "meta": { - "author": "AlertIQ", - "creation_date": "2022/03/24", + "author": "Corissa Koopmans, '@corissalea'", + "creation_date": "2022/07/19", "falsepositive": [ - "Users actually login but miss-click into the Deny button when MFA prompt." + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." 
], - "filename": "azure_mfa_denies.yml", + "filename": "azure_aad_secops_ca_policy_removedby_bad_actor.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_denies.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml" ], "tags": [ - "attack.initial_access", - "attack.credential_access", - "attack.t1078.004", - "attack.t1110", - "attack.t1621" + "attack.defense_evasion", + "attack.persistence", + "attack.t1548", + "attack.t1556" ] }, "related": [ { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99", - "value": "Multifactor Authentication Denied" + "uuid": "26e7c5e2-6545-481e-b7e6-050143459635", + "value": "CA Policy Removed by Non Approved Actor" }, { - "description": "Detects when PIM alerts are set to disabled.", + "description": "Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions", "meta": { - "author": "Mark Morowczynski '@markmorow', 
Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/09", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/28", "falsepositive": [ - "Administrator disabling PIM alerts as an active choice." + "When the permission is legitimately needed for the app" ], - "filename": "azure_pim_alerts_disabled.yml", + "filename": "azure_app_privileged_permissions.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_alerts_disabled.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml" ], "tags": [ "attack.persistence", "attack.privilege_escalation", - "attack.t1078" + "attack.t1098.003" ] }, "related": [ { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd", - "value": "PIM Alert Setting Changes To Disabled" + "uuid": "5aecf3d5-f8a0-48e7-99be-3a759df7358f", + "value": "App Granted Privileged Delegated Or App Permissions" }, { - "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", + "description": "Monitor and alert on conditional access changes.", "meta": { - "author": "sawwinnnaung", - "creation_date": "2020/05/07", + "author": "Corissa Koopmans, '@corissalea'", + "creation_date": "2022/07/18", 
"falsepositive": [ - "Valid change" + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." ], - "filename": "azure_granting_permission_detection.yml", + "filename": "azure_aad_secops_new_ca_policy_addedby_bad_actor.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_granting_permission_detection.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml" ], "tags": [ - "attack.persistence", - "attack.t1098.003" + "attack.defense_evasion", + "attack.t1548" ] }, "related": [ { - "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "a622fcd2-4b5a-436a-b8a2-a4171161833c", - "value": "Granting Of Permissions To An Account" + "uuid": "0922467f-db53-4348-b7bf-dee8d0d348c6", + "value": "New CA Policy by Non-approved Actor" }, { - "description": "Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.", + "description": "Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? 
Review Modified Properties and compare \"old\" vs \"new\" value.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", + "author": "Corissa Koopmans, '@corissalea'", + "creation_date": "2022/07/19", "falsepositive": [ - "Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." ], - "filename": "azure_kubernetes_secret_or_config_object_access.yml", + "filename": "azure_aad_secops_ca_policy_updatedby_bad_actor.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml" ], "tags": [ - "attack.impact" + "attack.defense_evasion", + "attack.persistence", + "attack.t1548", + "attack.t1556" ] }, - "uuid": 
"7ee0b4aa-d8d4-4088-b661-20efdf41a04c", - "value": "Azure Kubernetes Secret or Config Object Access" + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", + "value": "CA Policy Updated by Non Approved Actor" }, { - "description": "Detects when a configuration change is made to an applications URI.\nURIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.\n", + "description": "Detects when changes are made to PIM roles", "meta": { - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "creation_date": "2022/06/02", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/09", "falsepositive": [ - "When and administrator is making legitimate URI configuration changes to an application. This should be a planned event." 
+ "Legit administrative PIM setting configuration changes" ], - "filename": "azure_app_uri_modifications.yml", + "filename": "azure_pim_change_settings.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_uri_modifications.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml" ], "tags": [ - "attack.t1528", - "attack.t1078.004", + "attack.privilege_escalation", "attack.persistence", - "attack.credential_access", - "attack.privilege_escalation" + "attack.t1078.004" ] }, "related": [ - { - "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ 
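Review bot: The new `value` titles in this hunk spell the same qualifier three ways — `"CA Policy Removed by Non Approved Actor"`, `"New CA Policy by Non-approved Actor"`, `"CA Policy Updated by Non Approved Actor"` — and `"User Added To Privilege Role"` does not match its own description ("added to a privileged role") or the sibling title `"Bulk Deletion Changes To Privileged Account Permissions"`; one consistent form (`Non-Approved Actor`, `Privileged Role`) would make these entries searchable together in a MISP instance. The last entry's description `"Detects when changes are made to PIM roles"` also disagrees with its title `"Changes To PIM Settings"`, its filename `azure_pim_change_settings.yml` and its falsepositive text, which all talk about settings; `"Detects when changes are made to PIM role settings"` would align them. These fields look like they are copied from the upstream SigmaHQ rule titles and descriptions that the `refs` point at, so if this cluster is regenerated the correction belongs in those rules rather than in this JSON.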
@@ -85994,146 +86475,153 @@ "type": "related-to" } ], - "uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3", - "value": "Application URI Configuration Changes" + "uuid": "db6c06c4-bf3b-421c-aa88-15672b88c743", + "value": "Changes To PIM Settings" }, { - "description": "Identifies when ClusterRoles/Roles are being modified or deleted.", + "description": "Monitor and alert for users added to device admin roles.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", "falsepositive": [ - "ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Unknown" ], - "filename": "azure_kubernetes_role_access.yml", - "level": "medium", + "filename": "azure_ad_users_added_to_device_admin_roles.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml" ], "tags": [ - "attack.impact" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1078.004" ] }, - "uuid": "818fee0c-e0ec-4e45-824e-83e4817b0887", - "value": "Azure Kubernetes Sensitive Role Access" + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "11c767ae-500b-423b-bae3-b234450736ed", + "value": "Users Added to Global or Device Admin Roles" }, { - "description": "Identifies when a Keyvault Key is modified or deleted in Azure.", + "description": "Detects the change of user type from \"Guest\" to \"Member\" for potential elevation of privilege.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/16", + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/06/30", "falsepositive": [ - "Key being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "If this was approved by System Administrator." 
], - "filename": "azure_keyvault_key_modified_or_deleted.yml", + "filename": "azure_guest_to_member.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml" + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_guest_to_member.yml" ], "tags": [ - "attack.impact", - "attack.credential_access", - "attack.t1552", - "attack.t1552.001" + "attack.privilege_escalation", + "attack.initial_access", + "attack.t1078.004" ] }, "related": [ { - "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "80eeab92-0979-4152-942d-96749e11df40", - "value": "Azure Keyvault Key Modified or Deleted" + "uuid": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e", + "value": "User State Changed From Guest To Member" }, { - "description": "Identifies when a VPN connection is modified or deleted.", + "description": "Detects when PIM alerts are set to disabled.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/09", "falsepositive": [ - "VPN Connection being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Administrator disabling PIM alerts as an active choice." ], - "filename": "azure_vpn_connection_modified_or_deleted.yml", - "level": "medium", + "filename": "azure_pim_alerts_disabled.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml" ], "tags": [ - "attack.impact" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" ] }, - "uuid": "61171ffc-d79c-4ae5-8e10-9323dba19cd3", - "value": "Azure VPN Connection Modified or Deleted" + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd", + "value": "PIM Alert Setting Changes To Disabled" }, { - "description": "Detect failed authentications from countries you do not operate out of.", + "description": "Detects when a configuration change is made to an applications URI.\nURIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.\n", "meta": { - "author": "MikeDuddington, 
'@dudders1'", - "creation_date": "2022/07/28", + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/02", "falsepositive": [ - "If this was approved by System Administrator." + "When and administrator is making legitimate URI configuration changes to an application. This should be a planned event." ], - "filename": "azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml", - "level": "low", + "filename": "azure_app_uri_modifications.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml" ], "tags": [ - "attack.initial_access", - "attack.credential_access", + "attack.t1528", "attack.t1078.004", - "attack.t1110" + "attack.persistence", + "attack.credential_access", + "attack.privilege_escalation" ] }, "related": [ { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "28870ae4-6a13-4616-bd1a-235a7fad7458", - "value": "Failed Authentications From Countries You Do Not Operate Out Of" + "uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3", + "value": "Application URI Configuration Changes" }, { 
"description": "Detects when a configuration change is made to an applications AppID URI.", @@ -86149,7 +86637,7 @@ "logsource.product": "azure", "refs": [ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_appid_uri_changes.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml" ], "tags": [ "attack.persistence", 
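Review bot: The new `"Users Added to Global or Device Admin Roles"` entry has a description, `"Monitor and alert for users added to device admin roles."`, that drops the Global admin role its title names, and a falsepositive of `"Unknown"` even though the neighbouring role-assignment entries in this file state the obvious benign cause (legitimate administrator role assignment); an analyst triaging this high-level alert gets less guidance here than from the sibling rules. Suggested wording: `"Monitor and alert for users added to Global Admin or device admin roles."` and `"Legitimate administrator actions of adding members to a privileged role"`. As with the other entries, the text appears to come from the upstream Sigma rule referenced in `refs`, so the fix presumably belongs there if this file is generated. The remaining entries in this hunk are relocations with only the `refs` path changed to the `audit_logs/` directory.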
@@ -86179,51 +86667,56 @@ "value": "Application AppID Uri Configuration Changes" }, { - "description": "Detects when a Container Registry is created or deleted.", + "description": "Detects guest users being invited to tenant by non-approved inviters", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/28", "falsepositive": [ - "Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "If this was approved by System Administrator." ], - "filename": "azure_container_registry_created_or_deleted.yml", - "level": "low", + "filename": "azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml" + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml" ], "tags": [ - "attack.impact" + "attack.initial_access", + "attack.t1078" ] }, - "uuid": "93e0ef48-37c8-49ed-a02c-038aab23628e", - "value": "Azure Container Registry Created or Deleted" + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4ad97bf5-a514-41a4-abd3-4f3455ad4865", + "value": "Guest Users Invited To Tenant By Non Approved Inviters" }, { - "description": "Detect failed attempts to sign in to disabled accounts.", + "description": "Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.", "meta": { - "author": "AlertIQ", - "creation_date": "2021/10/10", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/09", "falsepositive": [ - "Unknown" + "Actual admin using PIM." ], - "filename": "azure_login_to_disabled_account.yml", - "level": "medium", + "filename": "azure_pim_activation_approve_deny.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_login_to_disabled_account.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml" ], "tags": [ - "attack.initial_access", + "attack.privilege_escalation", "attack.t1078.004" ] }, 
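Review bot: The second sentence of the new `"PIM Approvals And Deny Elevation"` description, `"Outside of normal operations should be investigated."`, is a fragment with no subject; `"Approvals or denials outside of normal operations should be investigated."` says what the analyst is meant to look at. The `"Guest Users Invited To Tenant By Non Approved Inviters"` entry's falsepositive, `"If this was approved by System Administrator."`, gives no hint that "non-approved" presumably depends on a tenant-specific list of approved inviters, which is the detail an operator needs before deploying the rule; a short note such as `"Inviters on the tenant's approved list; the rule must be tuned per environment"` would cover it. Both strings appear to mirror the upstream Sigma rules in `refs`, so the correction belongs there if this cluster is regenerated. The `related` block of the PIM entry continues in the next hunk.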
@@ -86236,276 +86729,270 @@ "type": "related-to" } ], - "uuid": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8", - "value": "Login to Disabled Account" + "uuid": "039a7469-0296-4450-84c0-f6966b16dc6d", + "value": "PIM Approvals And Deny Elevation" }, { - "description": "Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", + "description": "Detects when highly privileged delegated permissions are granted on behalf of all users", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/07/24", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/28", "falsepositive": [ - "Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ "When the permission is legitimately needed for the app" ], - "filename": "azure_kubernetes_events_deleted.yml", - "level": "medium", + "filename": "azure_app_delegated_permissions_all_users.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1562", - "attack.t1562.001" + "attack.credential_access", + "attack.t1528" ] }, "related": [ { - "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35", - "value": "Azure Kubernetes Events Deleted" + "uuid": "a6355fbe-f36f-45d8-8efc-ab42465cbc52", + "value": "Delegated Permissions Granted For All Users" }, { - "description": "User Added to an Administrator's Azure AD Role", + "description": "Monitor and alert for changes to the device registration policy.", "meta": { - "author": "Raphaël CALVET, @MetallicHack", - "creation_date": "2021/10/04", + "author": "Michael Epping, '@mepples21'", + 
"creation_date": "2022/06/28", "falsepositive": [ - "PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled." + "Unknown" ], - "filename": "azure_ad_user_added_to_admin_role.yml", - "level": "medium", + "filename": "azure_ad_device_registration_policy_changes.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml" ], "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1098.003", - "attack.t1078" + "attack.t1484" ] }, "related": [ { - "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7", - "value": "User Added to an Administrator's Azure AD Role" + "uuid": "9494bff8-959f-4440-bbce-fb87a208d517", + "value": "Changes to Device Registration Policy" }, { - "description": "Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. 
Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", + "description": "Detects when a new admin is created.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/22", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton", + "creation_date": "2022/08/11", "falsepositive": [ - "Azure Kubernetes CronJob/Job may be done by a system administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." + "A legitimate new admin account being created" ], - "filename": "azure_kubernetes_cronjob.yml", + "filename": "azure_privileged_account_creation.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml" ], "tags": [ "attack.persistence", - "attack.t1053.003", "attack.privilege_escalation", - "attack.execution" + "attack.t1078.004" ] }, "related": [ { - "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a", - 
"value": "Azure Kubernetes CronJob" + "uuid": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947", + "value": "Privileged Account Creation" }, { - "description": "Detects guest users being invited to tenant by non-approved inviters", + "description": "Monitor and alert on group membership removal of groups that have CA policy modification access", "meta": { - "author": "MikeDuddington, '@dudders1'", - "creation_date": "2022/07/28", + "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", + "creation_date": "2022/08/04", "falsepositive": [ - "If this was approved by System Administrator." + "User removed from the group is approved" ], - "filename": "azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml", + "filename": "azure_group_user_removal_ca_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml" ], "tags": [ - "attack.initial_access", - "attack.t1078" + "attack.defense_evasion", + "attack.persistence", + "attack.t1548", + "attack.t1556" ] }, "related": [ { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": 
"4ad97bf5-a514-41a4-abd3-4f3455ad4865", - "value": "Guest Users Invited To Tenant By Non Approved Inviters" + "uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c", + "value": "User Removed From Group With CA Policy Modification Access" }, { - "description": "Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.", + "description": "Detects when end user consent is blocked due to risk-based consent.", "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/09", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/10", "falsepositive": [ - "Actual admin using PIM." + "Unknown" ], - "filename": "azure_pim_activation_approve_deny.yml", - "level": "high", + "filename": "azure_app_end_user_consent_blocked.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_activation_approve_deny.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml" ], "tags": [ - "attack.privilege_escalation", - "attack.t1078.004" + "attack.credential_access", + "attack.t1528" ] }, "related": [ { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "039a7469-0296-4450-84c0-f6966b16dc6d", - "value": "PIM Approvals And Deny Elevation" + "uuid": "7091372f-623c-4293-bc37-20c32b3492be", + 
"value": "End User Consent Blocked" }, { - "description": "Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.", + "description": "Identifies when a service principal is created in Azure.", "meta": { "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", + "creation_date": "2021/09/02", "falsepositive": [ - "RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Service principal being created may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], - "filename": "azure_kubernetes_rolebinding_modified_or_deleted.yml", + "filename": "azure_service_principal_created.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_service_principal_created.yml" ], "tags": [ - "attack.impact", - "attack.credential_access" + "attack.defense_evasion" ] }, - "uuid": "25cb259b-bbdc-4b87-98b7-90d7c72f8743", - "value": "Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted" + "uuid": "0ddcff6d-d262-40b0-804b-80eb592de8e3", + "value": "Azure Service Principal Created" }, { - "description": "Detects when highly privileged delegated permissions are granted on behalf of all users", + "description": "Identifies when a key vault is modified or deleted.", "meta": { - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "creation_date": "2022/07/28", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/16", "falsepositive": [ - "When the permission is legitimately needed for the app" + "Key Vault being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or 
hostname should be making changes in your environment.", + "Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_app_delegated_permissions_all_users.yml", - "level": "high", + "filename": "azure_keyvault_modified_or_deleted.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_delegated_permissions_all_users.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml" ], "tags": [ + "attack.impact", "attack.credential_access", - "attack.t1528" + "attack.t1552", + "attack.t1552.001" ] }, "related": [ { - "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "a6355fbe-f36f-45d8-8efc-ab42465cbc52", - "value": "Delegated Permissions Granted For All Users" + "uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d", + "value": "Azure Key Vault Modified or Deleted" }, { - "description": "Identifies when a firewall is created, modified, or deleted.", + "description": "Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.", "meta": { "author": "Austin Songer @austinsonger", "creation_date": "2021/08/08", "falsepositive": [ - "Firewall 
being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_firewall_modified_or_deleted.yml", + "filename": "azure_firewall_rule_collection_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_modified_or_deleted.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml" ], "tags": [ "attack.impact", 
@@ -86522,28 +87009,32 @@ "type": "related-to" } ], - "uuid": "512cf937-ea9b-4332-939c-4c2c94baadcd", - "value": "Azure Firewall Modified or Deleted" + "uuid": "025c9fe7-db72-49f9-af0d-31341dd7dd57", + "value": "Azure Firewall Rule Collection Modified or Deleted" }, { - "description": "Detects risky authencaition from a non AD registered device without MFA being required.", + "description": "Identifies when an admission controller is executed in Azure Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.\nAn adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", "meta": { - "author": "Harjot Singh, '@cyb3rjy0t'", - "creation_date": "2023/01/10", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/25", "falsepositive": [ - "Unknown" + "Azure Kubernetes Admissions Controller may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." 
], - "filename": "azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml", - "level": "high", + "filename": "azure_kubernetes_admission_controller.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1078" + "attack.persistence", + "attack.t1078", + "attack.credential_access", + "attack.t1552", + "attack.t1552.007" ] }, "related": [ 
@@ -86553,197 +87044,229 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], - "uuid": "572b12d4-9062-11ed-a1eb-0242ac120002", - "value": "Suspicious SignIns From A Non Registered Device" + "uuid": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58", + "value": "Azure Kubernetes Admission Controller" }, { - "description": "Identifies when DNS zone is modified or deleted.", + "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", + "author": "sawwinnnaung", + "creation_date": "2020/05/07", "falsepositive": [ - "DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ "Valid change" ], - "filename": "azure_dns_zone_modified_or_deleted.yml", + "filename": "azure_rare_operations.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml" + "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_rare_operations.yml" ], "tags": [ - "attack.impact", - "attack.t1565.001" + "attack.t1003" ] }, "related": [ { - "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "af6925b0-8826-47f1-9324-337507a0babd", - "value": "Azure DNS Zone Modified or Deleted" + "uuid": "c1182e02-49a3-481c-b3de-0fadc4091488", + "value": "Rare Subscription-level Operations In Azure" }, { - "description": "Identifies when a Virtual Network is modified or deleted in Azure.", + "description": "Identifies when a application gateway is modified or deleted.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", + "author": "Austin Songer", + "creation_date": "2021/08/16", "falsepositive": [ - "Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ "Application gateway being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_virtual_network_modified_or_deleted.yml", + "filename": "azure_application_gateway_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, - "uuid": "bcfcc962-0e4a-4fd9-84bb-a833e672df3f", - "value": "Azure Virtual Network Modified or Deleted" + "uuid": "ad87d14e-7599-4633-ba81-aeb60cfe8cd6", + "value": "Azure Application Gateway Modified or Deleted" }, { - "description": "Monitor and alert for changes to the device registration policy.", + "description": "Identifies when a application security group is modified or deleted.", "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", + "author": "Austin Songer", + "creation_date": "2021/08/16", "falsepositive": [ - "Unknown" + "Application security group being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], - "filename": "azure_ad_device_registration_policy_changes.yml", - "level": "high", + "filename": "azure_application_security_group_modified_or_deleted.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml" ], "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484" + "attack.impact" ] }, - "related": [ - { - "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "9494bff8-959f-4440-bbce-fb87a208d517", - "value": "Changes to Device Registration Policy" + "uuid": "835747f1-9329-40b5-9cc3-97d465754ce6", + "value": "Azure Application Security Group Modified or Deleted" }, { - "description": "Detect when users are authenticating without MFA being required.", + "description": "Identifies the deletion of Azure Kubernetes Pods.", "meta": { - "author": "MikeDuddington, '@dudders1'", - "creation_date": "2022/07/27", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", "falsepositive": [ - "If this was approved by System Administrator." + "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], - "filename": "azure_ad_only_single_factor_auth_required.yml", - "level": "low", + "filename": "azure_kubernetes_pods_deleted.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_only_single_factor_auth_required.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml" ], "tags": [ - "attack.initial_access", - "attack.credential_access", - "attack.t1078.004", - "attack.t1556.006" + "attack.impact" + ] + }, + "uuid": "b02f9591-12c3-4965-986a-88028629b2e1", + "value": "Azure Kubernetes Pods Deleted" + }, + { + "description": "Identifies when a device or device configuration in azure is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/03", + "falsepositive": [ + "Device or device configuration being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_device_or_configuration_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485", + "attack.t1565.001" ] }, "related": [ { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" }, { - "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c", - "value": "Azure AD Only Single Factor Authentication Required" + "uuid": "46530378-f9db-4af9-a9e5-889c177d3881", + "value": "Azure Device or Configuration Modified or Deleted" }, { - "description": "Monitor and alert for sign-ins where the device was non-compliant.", + "description": "Identifies when a application is deleted in Azure.", "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/03", "falsepositive": [ - "Unknown" + "Application being deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], - "filename": "azure_ad_sign_ins_from_noncompliant_devices.yml", - "level": "high", + "filename": "azure_application_deleted.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_application_deleted.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1078.004" + "attack.impact", + "attack.t1489" ] }, "related": [ { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "4f77e1d7-3982-4ee0-8489-abf2d6b75284", - "value": "Sign-ins from Non-Compliant Devices" + "uuid": "410d2a41-1e6d-452f-85e5-abdd8257a823", + "value": "Azure Application Deleted" }, { - "description": "Detects when a new admin is created.", + "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton", - "creation_date": "2022/08/11", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/26", "falsepositive": [ - "A legitimate new admin account being created" + "If this was approved by System Administrator." 
], - "filename": "azure_privileged_account_creation.yml", - "level": "medium", + "filename": "azure_subscription_permissions_elevation_via_activitylogs.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_privileged_account_creation.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml" ], "tags": [ - "attack.persistence", - "attack.privilege_escalation", + "attack.initial_access", "attack.t1078.004" ] }, 
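Review bot: Several entries removed in this hunk — uuids `572b12d4-9062-11ed-a1eb-0242ac120002`, `28eea407-28d7-4e42-b0be-575d5ba60b2c` and `4f77e1d7-3982-4ee0-8489-abf2d6b75284` (the non-registered-device, single-factor-auth and non-compliant-device sign-in rules) — have no re-added counterpart visible in this chunk, and the following hunk header `-86756,1283 +87279,995` shows a net loss of lines, so please confirm they reappear elsewhere in the regenerated file rather than being dropped; a cluster uuid is the key that MISP events and taxonomies pin on, and silently losing one breaks existing references to those detections. The churn itself appears to follow from the upstream rules moving into `audit_logs/` and `activity_logs/` subfolders (see the new `refs` paths) while the generator emits entries in directory order, so unrelated entries get paired as rewrites of each other's description, author and uuid. Sorting the output by uuid or filename before writing would make such regenerations reviewable as moves instead of full rewrites; the same pattern applies to the hunks starting at the `@@ -86179` and `@@ -86236` headers.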
@@ -86756,1283 +87279,995 @@ "type": "related-to" } ], - "uuid": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947", - "value": "Privileged Account Creation" + "uuid": "09438caa-07b1-4870-8405-1dbafe3dad95", + "value": "Azure Subscription Permission Elevation Via ActivityLogs" }, { - "description": "Identifies when a device in azure is no longer managed or compliant", + "description": "Identifies when a Firewall Rule Configuration is Modified or Deleted.", "meta": { "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/03", + "creation_date": "2021/08/08", "falsepositive": [ - "Administrator may have forgotten to review the device." + "Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], - "filename": "azure_device_no_longer_managed_or_compliant.yml", + "filename": "azure_network_firewall_rule_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml" ], "tags": [ "attack.impact" ] }, - "uuid": "542b9912-c01f-4e3f-89a8-014c48cdca7d", - "value": "Azure Device No Longer Managed or Compliant" + "uuid": "2a7d64cf-81fa-4daf-ab1b-ab80b789c067", + "value": "Azure Firewall Rule Configuration Modified or Deleted" }, { - "description": "Monitor and alert on group membership removal of groups that have CA policy modification access", + "description": "Detects when a Azure Kubernetes Cluster is created or deleted.", "meta": { - "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", - "creation_date": "2022/08/04", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", "falsepositive": [ - "User removed from the group is approved" + "Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], - "filename": "azure_group_user_removal_ca_modification.yml", - "level": "medium", + "filename": "azure_kubernetes_cluster_created_or_deleted.yml", + "level": "low", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_removal_ca_modification.yml" + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1548", - "attack.t1556" + "attack.impact" ] }, - "related": [ - { - "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c", - "value": "User Removed From Group With CA Policy Modification Access" + "uuid": "9541f321-7cba-4b43-80fc-fbd1fb922808", + "value": "Azure Kubernetes Cluster Created or Deleted" }, { - "description": "Detects when there is a interruption in the authentication process.", + "description": "Identifies when a network security configuration is modified or 
deleted.", "meta": { "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/26", + "creation_date": "2021/08/08", "falsepositive": [ - "Unknown" + "Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_unusual_authentication_interruption.yml", + "filename": "azure_network_security_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_unusual_authentication_interruption.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml" ], "tags": [ - "attack.initial_access", - "attack.t1078" + "attack.impact" ] }, - "related": [ - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "8366030e-7216-476b-9927-271d79f13cf3", - "value": "Azure Unusual Authentication Interruption" + "uuid": "d22b4df4-5a67-4859-a578-8c9a0b5af9df", + "value": "Azure Network Security Configuration Modified or Deleted" }, { - "description": "Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.", + "description": "Number of VM creations or deployment activities occur in Azure via the 
azureactivity log.", "meta": { - "author": "@ionsor", - "creation_date": "2022/02/08", + "author": "sawwinnnaung", + "creation_date": "2020/05/07", "falsepositive": [ - "Authorized modification by administrators" - ], - "filename": "azure_mfa_disabled.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_disabled.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1556" - ] - }, - "related": [ - { - "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7ea78478-a4f9-42a6-9dcd-f861816122bf", - "value": "Disabled MFA to Bypass Authentication Mechanisms" - }, - { - "description": "Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.\nIf this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.\nThis can be a misconfigured application or potentially something malicious.\n", - "meta": { - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "creation_date": "2022/06/01", - "falsepositive": [ - "Applications that are input constrained will need to use device code flow and are valid authentications." 
+ "Valid change" ], - "filename": "azure_app_device_code_authentication.yml", + "filename": "azure_creating_number_of_resources_detection.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_device_code_authentication.yml" + "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml" ], "tags": [ - "attack.t1078", - "attack.defense_evasion", "attack.persistence", - "attack.privilege_escalation", - "attack.initial_access" + "attack.t1098" ] }, "related": [ { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "248649b7-d64f-46f0-9fb2-a52774166fb5", - "value": "Application Using Device Code Authentication Flow" + "uuid": "d2d901db-7a75-45a1-bc39-0cbf00812192", + "value": "Number Of Resource Creation Or Deployment Activities" }, { - "description": "Detects when end user consent is blocked due to risk-based consent.", + "description": "Identifies when a virtual network device is being modified or deleted.\nThis can be a network interface, network virtual appliance, virtual hub, or virtual router.\n", "meta": { - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "creation_date": "2022/07/10", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", "falsepositive": [ - "Unknown" + "Virtual Network Device being modified or deleted may be performed by a 
system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_app_end_user_consent_blocked.yml", + "filename": "azure_network_virtual_device_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent_blocked.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml" ], "tags": [ - "attack.credential_access", - "attack.t1528" + "attack.impact" ] }, - "related": [ - { - "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7091372f-623c-4293-bc37-20c32b3492be", - "value": "End User Consent Blocked" + "uuid": "15ef3fac-f0f0-4dc4-ada0-660aa72980b3", + "value": "Azure Virtual Network Device Modified or Deleted" }, { - "description": "Detects when an account is disabled or blocked for sign in but tried to log in", + "description": "Identifies when a Firewall Policy is Modified or Deleted.", "meta": { - "author": "Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/06/17", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/02", "falsepositive": [ - "Account disabled or blocked in error", - "Automation account has been blocked or disabled" + "Firewall Policy being modified 
or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_blocked_account_attempt.yml", + "filename": "azure_network_firewall_policy_modified_or_deleted.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_blocked_account_attempt.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml" ], "tags": [ - "attack.initial_access", - "attack.t1078.004" + "attack.impact", + "attack.defense_evasion", + "attack.t1562.007" ] }, "related": [ { - "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "dest-uuid": "77532a55-c283-4cd2-bc5d-2d0b65e9d88c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "4afac85c-224a-4dd7-b1af-8da40e1c60bd", - "value": "Account Disabled or Blocked for Sign in Attempts" + "uuid": "83c17918-746e-4bd9-920b-8e098bf88c23", + "value": "Azure Network Firewall Policy Modified or Deleted" }, { - "description": "Identifies when a Point-to-site VPN is Modified or Deleted.", + "description": "Identifies when a service principal was removed in Azure.", "meta": { "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", + "creation_date": "2021/09/03", "falsepositive": [ - "Point-to-site VPN being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Service principal being removed may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_network_p2s_vpn_modified_or_deleted.yml", + "filename": "azure_service_principal_removed.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml" ], "tags": [ - "attack.impact" + "attack.defense_evasion" ] }, - "uuid": "d9557b75-267b-4b43-922f-a775e2d1f792", - "value": "Azure Point-to-site VPN Modified or Deleted" + "uuid": "448fd1ea-2116-4c62-9cde-a92d120e0f08", + "value": "Azure Service Principal Removed" }, { - "description": "Identifies when secrets are modified or deleted in Azure.", + "description": "Identifies when a new cloudshell is created inside of Azure portal.", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/16", + "author": "Austin Songer", + "creation_date": "2021/09/21", "falsepositive": [ - "Secrets being modified or deleted may be performed by a system administrator.", - 
"Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "A new cloudshell may be created by a system administrator." ], - "filename": "azure_keyvault_secrets_modified_or_deleted.yml", + "filename": "azure_new_cloudshell_created.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml" ], "tags": [ - "attack.impact", - "attack.credential_access", - "attack.t1552", - "attack.t1552.001" + "attack.execution", + "attack.t1059" ] }, "related": [ { - "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b831353c-1971-477b-abb6-2828edc3bca1", - "value": "Azure Keyvault Secrets Modified or Deleted" + "uuid": "72af37e2-ec32-47dc-992b-bc288a2708cb", + "value": "Azure New CloudShell Created" }, { - "description": "Identifies when a Azure Kubernetes network policy is modified or deleted.", + "description": "Identifies when a application credential is modified.", "meta": { "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", + "creation_date": "2021/09/02", "falsepositive": [ - "Network Policy being modified and deleted may be performed by a 
system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + "Application credential added may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_kubernetes_network_policy_change.yml", + "filename": "azure_app_credential_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml" + "https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_app_credential_modification.yml" ], "tags": [ - "attack.impact", - "attack.credential_access" + "attack.impact" ] }, - "uuid": "08d6ac24-c927-4469-b3b7-2e422d6e3c43", - "value": "Azure Kubernetes Network Policy Change" + "uuid": "cdeef967-f9a1-4375-90ee-6978c5f23974", + "value": "Azure Application Credential Modified" }, { - "description": "Identifies when a 
service account is modified or deleted.", + "description": "This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\n", "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/08/26", "falsepositive": [ - "Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ "Legitimate AAD Health AD FS service instances being deleted in a tenant" ], - "filename": "azure_kubernetes_service_account_modified_or_deleted.yml", + "filename": "azure_aadhybridhealth_adfs_service_delete.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml" + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml" ], "tags": [ - "attack.impact", - "attack.t1531" + "attack.defense_evasion", + "attack.t1578.003" ] }, "related": [ { - "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2", - "value": "Azure Kubernetes Service Account Modified or Deleted" + "uuid": "48739819-8230-4ee3-a8ea-e0289d1fb0ff", + "value": "Azure Active Directory Hybrid Health AD FS Service Delete" }, { - "description": "Identifies an event where there are there are too many accounts assigned the Global Administrator role.", + "description": "Identifies when a suppression rule is created in Azure. 
Adversary's could attempt this to evade detection.", "meta": { - "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", - "creation_date": "2023/09/14", + "author": "Austin Songer", + "creation_date": "2021/08/16", "falsepositive": [ - "Investigate if threshold setting in PIM is too low." + "Suppression Rule being created may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_pim_too_many_global_admins.yml", - "level": "high", + "filename": "azure_suppression_rule_created.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml" ], "tags": [ - "attack.t1078", - "attack.persistence", - "attack.privilege_escalation" + "attack.impact" ] }, - "related": [ - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7bbc309f-e2b1-4eb1-8369-131a367d67d3", - "value": "Too Many Global Admins" + "uuid": "92cc3e5d-eb57-419d-8c16-5c63f325a401", + "value": "Azure Suppression Rule Created" }, { - "description": "Identifies when a user has been assigned a privilege role and are not using that 
role.", + "description": "This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure.\n", "meta": { - "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", - "creation_date": "2023/09/14", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/08/26", "falsepositive": [ - "Investigate if potential generic account that cannot be removed." + "Legitimate AD FS servers added to an AAD Health AD FS service instance" ], - "filename": "azure_pim_role_not_used.yml", - "level": "high", + "filename": "azure_aadhybridhealth_adfs_new_server.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml" + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml" ], "tags": [ - "attack.t1078", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion", + "attack.t1578" ] }, "related": [ { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "144e007b-e638-431d-a894-45d90c54ab90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "8c6ec464-4ae4-43ac-936a-291da66ed13d", - "value": "Roles Are Not Being Used" + 
"uuid": "288a39fc-4914-4831-9ada-270e9dc12cb4", + "value": "Azure Active Directory Hybrid Health AD FS New Server" }, { - "description": "Identifies when the same privilege role has multiple activations by the same user.", + "description": "Identifies when a owner is was removed from a application or service principal in Azure.", "meta": { - "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", - "creation_date": "2023/09/14", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/03", "falsepositive": [ - "Investigate where if active time period for a role is set too short." + "Owner being removed may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_pim_role_frequent_activation.yml", - "level": "high", + "filename": "azure_owner_removed_from_application_or_service_principal.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml" ], "tags": [ - "attack.t1078", - "attack.persistence", - "attack.privilege_escalation" + "attack.defense_evasion" ] }, - "related": [ - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - 
 "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "645fd80d-6c07-435b-9e06-7bc1b5656cba",
- "value": "Roles Activated Too Frequently"
+ "uuid": "636e30d5-3736-42ea-96b1-e6e2f8429fd6",
+ "value": "Azure Owner Removed From Application or Service Principal"
 },
 {
- "description": "Identifies when an organization doesn't have the proper license for PIM and is out of compliance.",
+ "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/14",
+ "author": "sawwinnnaung",
+ "creation_date": "2020/05/07",
 "falsepositive": [
- "Investigate if licenses have expired."
+ "Valid change"
 ],
- "filename": "azure_pim_invalid_license.yml",
- "level": "high",
+ "filename": "azure_granting_permission_detection.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml"
+ "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml"
 ],
 "tags": [
- "attack.t1078",
 "attack.persistence",
- "attack.privilege_escalation"
+ "attack.t1098.003"
 ]
 },
 "related": [
 {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "58af08eb-f9e1-43c8-9805-3ad9b0482bd8",
- "value": "Invalid PIM License"
+ "uuid": "a622fcd2-4b5a-436a-b8a2-a4171161833c",
+ "value": "Granting Of Permissions To An Account"
 },
 {
- "description": "Identifies when a privilege role can be activated without performing mfa.",
+ "description": "Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/14",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/07",
 "falsepositive": [
- "Investigate if user is performing MFA at sign-in."
+ "Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
 ],
- "filename": "azure_pim_role_no_mfa_required.yml",
- "level": "high",
+ "filename": "azure_kubernetes_secret_or_config_object_access.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml"
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml"
 ],
 "tags": [
- "attack.t1078",
- "attack.persistence",
- "attack.privilege_escalation"
+ "attack.impact"
 ]
 },
- "related": [
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "94a66f46-5b64-46ce-80b2-75dcbe627cc0",
- "value": "Roles Activation Doesn't Require MFA"
+ "uuid": "7ee0b4aa-d8d4-4088-b661-20efdf41a04c",
+ "value": "Azure Kubernetes Secret or Config Object Access"
 },
 {
- "description": "Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.",
+ "description": "Identifies when ClusterRoles/Roles are being modified or deleted.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/14",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/07",
 "falsepositive": [
- "Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there."
+ "ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
 ],
- "filename": "azure_pim_role_assigned_outside_of_pim.yml",
- "level": "high",
+ "filename": "azure_kubernetes_role_access.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml"
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml"
 ],
 "tags": [
- "attack.t1078",
- "attack.persistence",
- "attack.privilege_escalation"
+ "attack.impact"
 ]
 },
- "related": [
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b1bc08d1-8224-4758-a0e6-fbcfc98c73bb",
- "value": "Roles Assigned Outside PIM"
+ "uuid": "818fee0c-e0ec-4e45-824e-83e4817b0887",
+ "value": "Azure Kubernetes Sensitive Role Access"
 },
 {
- "description": "Identifies when an account hasn't signed in during the past n number of days.",
+ "description": "Identifies when a Keyvault Key is modified or deleted in Azure.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/14",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/16",
 "falsepositive": [
- "Investigate if potential generic account that cannot be removed."
+ "Key being modified or deleted may be performed by a system administrator.",
+ "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
 ],
- "filename": "azure_pim_account_stale.yml",
- "level": "high",
+ "filename": "azure_keyvault_key_modified_or_deleted.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml"
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml"
 ],
 "tags": [
- "attack.t1078",
- "attack.persistence",
- "attack.privilege_escalation"
+ "attack.impact",
+ "attack.credential_access",
+ "attack.t1552",
+ "attack.t1552.001"
 ]
 },
 "related": [
 {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
- }
- ],
- "uuid": "e402c26a-267a-45bd-9615-bd9ceda6da85",
- "value": "Stale Accounts In A Privileged Role"
- },
- {
- "description": "Indicates that a password spray attack has been successfully performed.",
- "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/03",
- "falsepositive": [
- "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
- ],
- "filename": "azure_identity_protection_password_spray.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "azure",
- "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml"
- ],
- "tags": [
- "attack.t1110",
- "attack.credential_access"
- ]
- },
- "related": [
+ },
 {
- "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "28ecba0a-c743-4690-ad29-9a8f6f25a6f9",
- "value": "Password Spray Activity"
+ "uuid": "80eeab92-0979-4152-942d-96749e11df40",
+ "value": "Azure Keyvault Key Modified or Deleted"
 },
 {
- "description": "Detects suspicious rules that delete or move messages or folders are set on a user's inbox.",
+ "description": "Identifies when a VPN connection is modified or deleted.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/03",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/08",
 "falsepositive": [
- "Actual mailbox rules that are moving items based on their workflow."
+ "VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
 ],
- "filename": "azure_identity_protection_inbox_manipulation.yml",
- "level": "high",
+ "filename": "azure_vpn_connection_modified_or_deleted.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml"
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml"
 ],
 "tags": [
- "attack.t1140",
- "attack.defense_evasion"
+ "attack.impact"
 ]
 },
- "related": [
- {
- "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "ceb55fd0-726e-4656-bf4e-b585b7f7d572",
- "value": "Suspicious Inbox Manipulation Rules"
+ "uuid": "61171ffc-d79c-4ae5-8e10-9323dba19cd3",
+ "value": "Azure VPN Connection Modified or Deleted"
 },
 {
- "description": "Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.",
+ "description": "Detects when a Container Registry is created or deleted.",
 "meta": {
- "author": "Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/08/22",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/07",
 "falsepositive": [
- "We recommend investigating the sessions flagged by this detection in the context of other sign-ins"
+ "Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
 ],
- "filename": "azure_identity_protection_anonymous_ip_address.yml",
- "level": "high",
+ "filename": "azure_container_registry_created_or_deleted.yml",
+ "level": "low",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0",
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anonymous-ip-address",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml"
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml"
 ],
 "tags": [
- "attack.t1528",
- "attack.credential_access"
+ "attack.impact"
 ]
 },
- "related": [
- {
- "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "53acd925-2003-440d-a1f3-71a5253fe237",
- "value": "Anonymous IP Address"
+ "uuid": "93e0ef48-37c8-49ed-a02c-038aab23628e",
+ "value": "Azure Container Registry Created or Deleted"
 },
 {
- "description": "Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.",
+ "description": "Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/03",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/07/24",
 "falsepositive": [
- "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
+ "Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
 ],
- "filename": "azure_identity_protection_new_coutry_region.yml",
- "level": "high",
+ "filename": "azure_kubernetes_events_deleted.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country",
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml"
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml"
 ],
 "tags": [
- "attack.t1078",
- "attack.persistence",
 "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.initial_access"
+ "attack.t1562",
+ "attack.t1562.001"
 ]
 },
 "related": [
 {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
- }
- ],
- "uuid": "adf9f4d2-559e-4f5c-95be-c28dff0b1476",
- "value": "New Country"
- },
- {
- "description": "Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address",
- "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/03",
- "falsepositive": [
- "A legitmate forwarding rule."
- ],
- "filename": "azure_identity_protection_inbox_forwarding_rule.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "azure",
- "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml"
- ],
- "tags": [
- "attack.t1140",
- "attack.defense_evasion"
- ]
- },
- "related": [
+ },
 {
- "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "27e4f1d6-ae72-4ea0-8a67-77a73a289c3d",
- "value": "Suspicious Inbox Forwarding Identity Protection"
+ "uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35",
+ "value": "Azure Kubernetes Events Deleted"
 },
 {
- "description": "Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.",
+ "description": "User Added to an Administrator's Azure AD Role",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/03",
+ "author": "Raphaël CALVET, @MetallicHack",
+ "creation_date": "2021/10/04",
 "falsepositive": [
- "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
+ "PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled."
 ],
- "filename": "azure_identity_protection_atypical_travel.yml",
- "level": "high",
+ "filename": "azure_ad_user_added_to_admin_role.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml"
+ "https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml"
 ],
 "tags": [
- "attack.t1078",
 "attack.persistence",
- "attack.defense_evasion",
 "attack.privilege_escalation",
- "attack.initial_access"
- ]
- },
- "related": [
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1a41023f-1e70-4026-921a-4d9341a9038e",
- "value": "Atypical Travel"
- },
- {
- "description": "Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft",
- "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/07",
- "falsepositive": [
- "This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated."
- ],
- "filename": "azure_identity_protection_prt_access.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "azure",
- "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml"
- ],
- "tags": [
- "attack.t1528",
- "attack.credential_access"
+ "attack.t1098.003",
+ "attack.t1078"
 ]
 },
 "related": [
 {
- "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
- }
- ],
- "uuid": "a84fc3b1-c9ce-4125-8e74-bdcdb24021f1",
- "value": "Primary Refresh Token Access Attempt"
- },
- {
- "description": "Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.",
- "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/03",
- "falsepositive": [
- "Using an IP address that is shared by many users"
- ],
- "filename": "azure_identity_protection_malware_linked_ip.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "azure",
- "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml"
- ],
- "tags": [
- "attack.t1090",
- "attack.command_and_control"
- ]
- },
- "related": [
+ },
 {
- "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "821b4dc3-1295-41e7-b157-39ab212dd6bd",
- "value": "Sign-In From Malware Infected IP"
+ "uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7",
+ "value": "User Added to an Administrator's Azure AD Role"
 },
 {
- "description": "Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.",
+ "description": "Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/07",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/11/22",
 "falsepositive": [
- "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
+ "Azure Kubernetes CronJob/Job may be done by a system administrator.",
+ "If known behavior is causing false positives, it can be exempted from the rule."
 ],
- "filename": "azure_identity_protection_malicious_ip_address_suspicious.yml",
- "level": "high",
+ "filename": "azure_kubernetes_cronjob.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address",
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml"
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml"
 ],
 "tags": [
- "attack.t1090",
- "attack.command_and_control"
+ "attack.persistence",
+ "attack.t1053.003",
+ "attack.privilege_escalation",
+ "attack.execution"
 ]
 },
 "related": [
 {
- "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "36440e1c-5c22-467a-889b-593e66498472",
- "value": "Malicious IP Address Sign-In Suspicious"
+ "uuid": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a",
+ "value": "Azure Kubernetes CronJob"
 },
 {
- "description": "Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.",
+ "description": "Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/03",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/07",
 "falsepositive": [
- "User changing to a new device, location, browser, etc."
+ "RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
 ],
- "filename": "azure_identity_protection_unfamilar_sign_in.yml",
- "level": "high",
+ "filename": "azure_kubernetes_rolebinding_modified_or_deleted.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml"
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml"
 ],
 "tags": [
- "attack.t1078",
- "attack.persistence",
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.initial_access"
+ "attack.impact",
+ "attack.credential_access"
 ]
 },
- "related": [
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "128faeef-79dd-44ca-b43c-a9e236a60f49",
- "value": "Unfamiliar Sign-In Properties"
+ "uuid": "25cb259b-bbdc-4b87-98b7-90d7c72f8743",
+ "value": "Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted"
 },
 {
- "description": "Indicates sign-in from a malicious IP address based on high failure rates.",
+ "description": "Identifies when a firewall is created, modified, or deleted.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/07",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/08",
 "falsepositive": [
- "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
+ "Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
 ],
- "filename": "azure_identity_protection_malicious_ip_address.yml",
- "level": "high",
+ "filename": "azure_firewall_modified_or_deleted.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address",
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml"
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml"
 ],
 "tags": [
- "attack.t1090",
- "attack.command_and_control"
+ "attack.impact",
+ "attack.defense_evasion",
+ "attack.t1562.004"
 ]
 },
 "related": [
 {
- "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd",
- "value": "Malicious IP Address Sign-In Failure Rate"
+ "uuid": "512cf937-ea9b-4332-939c-4c2c94baadcd",
+ "value": "Azure Firewall Modified or Deleted"
 },
 {
- "description": "Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns",
+ "description": "Identifies when DNS zone is modified or deleted.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/03",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/08",
 "falsepositive": [
- "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
+ "DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
 ],
- "filename": "azure_identity_protection_token_issuer_anomaly.yml",
- "level": "high",
+ "filename": "azure_dns_zone_modified_or_deleted.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly",
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml"
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml"
 ],
 "tags": [
- "attack.t1606",
- "attack.credential_access"
+ "attack.impact",
+ "attack.t1565.001"
 ]
 },
 "related": [
 {
- "dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c",
+ "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "e3393cba-31f0-4207-831e-aef90ab17a8c",
- "value": "SAML Token Issuer Anomaly"
+ "uuid": "af6925b0-8826-47f1-9324-337507a0babd",
+ "value": "Azure DNS Zone Modified or Deleted"
 },
 {
- "description": "Indicates that the user's valid credentials have been leaked.",
+ "description": "Identifies when a Virtual Network is modified or deleted in Azure.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/03",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/08",
 "falsepositive": [
- "A rare hash collision."
+ "Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
 ],
- "filename": "azure_identity_protection_leaked_credentials.yml",
- "level": "high",
+ "filename": "azure_virtual_network_modified_or_deleted.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml"
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml"
 ],
 "tags": [
- "attack.t1589",
- "attack.reconnaissance"
+ "attack.impact"
 ]
 },
- "related": [
- {
- "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "19128e5e-4743-48dc-bd97-52e5775af817",
- "value": "Azure AD Account Credential Leaked"
+ "uuid": "bcfcc962-0e4a-4fd9-84bb-a833e672df3f",
+ "value": "Azure Virtual Network Modified or Deleted"
 },
 {
- "description": "Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.",
+ "description": "Identifies when a device in azure is no longer managed or compliant",
 "meta": {
- "author": "Mark Morowczynski '@markmorow'",
- "creation_date": "2023/08/07",
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/09/03",
 "falsepositive": [
- "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
+ "Administrator may have forgotten to review the device."
 ],
- "filename": "azure_identity_protection_anomalous_token.yml",
- "level": "high",
+ "filename": "azure_device_no_longer_managed_or_compliant.yml",
+ "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml"
+ "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml"
 ],
 "tags": [
- "attack.t1528",
- "attack.credential_access"
+ "attack.impact"
 ]
 },
- "related": [
- {
- "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "6555754e-5e7f-4a67-ad1c-4041c413a007",
- "value": "Anomalous Token"
+ "uuid": "542b9912-c01f-4e3f-89a8-014c48cdca7d",
+ "value": "Azure Device No Longer Managed or Compliant"
 },
 {
- "description": "Indicates user activity that is unusual for the user or consistent with known attack patterns.",
+ "description": "Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.",
 "meta": {
- "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
- "creation_date": "2023/09/07",
+ "author": "@ionsor",
+ "creation_date": "2022/02/08",
 "falsepositive": [
- "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
+ "Authorized modification by administrators" ], - "filename": "azure_identity_protection_threat_intel.yml", - "level": "high", + "filename": "azure_mfa_disabled.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", - "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml" + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml" ], "tags": [ - "attack.t1078", "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.initial_access" + "attack.t1556" ] }, "related": [ { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "a2cb56ff-4f46-437a-a0fa-ffa4d1303cba", - "value": "Azure AD Threat Intelligence" + "uuid": "7ea78478-a4f9-42a6-9dcd-f861816122bf", + "value": "Disabled MFA to Bypass Authentication Mechanisms" }, { - "description": "Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.", + "description": "Identifies when a Point-to-site VPN is Modified or Deleted.", "meta": { - "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", - "creation_date": "2023/09/03", + "author": "Austin Songer 
@austinsonger", + "creation_date": "2021/08/08", "falsepositive": [ - "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." + "Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_identity_protection_anonymous_ip_activity.yml", - "level": "high", + "filename": "azure_network_p2s_vpn_modified_or_deleted.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml" ], "tags": [ - "attack.t1078", - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.initial_access" + "attack.impact" ] }, - "related": [ - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "be4d9c86-d702-4030-b52e-c7859110e5e8", - "value": "Activity From Anonymous IP Address" + "uuid": "d9557b75-267b-4b43-922f-a775e2d1f792", + "value": "Azure Point-to-site VPN 
Modified or Deleted" }, { - "description": "Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.", + "description": "Identifies when secrets are modified or deleted in Azure.", "meta": { - "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", - "creation_date": "2023/09/03", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/16", "falsepositive": [ - "Conneting to a VPN, performing activity and then dropping and performing addtional activity." + "Secrets being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_identity_protection_impossible_travel.yml", - "level": "high", + "filename": "azure_keyvault_secrets_modified_or_deleted.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel", - "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml" + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml" ], "tags": [ - "attack.t1078", - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.initial_access" + 
"attack.impact", + "attack.credential_access", + "attack.t1552", + "attack.t1552.001" ] }, "related": [ { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "b2572bf9-e20a-4594-b528-40bde666525a", - "value": "Impossible Travel" + "uuid": "b831353c-1971-477b-abb6-2828edc3bca1", + "value": "Azure Keyvault Secrets Modified or Deleted" }, { - "description": "Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser", + "description": "Identifies when a Azure Kubernetes network policy is modified or deleted.", "meta": { - "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", - "creation_date": "2023/09/03", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", "falsepositive": [ - "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." + "Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
], - "filename": "azure_identity_protection_suspicious_browser.yml", - "level": "high", + "filename": "azure_kubernetes_network_policy_change.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml" + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml" ], "tags": [ - "attack.t1078", - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.initial_access" + "attack.impact", + "attack.credential_access" ] }, - "related": [ - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "944f6adb-7a99-4c69-80c1-b712579e93e6", - "value": "Suspicious Browser Activity" + "uuid": "08d6ac24-c927-4469-b3b7-2e422d6e3c43", + "value": "Azure Kubernetes Network Policy Change" }, { - "description": "Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.", + "description": "Identifies when a 
service account is modified or deleted.", "meta": { - "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", - "creation_date": "2023/09/03", + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", "falsepositive": [ - "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." + "Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], - "filename": "azure_identity_protection_anomalous_user.yml", - "level": "high", + "filename": "azure_kubernetes_service_account_modified_or_deleted.yml", + "level": "medium", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml" + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ - "attack.t1098", - "attack.persistence" + "attack.impact", + "attack.t1531" ] }, "related": [ { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "258b6593-215d-4a26-a141-c8e31c1299a6", - "value": "Anomalous User Activity" + "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2", + "value": "Azure Kubernetes Service Account Modified or Deleted" }, { "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.", @@ -88047,8 +88282,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", + "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/nginx/web_nginx_core_dump.yml" ], "tags": [ @@ -88157,8 +88392,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://bad-jubies.github.io/RCE-NOW-WHAT/", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://bad-jubies.github.io/RCE-NOW-WHAT/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml" ], "tags": [ 
@@ -88227,9 +88462,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", "https://github.com/payloadbox/sql-injection-payload-list", - "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection", "https://brightsec.com/blog/sql-injection-payloads/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" @@ -88298,11 +88533,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://twitter.com/httpvoid0x2f/status/1532924261035384832", - "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", - "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", + "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], "tags": [ 
@@ -88408,8 +88643,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", + "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml" ], @@ -88478,8 +88713,8 @@ "logsource.product": "No established product", "refs": [ "https://github.com/lijiejie/IIS_shortname_Scanner", - "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://www.exploit-db.com/exploits/19525", + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" ], "tags": [ 
@@ -89007,9 +89242,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", - "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml" ], "tags": [ @@ -89100,14 +89335,14 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://perishablepress.com/blacklist/ua-2013.txt", - "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", - "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", + "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", + "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://perishablepress.com/blacklist/ua-2013.txt", "https://twitter.com/crep1x/status/1635034100213112833", "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", - "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], "tags": [ 
@@ -89140,9 +89375,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638", "https://blog.talosintelligence.com/ipfs-abuse/", "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11", + "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml" ], "tags": [ @@ -89286,8 +89521,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", + "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml" ], "tags": [ @@ -89571,8 +89806,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", + "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://www.spamhaus.org/statistics/tlds/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" 
@@ -89624,8 +89859,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", + "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_cobalt_amazon.yml" ], "tags": [ @@ -89833,8 +90068,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", + "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml" ], "tags": [ @@ -90054,8 +90289,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", + "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_search_ms.yml" ], "tags": [ 
@@ -90130,8 +90365,8 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" ], "tags": [ @@ -90324,8 +90559,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ @@ -90433,8 +90668,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://redcanary.com/blog/applescript/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", + "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" ], "tags": [ 
@@ -90533,9 +90768,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/dsenableroot.html", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", + "https://ss64.com/osx/dsenableroot.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], "tags": [ @@ -90669,9 +90904,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ @@ -90863,8 +91098,8 @@ "logsource.product": "macos", "refs": [ "https://linux.die.net/man/1/truncate", - "https://linux.die.net/man/1/dd", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", + "https://linux.die.net/man/1/dd", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" ], "tags": [ 
@@ -91097,8 +91332,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" ], "tags": [ @@ -91154,9 +91389,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", - "https://www.manpagez.com/man/8/firmwarepasswd/", "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", + "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], "tags": [ @@ -91508,8 +91743,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/dseditgroup.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos", + "https://ss64.com/osx/dseditgroup.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml" ], "tags": [ 
@@ -91737,8 +91972,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], @@ -91895,9 +92130,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" ], "tags": [ @@ -91955,8 +92190,8 @@ "logsource.product": "qualys", "refs": [ "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], 
@@ -91976,8 +92211,8 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], @@ -91999,8 +92234,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], @@ -92206,8 +92441,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml" ], "tags": [ @@ -92437,8 +92672,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://linux.die.net/man/1/xclip", + "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" ], "tags": [ 
@@ -92504,9 +92739,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://man7.org/linux/man-pages/man8/kmod.8.html", "https://linux.die.net/man/8/insmod", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", + "https://man7.org/linux/man-pages/man8/kmod.8.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" ], "tags": [ @@ -92574,9 +92809,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://objective-see.org/blog/blog_0x68.html", "https://www.glitch-cat.com/p/green-lambert-and-attack", "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", - "https://objective-see.org/blog/blog_0x68.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml" ], "tags": [ @@ -92609,9 +92844,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://linux.die.net/man/1/import", "https://imagemagick.org/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ 
@@ -92644,8 +92879,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", "https://firewalld.org/documentation/man-pages/firewall-cmd.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" ], "tags": [ @@ -92712,8 +92947,8 @@ "logsource.product": "linux", "refs": [ "https://mn3m.info/posts/suid-vs-capabilities/", - "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", + "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], @@ -92789,8 +93024,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://blog.aquasec.com/container-security-tnt-container-attack", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", + "https://blog.aquasec.com/container-security-tnt-container-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml" ], "tags": [ @@ -92823,8 +93058,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/Neo23x0/auditd/blob/master/audit.rules", "Self Experience", + "https://github.com/Neo23x0/auditd/blob/master/audit.rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" ], "tags": [ 
@@ -92857,8 +93092,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" ], "tags": [ @@ -93223,8 +93458,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml" ], "tags": [ @@ -93466,8 +93701,8 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", - "https://man7.org/linux/man-pages/man1/passwd.1.html", "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", + "https://man7.org/linux/man-pages/man1/passwd.1.html", "https://linux.die.net/man/1/chage", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], 
@@ -93569,9 +93804,9 @@ "logsource.product": "linux", "refs": [ "https://access.redhat.com/articles/4409591#audit-record-types-2", - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", "https://linux.die.net/man/8/pam_tty_audit", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], "tags": [ @@ -93679,8 +93914,8 @@ "logsource.product": "linux", "refs": [ "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://access.redhat.com/articles/4409591#audit-record-types-2", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ @@ -93713,9 +93948,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", "https://book.hacktricks.xyz/shells/shells/linux", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", - "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ 
@@ -94018,9 +94253,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", - "https://linux.die.net/man/8/useradd", "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", + "https://linux.die.net/man/8/useradd", + "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml" ], "tags": [ @@ -94061,8 +94296,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", "https://github.com/Immersive-Labs-Sec/nimbuspwn", + "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" ], "tags": [ @@ -94185,10 +94420,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://artkond.com/2017/03/23/pivoting-guide/", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", - "http://pastebin.com/FtygZ1cg", "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", + "https://artkond.com/2017/03/23/pivoting-guide/", + "http://pastebin.com/FtygZ1cg", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ 
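Review bot: The re-added `"http://pastebin.com/FtygZ1cg"` entry in the `refs` array of the `lnx_shell_susp_commands` hunk is a plain-HTTP link to a user-editable paste, so the material it is meant to document is neither integrity-protected in transit nor stable over time. The same hunk already carries a stable form for another dead source, `https://web.archive.org/web/20170319121015/http://www.threatgeek.com/...`, and the paste would benefit from the same treatment. Since this file appears to be generated from the upstream Sigma rule's `references` field, the replacement belongs in the upstream rule rather than in this JSON; a pre-generation check that flags `http://` references would catch similar cases early.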
@@ -94453,8 +94688,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", + "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml" ], "tags": [ @@ -94487,9 +94722,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", - "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], "tags": [ @@ -94630,10 +94865,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" ], "tags": [ 
@@ -94667,10 +94902,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" ], "tags": [ @@ -94783,8 +95018,8 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", "https://www.makeuseof.com/how-to-install-and-use-doas/", + "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml" ], "tags": [ @@ -94817,8 +95052,8 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ - "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" ], "tags": [ 
@@ -94951,9 +95186,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", - "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], "tags": [ @@ -95028,10 +95263,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml" ], "tags": [ @@ -95144,8 +95379,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/vimdiff/", + "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/rvim/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml" ], 
@@ -95179,10 +95414,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" ], "tags": [ @@ -95280,10 +95515,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml" ], "tags": [ 
@@ -95383,8 +95618,8 @@ "logsource.product": "linux", "refs": [ "https://linuxhint.com/uninstall-debian-packages/", - "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", + "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://linuxhint.com/uninstall_yum_package/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml" ], @@ -95493,8 +95728,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml" ], "tags": [ @@ -95696,9 +95931,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://twitter.com/d1r4c/status/1279042657508081664", "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://curl.se/docs/manpage.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" 
@@ -95799,10 +96034,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://linuxize.com/post/how-to-delete-group-in-linux/", - "https://linux.die.net/man/8/userdel", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", - "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://linux.die.net/man/8/userdel", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], "tags": [ @@ -95901,8 +96136,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", "https://www.cyberciti.biz/faq/how-force-kill-process-linux/", + "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml" ], "tags": [ @@ -96093,8 +96328,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml" 
@@ -96119,10 +96354,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml" ], "tags": [ @@ -96337,8 +96572,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" ], "tags": [ 
@@ -96371,10 +96606,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml" ], "tags": [ @@ -96407,8 +96642,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://bpftrace.org/", + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" ], "tags": [ @@ -96584,10 +96819,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://linux.die.net/man/8/groupdel", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", - "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], "tags": [ 
@@ -96654,9 +96889,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/carlospolop/PEASS-ng", - "https://github.com/diego-treitos/linux-smart-enumeration", "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", + "https://github.com/diego-treitos/linux-smart-enumeration", + "https://github.com/carlospolop/PEASS-ng", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], "tags": [ @@ -96756,8 +96991,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml" ], "tags": [ @@ -96989,8 +97224,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml" 
@@ -97066,9 +97301,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html", + "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml" ], "tags": [ @@ -97109,8 +97344,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml" ], "tags": [ 
@@ -97370,11 +97605,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.infosecademy.com/netcat-reverse-shells/", "https://www.revshells.com/", - "https://man7.org/linux/man-pages/man1/ncat.1.html", "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", + "https://man7.org/linux/man-pages/man1/ncat.1.html", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.infosecademy.com/netcat-reverse-shells/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml" ], "tags": [ @@ -97408,8 +97643,8 @@ "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/nohup/", - "https://www.computerhope.com/unix/unohup.htm", "https://en.wikipedia.org/wiki/Nohup", + "https://www.computerhope.com/unix/unohup.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], "tags": [ @@ -97555,9 +97790,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html", + "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml" ], "tags": [ 
@@ -97598,10 +97833,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "Internal Research", - "https://github.com/carlospolop/PEASS-ng", "https://github.com/pathtofile/bad-bpf", "https://github.com/Gui774ume/ebpfkit", + "Internal Research", + "https://github.com/carlospolop/PEASS-ng", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml" ], "tags": [ @@ -97692,9 +97927,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://bpftrace.org/", "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", - "https://bpftrace.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml" ], "tags": [ @@ -97751,9 +97986,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", - "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml" ], "tags": [ @@ -97845,9 +98080,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", - "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" ], "tags": [ 
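Review bot: The re-added `"Internal Research"` entry in the `refs` array of the `proc_creation_lnx_hack_tools` hunk is free text rather than a URL, so any consumer that treats `refs` as a list of links (rendering, reachability checks, enrichment) cannot use it as such; `"Self Experience"` in the `lnx_auditd_auditing_config_change` hunk earlier in this chunk is the same case. Both values are presumably inherited verbatim from the Sigma rules' `references` field, so the fix belongs in the generator that produces this file: either filter entries that do not parse as `http://`/`https://` URLs or emit them under a separate free-text field, e.g. `refs = [r for r in refs if r.startswith(("http://", "https://"))]` before the trailing SigmaHQ URL is appended. Keeping one type per field also matches the rest of the array, where every other entry is a URL.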
@@ -97880,10 +98115,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml" ], "tags": [ @@ -97950,8 +98185,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/sleventyeleven/linuxprivchecker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" ], "tags": [ @@ -98120,8 +98355,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" ], 
@@ -98155,10 +98390,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" ], "tags": [ @@ -98224,8 +98459,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/", "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", + "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml" ], "tags": [ @@ -98303,5 +98538,5 @@ "value": "Security Software Discovery - Linux" } ], - "version": 20231010 + "version": 20231017 }
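Review bot: The `refs` reordering in the `proc_creation_lnx_usermod_susp_group` hunk, like every other hunk in this chunk, changes no content, which suggests the generator emits references in unordered-set iteration order; sorting `refs` (or preserving the upstream rule's order) before serializing would make regeneration diffs stable. As written, a genuinely dropped or added reference would be buried in ordering churn, and a reviewer cannot confirm from the diff alone that the set of references is unchanged. The `version` bump to `20231017` is fine on its own; only the generator needs the change, e.g. `refs = sorted(refs) + [sigma_url]` so the SigmaHQ link stays last as it does today.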